Traefik, TLS passtrough


Hello, I have a question regarding Traefik TLS passthrough functionality and TCP entrypoint.
My idea is to perform TLS termination on backend services (which is a web application) and have an end to end encryption.

My Traefik instance(s) is running behind AWS NLB. TLS NLB listener does TLS termination with ACM certificate and then forwards traffic to TLS target group that has Traefik instance(s) as a target.

I was planning to use TLS passthrough in Traefik with TCP router to pass encrypted traffic to backend without decrypting it. In this case Traefik returns 404 and in logs I see

level=debug msg="Serving default certificate for request: \"\""

I assume that with TLS passthrough Traefik should not decrypt anything..

Only when I change Traefik target group to TCP - things are working, but communication between AWS NLB and Traefik is not encrypted.

I would like to know your opinion on my setup and why it's not working and may be there's a better way to achieve end to end encryption. Might it be that AWS NLB doesn't send SNI back to targets after TLS termination?

I want to avoid having TLS certificates in Traefik, because the idea is to run multiple instances of it for HA.
Traefik configuration is following
I'm using v2.4.8


  insecureSkipVerify = true
  # healthcheck is failing  "x509: cannot validate certificate for IP because it doesn't contain any IP SANs"

  level = "DEBUG"

    address = ":4433"

# Enable API and dashboard
  # Enable the API in insecure mode
  insecure = true
  # Enabled Dashboard
  dashboard = true

# Enable ping
  # Name of the related entry point
  entryPoint = "traefik"

  autoDiscoverClusters = true
  exposedByDefault = false
  refreshSeconds = 60

ECS task definition labels


1 Like