TLS passthrough, no SNI

Hi

I'm new to traefik and I hope this is not a dumb question.

I have a client that I can't control. It connects to a service that I want to hide behind traefik via https. It checks the self-signed certificates of that service. It does not support SNI. So I need to pass through TLS.

I first tried with a TCP router, which would not work because SNI is not supported. Now I'm trying to use an http router. This is the config

http:
  routers:
    tc-1-https:
      entrypoints: websecure
      rule: Host(`tc.domain.me`)
      service: tc-1-https-service
  services:
    tc-1-https-service:
      loadbalancer:
        passhostheader: true
        servers:
          - url: https://172.21.0.3:443 # docker container url
        serverstransport: mytransport
  serversTransports:
    mytransport:
      serverName: tc-1-https-service
      insecureSkipVerify: true
      certificates:
        - certFile: /etc/traefik/certs/tc/tc-cert.pem
          keyFile: /etc/traefik/certs/tc/tc-key.pem
      rootCAs:
        - /etc/traefik/certs/tc/ca-root.pem

Edit: There are no traefik errors, I can see the router and service in the UI. The service is reachable through https (with a warning of course) but the certs are the default traefik certs.

Is it even possible? Any help is highly appreciated.

Thanks!

The client and the service already use https?

If no SNI is available, you probably need to use a TCP router with rule: HostSNI(`*`) which needs a dedicated IP or port as only a single service can be targeted.

If you don’t enable TLS for this entrypoint and router, the TLS stream is just forwarded.

If you enable TLS, you need to load the custom cert with tls section in dynamic config file and set tls: true on router and passthrough: true, otherwise Traefik will terminate TLS and just forward plain content.

The service serves on https with custom certificates, the client wants to use that connection and checks the certificates. But the client does not support SNI.

I've tried to use rule: HostSNI(tc.domain.me) which did not work. Is there a difference in using a domain or a *? I don't think I can use a dedicated port (no access to the client) and no dedicated IP since the request might come from anywhere or the local network.

Sorry if I don't get the point.

Using HostSNI with domain only works when Traefik has read access to the cert, because it will try to match the domain, therefore needs to decrypt.

When using *, it will not need a TLS cert, as everything matches.
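The passthrough setup described in the two replies above, written out as an added example (it is not config from the original post or from the Traefik project). It assumes a dedicated entrypoint named tcpsecure on port 8443, as the replies say a HostSNI(`*`) router needs its own port or IP, and reuses the backend address 172.21.0.3:443 from the original post. The static and dynamic parts belong in separate files; they are shown here as two YAML documents.

```yaml
# Static configuration (e.g. traefik.yml): a dedicated entrypoint for the
# passthrough traffic. The port number is an assumption for this example.
entryPoints:
  websecure:
    address: ":443"
  tcpsecure:
    address: ":8443"
---
# Dynamic configuration (file provider): TCP router that forwards the TLS
# stream untouched, so the client sees the backend's own self-signed
# certificate instead of Traefik's default certificate.
tcp:
  routers:
    tc-1-passthrough:
      entryPoints:
        - tcpsecure
      # The client sends no SNI, so match every TLS connection on this
      # entrypoint. Only one service can sit behind HostSNI(`*`), which is
      # why it gets its own entrypoint instead of sharing websecure.
      rule: HostSNI(`*`)
      service: tc-1-passthrough-service
      tls:
        # Without passthrough Traefik would terminate TLS here (needing a
        # certificate it can read) and forward plaintext to the backend.
        passthrough: true
  services:
    tc-1-passthrough-service:
      loadBalancer:
        servers:
          # Backend address from the original post; plain host:port, no scheme,
          # because nothing is decrypted or re-encrypted on this path.
          - address: "172.21.0.3:443"
```

With passthrough the serversTransport block from the original config (client certificates, rootCAs, and especially insecureSkipVerify: true) is no longer involved, because Traefik never opens the TLS session; the end-to-end certificate check stays with the client, which is the property the original post wanted. To confirm the routing from a machine that can reach the entrypoint, connect with a client that deliberately omits SNI, for example `openssl s_client -connect tc.domain.me:8443 -noservername`, and compare the presented certificate's fingerprint with the one served directly by 172.21.0.3:443; a match means the stream was forwarded, while Traefik's default certificate means TLS was terminated at the proxy.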