Hello, I have a question regarding Traefik TLS passthrough functionality and TCP entrypoint.
My idea is to perform TLS termination on backend services (which is a web application) and have an end to end encryption.
My Traefik instance(s) is running behind AWS NLB. TLS NLB listener does TLS termination with ACM certificate and then forwards traffic to TLS target group that has Traefik instance(s) as a target.
I was planning to use TLS passthrough in Traefik with TCP router to pass encrypted traffic to backend without decrypting it. In this case Traefik returns 404 and in logs I see
level=debug msg="Serving default certificate for request: \"\""
I assume that with TLS passthrough Traefik should not decrypt anything..
Only when I change Traefik target group to TCP - things are working, but communication between AWS NLB and Traefik is not encrypted.
I would like to know your opinion on my setup and why it's not working and may be there's a better way to achieve end to end encryption. Might it be that AWS NLB doesn't send SNI back to targets after TLS termination?
I want to avoid having TLS certificates in Traefik, because the idea is to run multiple instances of it for HA.
Traefik configuration is following
I'm using v2.4.8
[serversTransport] insecureSkipVerify = true # healthcheck is failing "x509: cannot validate certificate for IP because it doesn't contain any IP SANs" # https://doc.traefik.io/traefik/master/routing/overview/#transport-configuration [log] level = "DEBUG" [entryPoints] [entryPoints.websecure] address = ":4433" # Enable API and dashboard [api] # Enable the API in insecure mode insecure = true # Enabled Dashboard dashboard = true # Enable ping [ping] # Name of the related entry point entryPoint = "traefik" [providers.ecs] autoDiscoverClusters = true exposedByDefault = false refreshSeconds = 60
ECS task definition labels
traefik.enable=true traefik.http.routers.sbox.priority=15 traefik.http.routers.sbox.rule=Host(`sbox.example.com`) traefik.http.routers.sbox.entrypoints=websecure traefik.http.services.sbox.loadbalancer.healthcheck.scheme=https traefik.http.services.sbox.loadbalancer.healthcheck.interval=10s traefik.http.services.sbox.loadbalancer.healthcheck.path=/ traefik.http.services.sbox.loadbalancer.server.scheme=https traefik.tcp.routers.sbox-secured.rule=HostSNI(`sbox.example.com`) traefik.tcp.routers.sbox-secured.entrypoints=websecure traefik.tcp.routers.sbox-secured.tls.passthrough=true