So I deployed shadowsocks-rust on kubernetes thanks to this manifest.
And here is my ingress definition for this service:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: shadowsocks-rust
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`*`)
      services:
        - name: shadowsocks-rust
          port: 8388 # <--- I use 8388 instead of the default 80
  tls:
    certResolver: le
```
And websecure refers to this Traefik conf:
```
--entrypoints.websecure.address=:8443/tcp
```
My local socks5 traffic points to shadowsocks.domain.me but obviously Traefik does not route it to the TCP service (shadowsocks-rust).
Any idea how to tell traefik to correctly route my sslocal traffic to shadowsocks-rust running in k8s?
Note: if I bypass Traefik by opening a direct socket tunnel using `kubectl port-forward pod/shadowsocks-rust-6ff96bd5dc-qnppw 8388:8388`, it actually works, but that requires kubectl...
Thanks a lot!
Edit: replaced IngressRoute with IngressRouteTCP. Still not working.
That is because you are not using the right port in the IngressRouteTCP definition. The shadowsocks-rust Service exposes port 80 and sends packets to port 8388 on the shadowsocks-rust pod, as shown here.
The configuration should look like the following:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: shadowsocks-rust
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`*`)
      services:
        - name: shadowsocks-rust
          port: 80 # <--- Fix the port
  tls:
    certResolver: le
```
That's why my IngressRouteTCP port is set to 8388.
Also, bypassing Traefik by running `kubectl port-forward pod/shadowsocks-rust-6ff96bd5dc-qnppw 8388:8388` (effectively mapping local 8388 to the ss-rust pod's port 8388) works! (i.e. I can then route traffic to my 127.0.0.1:8388 socks proxy and it correctly exits through the remote ss-rust pod; checking my IP confirms this.)
That's why I suspect the problem is related to my Traefik config somehow...
Changing the port in the ConfigMap modifies only the port inside the shadowsocks-rust pod, and that's why it is possible to port-forward to the pod on port 8388.
But the port exposed by the Kubernetes Service is 80, as shown below.
```yaml
# Source: shadowsocks-rust/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: shadowsocks-rust
  labels:
    helm.sh/chart: shadowsocks-rust-0.1.0
    app.kubernetes.io/name: shadowsocks-rust
    app.kubernetes.io/instance: shadowsocks-rust
    app.kubernetes.io/version: "1.x.x"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - name: ss-8388
      targetPort: 8388 # <-- This is the port of the Pod
      protocol: TCP
      port: 80 # <-- This is the port exposed by the service which should be referenced in the Ingress
  selector:
    app.kubernetes.io/name: shadowsocks-rust
    app.kubernetes.io/instance: shadowsocks-rust
```
This means that `kubectl port-forward service/shadowsocks-rust 80:80` should work while `kubectl port-forward service/shadowsocks-rust 8388:8388` should not.
I'm not sure which dashboard you are talking about. Shadowsocks-rust doesn't have any HTTP dashboard.
That's why I think the websecure entryPoint with le TLS might be useless in this case? (Even though I don't think the entryPoint makes any assumption about the protocol used to connect, HTTP or TCP, right?)
If you were talking about the Traefik dashboard, here are two screenshots:
But log entries seem to appear randomly (at least not related to my connection tries).
And looking at the Traefik logs, again, no log entry appears when I try to connect to shadowsocks.domain.me:443 from my shadowsocks client.
And bypassing Traefik altogether using `kubectl port-forward service/shadowsocks-rust 8388:8388` works, as I said; when checking my IP on https://whatismyipaddress.com/, here are the ss-rust logs:
Even though ss-rust reports an error, I can actually redirect my browser traffic through the socks5 proxy.
What I'm trying to achieve is to connect to ss-rust using a domain name and preferably port 443 (shadowsocks.domain.me:443 instead of kubectl port-forward + 127.0.0.1:3383).
> I'm not sure which dashboard you are talking about. Shadowsocks-rust doesn't have any HTTP dashboard.
Sorry, I meant what is the error when trying to connect to the shadowsocks server from a client?
Could you provide us the debug log (from the beginning)?
Hi @kevinpollet, sorry for the late reply. I've enabled --log.level=DEBUG for traefik, and the log error that looks related to me trying to connect to ss-rust directly via traefik + fqdn is this:
```
time="2023-02-06T21:50:36Z" level=debug msg="http: TLS handshake error from X.X.X.X:50800: tls: unsupported SSLv2 handshake received"
time="2023-02-06T21:51:02Z" level=error msg="Error while Hello: EOF"
time="2023-02-06T21:51:02Z" level=debug msg="http: TLS handshake error from X.X.X.X:38708: tls: first record does not look like a TLS handshake"
time="2023-02-06T21:51:02Z" level=error msg="Error while Hello: EOF"
```
My local ss client complains about:
```
2023-02-06 22:50:48 ERROR: invalid password or cipher
```
But the password and cipher are correct, because it works when bypassing Traefik.
And nothing is logged on the ss-rust server.
So it's like Traefik is not forwarding the TCP connection, and so local client is trying to negotiate shadowsocks connection with Traefik.
Probably I should not use the websecure entrypoint with the Let's Encrypt certificate? (The websecure entrypoint scheme is https, and I guess shadowsocks is not talking HTTPS.)
> Probably I should not use the websecure entrypoint with the Let's Encrypt certificate? (The websecure entrypoint scheme is https, and I guess shadowsocks is not talking HTTPS.)

You are right, I reproduced the issue some time ago, and I had the same conclusion. My shadowsocks-rust client was not supporting TLS and I had the same errors in the Traefik logs (which is confirmed by the Traefik logs, saying that there is an error during the TLS client hello).
After removing the TLS section in my IngressRoute everything was working as expected.
```
time="2023-02-10T12:03:24Z" level=debug msg="Adding route shadowsocks.domain.me on TCP" routerName=default-shadowsocks-rust-cbbd5b34c18086973318@kubernetescrd entryPointName=websecure
time="2023-02-10T12:03:24Z" level=warning msg="TCP Router ignored, cannot specify a Host rule without TLS" entryPointName=websecure routerName=default-shadowsocks-rust-cbbd5b34c18086973318@kubernetescrd
```
And my shadowsocks client still complains with `ERROR: invalid password or cipher`, and Traefik still complains with `level=debug msg="http: TLS handshake error from XXX.XXX.XXX.XXX:XXXXXX: tls: first record does not look like a TLS handshake"`.
Without TLS it is not possible to do SNI routing (SNI is part of TLS), this means that you have to dedicate a TCP port for shadowsocks traffic (see Traefik Routers Documentation - Traefik).
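A concrete version of that dedicated-port setup, as an added example that is not from the thread or from the Traefik project: it assumes a new entrypoint named `shadowsocks` on port 8388/tcp (the entrypoint name and port are my choice, not something the thread specifies), keeps Service port 80 from the answer above, and drops the `tls` section so Traefik passes the raw TCP stream through instead of trying to terminate TLS on a protocol that is not TLS.

```yaml
# Added example, not the thread's own manifest.
# Assumed Traefik static configuration (CLI flag form), declaring a TCP-only
# entrypoint that carries nothing but shadowsocks traffic:
#   --entrypoints.shadowsocks.address=:8388/tcp
# If Traefik runs behind a Kubernetes Service of type LoadBalancer / NodePort,
# that Service also needs a ports entry for 8388, otherwise nothing reaches
# the new entrypoint from outside the cluster.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: shadowsocks-rust
spec:
  entryPoints:
    - shadowsocks            # dedicated port; do not reuse websecure
  routes:
    - kind: Rule
      # Without TLS there is no ClientHello and therefore no SNI to match on,
      # so HostSNI(`*`) is the only rule Traefik accepts here. A Host rule on a
      # non-TLS router is ignored (the warning seen in the logs above).
      match: HostSNI(`*`)
      services:
        - name: shadowsocks-rust
          port: 80             # Service port, which maps to targetPort 8388 on the pod
  # No tls: block on purpose. With it, Traefik would try to terminate TLS and
  # log "first record does not look like a TLS handshake" for every client.
```

Two consequences worth stating plainly. First, the shadowsocks.domain.me:443 goal from the original question is not reachable this way: port 443 on `websecure` stays a TLS entrypoint, and a plain shadowsocks client cannot be distinguished by hostname on it. Sharing 443 would require the client to actually speak TLS to Traefik so that an SNI rule has something to match. Second, since Traefik no longer terminates anything on this port, confidentiality and authentication of the tunnel rest entirely on the shadowsocks AEAD cipher and shared password, so the usual hygiene applies: a strong random password, an AEAD cipher, and, if possible, restricting the source addresses that may reach port 8388.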