Traefik as reverse proxy with TLS for MariaDB Galera Cluster

Hey, I'm building a MariaDB Galera Cluster with 3 nodes. The traffic between the nodes and to the load balancer/clients should be TLS encrypted. The onboard solution from MariaDB is not very smooth, so I want to stick Traefik in front of each node. I started to test this setup with Docker containers: one container for the DB and one for Traefik on the same host. I'm not able to get a TLS connection from my client to the DB on port 3306. I just read that this was not possible in Traefik 2; is there a way to do it in Traefik 3? My configuration is only for one node atm. I know I need more ports for the cluster.

I'm doing this atm with a local file config because of another problem.
Two configs:
Static config (traefik.toml)

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]

  [entryPoints.mariadb1t]
    address = ":3306"

[api]
  dashboard = true

[providers.docker]
  watch = true
  network = "traefik-public"

[providers.file]
  filename = "traefik_dynamic.toml"

[log]
  level = "DEBUG"
  format = "json"
  [accessLog]
    filePath = "/var/log/traefik/access.log"
    format = "json"

Dynamic config (traefik_dynamic.toml)

[http]
[http.routers.api]
  rule = "Host(`domainOfTheServer`)"
  entrypoints = ["websecure"]
  service = "api@internal"
  [http.routers.api.tls]
    options = "foo"

[tcp]
  [tcp.routers]
    [tcp.routers.mariadb1t]
      entryPoints = ["mariadb1t"]
      rule = "Host(`domainOfTheServer`)"
      service = "mariadb1t"
      [tcp.routers.mariadb1t.tls]
        options = "foo"
  [tcp.services]
    [tcp.services.mariadb1t]
      [tcp.services.mariadb1t.loadBalancer]
        [[tcp.services.mariadb1t.loadBalancer.servers]]
          address = "IPfromMariaDBDockerContainer:3306"
          # address = "IPfromHost:6033"
          # address = ":6033"

[[tls.certificates]]
  certFile = "/etc/letsencrypt/live/fullchain.pem"
  keyFile = "/etc/letsencrypt/live/privkey.pem"
  stores = ["default"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/etc/letsencrypt/live/fullchain.pem"
      keyFile  = "/etc/letsencrypt/live/privkey.pem"

[tls.options]
  [tls.options.foo]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ]

MariaDB exposes port 6033 and Traefik port 3306. Both containers are running on the same host and are on the same Docker network. I tried other configurations for the TCP service address; you can see them as comments.

Without TLS it is working. As soon as I enable TLS it results in a timeout for the connection. Connecting directly to MariaDB on port 6033 also works.

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

For TCP routers you can only use HostSNI() (doc). I am not sure if the MariaDB client supports TLS with SNI; if not, you need to use HostSNI(`*`).

Make sure to enable TLS in your application database connection string or options.

It seems you use TLS certs from an external LetsEncrypt service like certbot. Note that Traefik will only watch the dynamic config file, not the referenced certs AFAIK. So you would need to touch the config file to force a reload without a restart.

I recommend switching to regular YAML config, like Docker and k8s use; it saves a lot of repetition and is easier to read.

Thank you for your advice. Debug and access log are both enabled. No entries while I try the connection.

Changed to HostSNI(`*`); still no entry in the logs and still not working.

TLS is enabled in my client. Tried it with and without my own certs.

This will be no problem. A cron job will do this.

Started with an example TOML. Will switch to YAML if it works; personally I like YAML more too.
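Editor's note with an added example; this is not config from the thread and not an official Traefik sample. It takes the answer's two suggestions (HostSNI(`*`) and YAML) and goes one step further to explain the symptom in the follow-up (timeout, nothing in the logs even with HostSNI(`*`)): the MySQL/MariaDB wire protocol is server-first. The server sends its initial handshake packet before the client sends a byte, and TLS is only negotiated in-band after that, when the client answers with the CLIENT_SSL capability set. A Traefik TCP router with a `tls:` block makes Traefik wait for a TLS ClientHello that the client will never send first, while the client waits for a server greeting that Traefik never forwards, so nothing is logged and the connection times out. `tls.passthrough: true` does not help either, because Traefik still has to read a ClientHello to route by SNI. The layout that does work is a plain TCP router (no `tls:`) in front of a MariaDB that terminates TLS itself (`ssl_cert`, `ssl_key`, `ssl_ca`, optionally `require_secure_transport = ON`), so the session is encrypted end-to-end through the proxy. Hostnames, cert paths and the backend address `mariadb1:3306` below are assumptions.

```yaml
# Added example (editor's): Traefik v3 dynamic config in YAML.
# Assumptions: a file provider with watch enabled, the Traefik and MariaDB
# containers on one Docker network, MariaDB reachable as "mariadb1" and
# doing its own TLS on 3306.

http:
  routers:
    api:
      rule: "Host(`domainOfTheServer`)"
      entryPoints: ["websecure"]
      service: api@internal
      tls:
        options: foo

tcp:
  routers:
    mariadb1t:
      entryPoints: ["mariadb1t"]
      # HostSNI(`*`) is the only rule that matches a non-TLS TCP connection.
      rule: "HostSNI(`*`)"
      service: mariadb1t
      # No `tls:` here on purpose. The MySQL protocol negotiates TLS in-band
      # after the server greeting, so Traefik must relay raw bytes and let
      # MariaDB terminate TLS; a `tls:` block here deadlocks (see lead-in).
  services:
    mariadb1t:
      loadBalancer:
        servers:
          - address: "mariadb1:3306"   # assumed container name on the shared network

tls:
  # Still used for the HTTPS entrypoint (dashboard); irrelevant for the TCP router.
  certificates:
    - certFile: /etc/letsencrypt/live/fullchain.pem
      keyFile: /etc/letsencrypt/live/privkey.pem
  stores:
    default:
      defaultCertificate:
        certFile: /etc/letsencrypt/live/fullchain.pem
        keyFile: /etc/letsencrypt/live/privkey.pem
  options:
    foo:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

Two checks worth doing once this is in place. First, because Traefik is only a TCP relay here, the certificate the client verifies is MariaDB's, so it must carry the name the client connects to (`domainOfTheServer`), not the container name; this is also why the Let's Encrypt cert would now have to be handed to MariaDB rather than to Traefik. Second, confirm the session is actually encrypted rather than just connected: `mariadb --host domainOfTheServer --port 3306 --ssl-verify-server-cert -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"` should return a non-empty cipher, and should fail if the server name does not match the cert. For the Galera replication ports mentioned in the question, the same reasoning applies: that traffic is not the MySQL protocol either, and its TLS is configured on the Galera side (`wsrep_provider_options` with `socket.ssl_key`, `socket.ssl_cert`, `socket.ssl_ca`), not terminated at a proxy.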