Traefik TLSOption clientAuth returns 404 (mTLS)

Hi all,

I'm attempting to implement a basic mTLS example in my Kubernetes cluster, following the docs here: https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls.

As soon as I annotate my ingress with traefik.ingress.kubernetes.io/router.tls.options, all I receive from the URL is a 404.

I have confirmed in the dashboard that the TLS option has been associated with the route successfully.

TLSOption + Ingress yaml:

apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: tls-option
  namespace: test
spec:
  clientAuth:
    secretNames:
      - mtls-cert
    clientAuthType: RequireAndVerifyClientCert
  minVersion: VersionTLS12
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: test
  annotations:
    traefik.ingress.kubernetes.io/router.tls.options: test-tls-option@kubernetescrd
spec:
  rules:
  - host: host.example.com
    http:
      paths:
      - backend:
          service:
            name: app
            port:
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
      - host.example.com
    secretName: app-cert

Log:

{"ClientAddr":"1.1.1.1:60622","ClientHost":"1.1.2.2","ClientPort":"60622","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":116987,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":116987,"RequestAddr":"host.example.com","RequestContentSize":0,"RequestCount":19,"RequestHost":"host.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2025-04-28T11:00:24.894326798Z","StartUTC":"2025-04-28T11:00:24.894326798Z","entryPointName":"websecure","level":"info","msg":"","time":"2025-04-28T11:00:24Z"}

Any ideas?

OK, having dug further into this: any time I enable TLS on a route it returns a 404, regardless of TLS options being set.

Further context: my ingress traffic is going through an AWS NLB TLS listener with a default certificate configured. If I alter this to just a TCP listener, everything starts to work as expected, for TLS routes and with mTLS options configured.

Is it possible to achieve mTLS with the TLS listener on an AWS NLB?
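An added log check, not part of the post above and not Traefik's own tooling: the access-log entry quoted in the post shows "RequestScheme":"http" on entrypoint "websecure", with OriginStatus 0 (no backend was contacted) and DownstreamStatus 404. The script below parses Traefik JSON access-log lines and flags two things: requests that arrive in plaintext on an entrypoint that is expected to carry TLS (which is what happens when a load balancer in front terminates TLS for you), and 404s that never reached a backend (no router matched). It assumes the TLS entrypoint is named websecure, as in the post; the sample lines are constructed, the first being a trimmed copy of the posted entry.

```python
import json

# Assumption: the TLS entrypoint is called "websecure" (the name in the posted log).
TLS_ENTRYPOINTS = {"websecure"}

# Constructed sample log. Line 1 is the entry from the post (trimmed to the
# relevant fields); lines 2 and 3 are made up for comparison: a healthy HTTPS
# request and a plain router miss on a host no router serves.
SAMPLE_LOG = "\n".join([
    json.dumps({"ClientAddr": "1.1.1.1:60622", "DownstreamStatus": 404,
                "OriginStatus": 0, "RequestHost": "host.example.com",
                "RequestPath": "/", "RequestScheme": "http",
                "entryPointName": "websecure", "time": "2025-04-28T11:00:24Z"}),
    json.dumps({"ClientAddr": "1.1.1.1:60623", "DownstreamStatus": 200,
                "OriginStatus": 200, "RequestHost": "host.example.com",
                "RequestPath": "/", "RequestScheme": "https",
                "entryPointName": "websecure", "time": "2025-04-28T11:01:00Z"}),
    json.dumps({"ClientAddr": "1.1.1.1:60624", "DownstreamStatus": 404,
                "OriginStatus": 0, "RequestHost": "other.example.com",
                "RequestPath": "/", "RequestScheme": "https",
                "entryPointName": "websecure", "time": "2025-04-28T11:02:00Z"}),
    "time=\"2025-04-28T11:02:30Z\" level=info msg=\"not a JSON line\"",
])


def parse_access_log(text: str) -> list[dict]:
    """Parse one JSON object per line; skip blank and non-JSON lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. plain-text startup messages mixed into the same stream
    return entries


def classify(entry: dict) -> str:
    """Label one access-log entry.

    plaintext-on-tls-entrypoint: the request reached a TLS entrypoint without
        TLS, so TLS/mTLS routers cannot match it (TLS was terminated upstream).
    no-router-matched: Traefik answered 404 itself, no backend was contacted.
    ok: anything else.
    """
    if entry.get("entryPointName") in TLS_ENTRYPOINTS and entry.get("RequestScheme") == "http":
        return "plaintext-on-tls-entrypoint"
    if entry.get("DownstreamStatus") == 404 and entry.get("OriginStatus", 0) == 0:
        return "no-router-matched"
    return "ok"


def find_suspect_entries(text: str) -> list[tuple]:
    """Return (time, host, label) for every entry that is not 'ok'."""
    suspects = []
    for entry in parse_access_log(text):
        label = classify(entry)
        if label != "ok":
            suspects.append((entry.get("time"), entry.get("RequestHost"), label))
    return suspects


if __name__ == "__main__":
    for when, host, label in find_suspect_entries(SAMPLE_LOG):
        print(f"{when} {host}: {label}")
```

Run it against a real access log (`kubectl logs <traefik-pod> | python3 check_access_log.py`-style piping is left to the reader) and look for the first label: if HTTPS clients show up as RequestScheme http on the TLS entrypoint, the TLS handshake is happening on the device in front of Traefik, so Traefik never sees the client certificate and a RequireAndVerifyClientCert option cannot be enforced there.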