Unable to Connect to MSSQL via Traefik on Port 1433, Other Services Work

I have a Dockerized setup using Traefik as a reverse proxy, and I'm unable to connect to my MSSQL service on port 1433 from outside the host. However, I can connect to the MSSQL instance from inside the host without any issues. Other services like Grafana, MinIO, and Portainer work perfectly when accessed externally.

Here’s my setup:

This is my docker

services:
  mssql:
    build:
      context: .
      dockerfile: compose/mssql/Dockerfile
    container_name: mssql
    hostname: mssql
    platform: linux/amd64
    env_file:
      - ./.env
    ports:
      - "1433:1433"
    volumes:
      - ./data/mssql/data:/var/opt/mssql/data
      - ./data/mssql/log:/var/opt/mssql/log
      - ./compose/mssql/config/init.sql:/var/opt/mssql/init.sql:ro
      - ./compose/mssql/config/mssql.conf:/var/opt/mssql/mssql.conf:ro
      - ./certs:/etc/letsencrypt:ro
    networks:
      - internal_network
    restart: unless-stopped

  traefik:
    image: traefik:v2.10
    container_name: traefik
    hostname: traefik.test
    ports:
      - "80:80"
      - "443:443"
      - "1433:1433"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./compose/traefik/config/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./certificates:/etc/traefik/ssl/:ro
    networks:
      - internal_network
      - public_network
    restart: unless-stopped

This is my traefik config

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  mssql:
    address: ":1433"

tcp:
  routers:
    mssql:
      rule: "HostSNI(`mssql-test.example.com`)"
      entryPoints:
        - mssql
      service: mssql-service
      tls:
        passthrough: true

  services:
    mssql-service:
      loadBalancer:
        servers:
          - address: mssql:1433

What works: MSSQL can be accessed from inside the host using tools like sqlcmd.

Three potential issues:

  1. Traefik expects a static (entrypoints, providers) and a separate dynamic (routers, services, TLS) config.
  2. You assume that MSSQL supports TLS with HostSNI; is that the case? If not, use HostSNI(`*`) for a dumb TCP router.
  3. Did you load the TLS certs in Traefik? Because to use HostSNI with a domain name, Traefik needs the cert to decrypt the request. If not, use HostSNI(`*`) and do not activate any TLS in Traefik (like passthrough: true), or Traefik will create and use a custom cert, which your client won’t like.

Compare to simple Traefik TCP example.
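
The split described in points 1 and 2, as an added example that is not part of the original posts: the entry points stay in the static file, and the TCP router moves to a dynamic file with a catch-all HostSNI rule and no TLS section. The file name `dynamic.yml`, its mount path `/etc/traefik/dynamic.yml`, and the matching volume entry are assumptions.

```yaml
# --- /etc/traefik/traefik.yml (static configuration, read once at startup) ---
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  mssql:
    address: ":1433"

providers:
  # Keep any providers already in use (for example docker) alongside this one.
  file:
    # Assumed path; mount it in the traefik service, e.g.
    #   - ./compose/traefik/config/dynamic.yml:/etc/traefik/dynamic.yml:ro
    filename: /etc/traefik/dynamic.yml
    watch: true

---
# --- /etc/traefik/dynamic.yml (dynamic configuration, loaded by the file provider) ---
tcp:
  routers:
    mssql:
      # Catch-all rule: every connection on the mssql entry point is forwarded
      # unchanged, so no SNI is required from the client.
      rule: "HostSNI(`*`)"
      entryPoints:
        - mssql
      service: mssql-service
      # No tls section here: Traefik neither terminates nor inspects TLS.
      # Any encryption is negotiated between the client and MSSQL itself.
      # Because the rule matches every client, limit access to port 1433
      # at the firewall or network level.

  services:
    mssql-service:
      loadBalancer:
        servers:
          - address: "mssql:1433"
```

The compose file in the question publishes host port 1433 from both the mssql and the traefik containers; only one container can bind it, and publishing it from mssql exposes the database directly rather than through the proxy.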