Hey, I'm building a MariaDB Galera Cluster with 3 nodes. The traffic between the nodes and to the load balancer/clients should be TLS encrypted. The onboard solution from MariaDB is not very smooth, so I want to stick Traefik in front of each node. I started to test this setup with Docker containers: one container for the DB and one for Traefik on the same host. I'm not able to get a TLS connection to port 3306 from my client to the DB. I just read that this was not possible in Traefik 2; is there a way to do it in Traefik 3? My configuration is only for one node atm. I know I need more ports for the cluster.
I'm doing this atm with a local file config because of another problem.
Two configs:
Static config (traefik.toml)

```toml
[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http.redirections.entryPoint]
      to = "websecure"
      scheme = "https"
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
  [entryPoints.mariadb1t]
    address = ":3306"

[api]
  dashboard = true

[providers.docker]
  watch = true
  network = "traefik-public"

[providers.file]
  filename = "traefik_dynamic.toml"

[log]
  level = "DEBUG"
  format = "json"

[accessLog]
  filePath = "/var/log/traefik/access.log"
  format = "json"
```
Dynamic config (traefik_dynamic.toml)

```toml
[http]
  [http.routers.api]
    rule = "Host(`domainOfTheServer`)"
    entryPoints = ["websecure"]
    service = "api@internal"
    [http.routers.api.tls]
      options = "foo"

[tcp]
  [tcp.routers]
    [tcp.routers.mariadb1t]
      entryPoints = ["mariadb1t"]
      # TCP routers match on the TLS SNI, not on an HTTP Host header:
      # Host() is an HTTP-only matcher, TCP routers need HostSNI().
      # HostSNI(`*`) would also match connections that send no SNI.
      rule = "HostSNI(`domainOfTheServer`)"
      service = "mariadb1t"
      # Terminates TLS on the raw TCP stream: Traefik expects the client's
      # TLS ClientHello as the very first bytes of the connection.
      [tcp.routers.mariadb1t.tls]
        options = "foo"
  [tcp.services]
    [tcp.services.mariadb1t]
      [tcp.services.mariadb1t.loadBalancer]
        [[tcp.services.mariadb1t.loadBalancer.servers]]
          address = "IPfromMariaDBDockerContainer:3306"
          # address = "IPfromHost:6033"
          # address = ":6033"

[[tls.certificates]]
  certFile = "/etc/letsencrypt/live/fullchain.pem"
  keyFile = "/etc/letsencrypt/live/privkey.pem"
  stores = ["default"]

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      certFile = "/etc/letsencrypt/live/fullchain.pem"
      keyFile = "/etc/letsencrypt/live/privkey.pem"

[tls.options]
  [tls.options.foo]
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
```
MariaDB has port 6033 exposed and Traefik 3306. Both containers are running on the same host and are on the same Docker network. I tried other configurations for the TCP service address; you can see them as comments.
Without TLS it is working. As soon as I enable TLS, the connection times out. The connection directly to port 6033 and MariaDB is also working.
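Who speaks first decides whether TLS termination can sit in front of port 3306: a MariaDB/MySQL server sends a plaintext Initial Handshake packet before the client sends anything, and the CLIENT_SSL capability flag in that packet is how TLS gets negotiated inside the protocol, whereas a TLS-terminating TCP router waits for the client's ClientHello as the first bytes. The Python below is an added example, not code from the post or from Traefik or MariaDB; it builds a constructed handshake packet (version string, connection id and plugin data are made up), parses it, and applies the first-bytes check a TLS terminator performs.

```python
# Added example: decode a MariaDB/MySQL Initial Handshake packet (the first bytes the
# SERVER sends on a new connection) and check whether it advertises in-protocol TLS.
import struct

CLIENT_PROTOCOL_41 = 0x0200   # capability bit: 4.1+ protocol
CLIENT_SSL = 0x0800           # capability bit: TLS may be negotiated after the greeting


def build_handshake_v10(server_version: bytes, caps: int, conn_id: int = 42) -> bytes:
    """Build a minimal protocol-10 Initial Handshake packet with its 4-byte packet header."""
    body = bytes([10]) + server_version + b"\x00"   # protocol version, NUL-terminated version
    body += struct.pack("<I", conn_id)              # connection id
    body += b"12345678" + b"\x00"                   # auth-plugin-data-part-1 (constructed) + filler
    body += struct.pack("<H", caps & 0xFFFF)        # capability flags, lower 16 bits
    body += bytes([45]) + struct.pack("<H", 2)      # charset utf8mb4_general_ci, status flags
    body += struct.pack("<H", caps >> 16)           # capability flags, upper 16 bits
    body += bytes([21]) + b"\x00" * 10              # auth-plugin-data length, reserved
    body += b"abcdefghijkl\x00"                     # auth-plugin-data-part-2 (constructed)
    body += b"mysql_native_password\x00"            # auth plugin name
    return len(body).to_bytes(3, "little") + b"\x00" + body   # 3-byte length, sequence id 0


def parse_handshake(pkt: bytes) -> dict:
    """Parse the packet header and the fixed-layout fields up to the capability flags."""
    length = int.from_bytes(pkt[:3], "little")
    body = pkt[4:4 + length]
    if len(body) != length or body[0] != 10:
        raise ValueError("not a complete protocol-10 handshake packet")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                # skip conn id, auth data part 1, filler
    caps = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                                # skip caps low, charset, status flags
    caps |= struct.unpack_from("<H", body, pos)[0] << 16
    return {"sequence_id": pkt[3], "server_version": version, "connection_id": conn_id,
            "capabilities": caps, "tls_offered": bool(caps & CLIENT_SSL)}


def looks_like_tls_record(first_bytes: bytes) -> bool:
    """What a TLS-terminating proxy waits for as the FIRST bytes from the client: a TLS
    handshake record (content type 0x16, major version 3). A MariaDB client sends nothing
    until it has read the server greeting, so each side waits on the other until timeout."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


if __name__ == "__main__":
    pkt = build_handshake_v10(b"10.11.0-MariaDB", CLIENT_PROTOCOL_41 | CLIENT_SSL)  # constructed
    print(parse_handshake(pkt))
    print("server greeting is a TLS record:", looks_like_tls_record(pkt))
```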