We're migrating from NGINX Ingress to Traefik and encountering issues with wildcard subdomain routing when the Host
header is rewritten by an upstream proxy.
Setup:
- Using an `IngressRoute` with a rule like:

  ```
  Host(`kbsite.titans.document360.net`) && PathPrefix(`/`)
  ```

- DNS chain:

  `*.titans.document360.net` → `cf-kb-titans` (Cloudflare Load Balancer) → `kbsite.titans.document360.net` (Azure backend pool) → LoadBalancer (Traefik)

- TLS is terminated at Traefik (`entryPoints: [websecure]`)
- The upstream (Cloudflare) sets the `Host` header to `kbsite.titans.document360.net`
- The original subdomain (e.g., `forward.titans.document360.net`) is passed via the `X-Forwarded-Host` header
---
### ⚠️ Issue:
Traefik matches and routes the request based on the `Host` header `kbsite.titans.document360.net`, even though the actual request was sent to `forward.titans.document360.net` (or other wildcard subdomains). The routing rule does not work as expected due to the overridden `Host`.
---
### 🛠 Workaround Attempted:
We tried using middleware to override the `Host` header with the original value from `X-Forwarded-Host`:
```yaml
customRequestHeaders:
  Host: '{{ .Request.Header.Get "X-Forwarded-Host" }}'
```
However, this did not help Traefik match the request correctly — it still routed based on the rewritten `Host`, not the intended subdomain.
---
### ❓ Questions:
* Is there a recommended way to support wildcard subdomain routing when the upstream rewrites the `Host` header?
* Can Traefik route based on TLS SNI or `X-Forwarded-Host` in HTTP routers (`IngressRoute`)?
* Any best practices for this scenario when using Cloudflare or similar proxies?
Thanks in advance!
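One way to express the routing this post asks about, as an added example that is not part of the original post and not a Traefik-project recommendation: match on the hostname the proxy forwards in `X-Forwarded-Host` instead of the rewritten `Host`, and only trust that header when the request really came from the proxy. It assumes Traefik v3 rule syntax (`HeaderRegexp`; on Traefik v2 the matcher is spelled `HeadersRegexp`), and the namespace, service name, and the CIDR in `trustedIPs` are placeholders.

```yaml
# Added example (not from the original post). Part 1: an IngressRoute that
# routes on the forwarded hostname. Assumes Traefik v3 matcher names;
# Traefik v2 uses HeadersRegexp instead of HeaderRegexp.
# Namespace and backend service name are placeholders.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: kb-wildcard
  namespace: kb
spec:
  entryPoints:
    - websecure
  routes:
    # Match only when the proxy rewrote Host to the backend-pool name AND the
    # forwarded hostname is exactly one label under the wildcard zone. The
    # anchored regex allows no dots in the label, so neither
    # "evil.example.com" nor "a.b.titans.document360.net" matches.
    - match: >-
        Host(`kbsite.titans.document360.net`) &&
        HeaderRegexp(`X-Forwarded-Host`, `(?i)^[a-z0-9-]+\.titans\.document360\.net$`)
      kind: Rule
      services:
        - name: kb-backend
          port: 80
  tls: {}
---
# Part 2: static (entrypoint) configuration, which lives in Traefik's own
# config file, not in a Kubernetes manifest. Only requests arriving from the
# listed source addresses keep their X-Forwarded-* headers; from any other
# source Traefik strips X-Forwarded-Host before the router sees it, so a
# client hitting the load balancer directly cannot pick its route by forging
# the header. The CIDR is illustrative only: use the proxy's published
# ranges (for Cloudflare, https://www.cloudflare.com/ips/).
entryPoints:
  websecure:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - "173.245.48.0/20"
```

The `trustedIPs` list is compared against the source address Traefik actually observes. Behind a cloud load balancer that SNATs traffic (for example a Kubernetes `Service` with `externalTrafficPolicy: Cluster`), that address is the node or LB address rather than the proxy's, the list never matches, and the forwarded header is stripped on every request; check the client address in Traefik's access log before relying on this, and preserve the real source address (proxy protocol or `externalTrafficPolicy: Local`) if it is being rewritten.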