Tls.passthrough with cert possible?

I am trying to put a well-known security vulnerability scanner behind a traefik proxy and use a TLS certificate from traefik. I would normally use an http.services but found that the application was complaining that I was accessing an HTTPS site over an HTTP connection.

I read that I needed to do a TLS passthrough but that was only possible with a tcp.router. I am now able to connect but it does not seem to be passing the TLS cert from traefik. Does tcp.router support TLS certificates?

This is what I have been using

      - "traefik.tcp.routers.nessus.rule=HostSNI(`app.domain`)"
      - "traefik.tcp.routers.nessus.entrypoints=https"
      - "traefik.tcp.routers.nessus.tls=true"
      - "traefik.tcp.routers.nessus.tls.passthrough=true"
      - "traefik.tcp.services.nessus.loadbalancer.server.port=443"

All of my other services and hosted sites are able to use http.routers and will pull Let's Encrypt certs from traefik.

AFAIK a TLS passthrough is possible with an http and a tcp router. It tells Traefik that it has a TLS cert to decrypt the request to use Host() or HostSNI() and then forward the original encrypted request. This means you need to create a custom cert which Traefik and your target service use, otherwise it doesn't work.

So this won't work with LetsEncrypt, unless you manually export the certs from acme.json and also use them in your target service, and don't forget regular updates.
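To make the two options concrete, here is an added example (not from the original thread or from the Traefik project) that places the passthrough configuration from the question beside the alternative it is usually confused with: terminating TLS at Traefik with a Let's Encrypt certificate and re-encrypting to the backend over HTTPS. With passthrough Traefik only reads the SNI and forwards the encrypted stream, so the client finishes the handshake with the backend and sees the backend's own certificate; with termination the client sees Traefik's certificate and the backend is reached over HTTPS instead of plain HTTP, which is what the "HTTPS site over HTTP" complaint in the question refers to. The service name `nessus`, the host `app.domain`, the entrypoint `https`, the resolver name `le`, the transport name `scanner-st` and the image name are assumptions; the `scheme`, `serverstransport` and `serverstransports.*.insecureskipverify` labels are Traefik v2 docker labels.

```yaml
# Added example, not from the original thread. docker-compose labels for
# Traefik v2; pick EITHER option A or option B for a given host, not both.
services:
  scanner:
    image: scanner/image:placeholder   # placeholder, not a real image name
    labels:
      # Option A: TLS passthrough (what the question configures).
      # Traefik matches on the SNI only and forwards the still-encrypted
      # stream. The certificate the browser sees is the backend's own cert,
      # so a certresolver on this router would never be exercised.
      - "traefik.tcp.routers.nessus-pt.rule=HostSNI(`app.domain`)"
      - "traefik.tcp.routers.nessus-pt.entrypoints=https"
      - "traefik.tcp.routers.nessus-pt.tls.passthrough=true"
      - "traefik.tcp.services.nessus-pt.loadbalancer.server.port=443"

      # Option B: terminate TLS at Traefik with a Let's Encrypt cert and
      # re-encrypt to the backend. The client gets Traefik's cert and the
      # backend receives HTTPS rather than plain HTTP.
      - "traefik.http.routers.nessus.rule=Host(`app.domain`)"
      - "traefik.http.routers.nessus.entrypoints=https"
      - "traefik.http.routers.nessus.tls=true"
      - "traefik.http.routers.nessus.tls.certresolver=le"   # assumed resolver name
      - "traefik.http.services.nessus.loadbalancer.server.port=443"
      - "traefik.http.services.nessus.loadbalancer.server.scheme=https"
      # The backend's cert is usually self-signed, so verification on the
      # internal hop would fail. Skipping it here affects only the
      # Traefik-to-backend leg, never the client-facing certificate. If the
      # backend cert is under your control, pin its issuing CA with the
      # serverstransports.<name>.rootcas label instead of skipping checks.
      - "traefik.http.serverstransports.scanner-st.insecureskipverify=true"
      - "traefik.http.services.nessus.loadbalancer.serverstransport=scanner-st@docker"
```

With option B no certificate export from acme.json is needed: Traefik renews the public certificate on its own, and the backend keeps whatever certificate it already has for the internal hop.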
