TLS Passthrough not working

Hi, I created a TLS router with TLS passthrough as follows:

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test
  namespace: test-qa
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNIRegexp({subdomain:[a-zA-Z0-9-]+}\.test\.com$)
      services:
        - name: test
          namespace: test-qa
          port: 8080
  tls:
    passthrough: true
```

When I curl my website (`curl -v https://domain1.test.com/api/test/v1/`) I see a 404 page not found error. In the Traefik logs I see the following:

```
time="2024-04-01T12:14:45Z" level=debug msg="Serving default certificate for request: "domain1.test.com""

10.245.5.0 - - [01/Apr/2024:12:14:45 +0000] "GET /api/test/v1/ HTTP/2.0" 404 19 "-" "-" 22201 "-" "-" 0ms
```

A couple of questions here:

  1. I am not sure if Traefik is forwarding just the path to the backend and getting 404, or is it passing the host+path to the backend and getting 404. I don't see any access logs on my backend Envoy running on port 8080...
  2. I don't see this TCP router on the Traefik dashboard, whereas I see the other HTTP routers I have.

From Traefik Docker I know you can set access log to JSON format to see differentiated OriginStatus (from target) and DownstreamStatus (from Traefik).
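One way to use the JSON access log mentioned above to answer the first question, as an added example that is not part of the original posts. The sample log lines are constructed, and treating a missing or zero `OriginStatus` as "no response from the backend" is an assumption of this sketch.

```python
import json

# Constructed sample lines shaped like Traefik's JSON access log (not from the thread).
SAMPLE_LOG = """\
{"RequestHost":"domain1.test.com","RequestPath":"/api/test/v1/","DownstreamStatus":404,"OriginStatus":0}
{"RequestHost":"app.example.org","RequestPath":"/missing","RouterName":"web@kubernetescrd","ServiceName":"web-svc@kubernetescrd","DownstreamStatus":404,"OriginStatus":404}
{"RequestHost":"app.example.org","RequestPath":"/slow","RouterName":"web@kubernetescrd","ServiceName":"web-svc@kubernetescrd","DownstreamStatus":502,"OriginStatus":0}
time="2024-04-01T12:14:45Z" level=debug msg="not an access-log entry"
"""


def classify(entry):
    """Say where the status the client saw (DownstreamStatus) came from."""
    origin = entry.get("OriginStatus") or 0  # assumption: 0/missing = backend never answered
    if origin:
        return "backend"                # the target produced the status
    if entry.get("RouterName"):
        return "traefik-after-routing"  # a router matched, Traefik answered itself
    return "traefik-no-router"          # no HTTP router matched the request


def classify_log(text):
    """Return (host, path, downstream_status, verdict) for each JSON entry."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip debug lines and other non-JSON output
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        results.append((
            entry.get("RequestHost", "-"),
            entry.get("RequestPath", "-"),
            entry.get("DownstreamStatus", 0),
            classify(entry),
        ))
    return results


if __name__ == "__main__":
    for host, path, status, verdict in classify_log(SAMPLE_LOG):
        print(f"{status} {host}{path}: {verdict}")
```

A `traefik-no-router` verdict on a 404 means the request never reached the backend, which matches the absence of access logs on the backend side.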

I was able to fix the 2nd issue above by adding annotations of ingress controller on my IngressRouteTCP resource.

I still see 404 page not found errors. Instead of using `HostSNIRegexp({subdomain:[a-zA-Z0-9-]+}\.test\.com$)`, I updated to `HostSNI(*)` and I was able to hit the backend successfully. Not sure why it is not working with the domain name. Any idea, @bluepuma77?

No idea, not a fan of Traefik regex.

`HostSNIRegexp({subdomain:[a-zA-Z0-9-]+}.test.com )` this worked

I had the exact same issue, and it appears to be a bug that TLS passthrough does not work at all if you use HostSNIRegexp. The only solution I found is to add each subdomain individually and just use HostSNI() for TLS passthrough.