Wildcard HostSNI matching hijacks all traffic

georger-angel · February 17, 2020, 10:04am

Creating the following IngressRouteTCP will hijack all traffic:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: app
spec:
  routes:
    - match: HostSNI(`*`)
      services:
        - name: app
          port: 80

This is dangerous if the ingress class is shared between multiple teams.

I don't know the best way address this, perhaps a global flag on traefik deployment to disable wildcard host matching.

Topic		Replies	Views
HostSNIRegexp not working for IngressRouteTCP Traefik v2 kubernetes-crd	2	737	December 20, 2022
IngressRoute to match anything not working Traefik v2 kubernetes-ingress	6	1669	September 21, 2023
How to match any host in IngressRoute? Traefik v2 kubernetes-ingress	1	2546	January 14, 2020
IngressRouteTCP configured however backend service failing Traefik v2 tcp	2	704	March 18, 2020
Does Traefik fully support wildcard hostnames definedin Ingress (networking.k8s.io/v1) Traefik v2 kubernetes-ingress	0	432	February 19, 2021

Wildcard HostSNI matching hijacks all traffic

Related topics