You should be able to use Let's Encrypt certs and route both TLS HTTP and TLS TCP on port 443 to target services.
If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.
Rough example, maybe just test this:
```yaml
version: '3.9'

networks:
  proxy:
    name: proxy
    #external: true

volumes:
  letsencrypt:
    name: letsencrypt

services:
  traefik:
    image: traefik:v2.10
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      #- /var/log:/var/log
    command:
      - --api.dashboard=true
      - --log.level=INFO
      #- --log.filepath=/var/log/traefik.log
      - --accesslog=true
      #- --accesslog.filepath=/var/log/traefik-access.log
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=websecure
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entrypoints.websecure.http.tls.certresolver=myresolver
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesResolvers.myresolver.acme.email=email@example.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.entrypoints=websecure
      - traefik.http.routers.mydashboard.rule=Host(`traefik.example.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

  tcpecho-le:
    image: istio/tcp-echo-server:1.2
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.tcp.routers.tcpecho.entrypoints=websecure
      - traefik.tcp.routers.tcpecho.rule=HostSNI(`tcp.example.com`)
      - traefik.tcp.routers.tcpecho.tls.certresolver=myresolver
      - traefik.tcp.services.tcpecho.loadbalancer.server.port=9000
```
To connect RabbitMQ, you probably still need to add port 443 to the address in the client, as https and port 443 are probably not the default.
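The precedence rule quoted above, modelled offline as an added example (not part of the original post and not Traefik's own code): it reads the SNI name from a constructed TLS ClientHello and applies TCP-first routing with fallback to the HTTP routers. The router tables and function names are assumptions that mirror the compose labels, and the HTTP match is simplified to the SNI name.

```python
import struct

# Assumed router tables mirroring the compose labels (the post's placeholder hostnames).
TCP_ROUTERS = {"tcp.example.com": "tcpecho"}
HTTP_ROUTERS = {"whoami.example.com": "whoami", "traefik.example.com": "mydashboard"}

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying one SNI name (test input)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # not a handshake / not ClientHello
            return None
        p = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
        p += 1 + record[p]               # session id
        p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher suites
        p += 1 + record[p]               # compression methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            p += 4
            if ext_type == 0:            # server_name extension
                name_len = struct.unpack_from("!H", record, p + 3)[0]
                return record[p + 5:p + 5 + name_len].decode("ascii").lower()
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def route(record: bytes) -> str:
    """TCP routers (HostSNI) are tried first; unmatched connections fall to HTTP routers."""
    sni = extract_sni(record)
    if sni in TCP_ROUTERS:
        return "tcp:" + TCP_ROUTERS[sni]
    # Simplification: the real HTTP match uses the Host header after TLS termination.
    return "http:" + HTTP_ROUTERS.get(sni, "no-router")
```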