Traefik, TLS passtrough

bbratchiv · April 16, 2021, 9:18am

Hello, I have a question regarding Traefik TLS passthrough functionality and TCP entrypoint.
My idea is to perform TLS termination on backend services (which is a web application) and have an end to end encryption.

My Traefik instance(s) is running behind AWS NLB. TLS NLB listener does TLS termination with ACM certificate and then forwards traffic to TLS target group that has Traefik instance(s) as a target.

I was planning to use TLS passthrough in Traefik with TCP router to pass encrypted traffic to backend without decrypting it. In this case Traefik returns 404 and in logs I see

level=debug msg="Serving default certificate for request: \"\""

I assume that with TLS passthrough Traefik should not decrypt anything..

Only when I change Traefik target group to TCP - things are working, but communication between AWS NLB and Traefik is not encrypted.

I would like to know your opinion on my setup and why it's not working and may be there's a better way to achieve end to end encryption. Might it be that AWS NLB doesn't send SNI back to targets after TLS termination?

I want to avoid having TLS certificates in Traefik, because the idea is to run multiple instances of it for HA.
Traefik configuration is following
I'm using v2.4.8

traefik.toml

[serversTransport]
  insecureSkipVerify = true
  # healthcheck is failing  "x509: cannot validate certificate for IP because it doesn't contain any IP SANs"
  # https://doc.traefik.io/traefik/master/routing/overview/#transport-configuration

[log]
  level = "DEBUG"

[entryPoints]
  [entryPoints.websecure]
    address = ":4433"

# Enable API and dashboard
[api]
  # Enable the API in insecure mode
  insecure = true
  # Enabled Dashboard
  dashboard = true

# Enable ping
[ping]
  # Name of the related entry point
  entryPoint = "traefik"

[providers.ecs]
  autoDiscoverClusters = true
  exposedByDefault = false
  refreshSeconds = 60

ECS task definition labels

traefik.enable=true
traefik.http.routers.sbox.priority=15
traefik.http.routers.sbox.rule=Host(`sbox.example.com`)
traefik.http.routers.sbox.entrypoints=websecure
traefik.http.services.sbox.loadbalancer.healthcheck.scheme=https
traefik.http.services.sbox.loadbalancer.healthcheck.interval=10s
traefik.http.services.sbox.loadbalancer.healthcheck.path=/
traefik.http.services.sbox.loadbalancer.server.scheme=https
traefik.tcp.routers.sbox-secured.rule=HostSNI(`sbox.example.com`)
traefik.tcp.routers.sbox-secured.entrypoints=websecure
traefik.tcp.routers.sbox-secured.tls.passthrough=true

Topic		Replies	Views
Terminating TLS and Re-encrypt Traefik v2 rancher , docker	9	1489	January 30, 2024
Impossible to passthrough tls Traefik v2 docker	4	1580	August 2, 2023
TLS passthrough, no SNI Traefik v3 (latest) docker , file	3	257	August 22, 2024
Tls.passthrough with cert possible? Traefik v2 docker	2	970	October 31, 2023
TLS.passthrough on HTTP Router - how to? Traefik v2 tcp	2	731	January 12, 2023

Traefik, TLS passtrough

Related topics