Traefik 2.0 TLS TCP passthrough

Tags:

tcp

ssl

traefik

I have a VM0 where Traefik is running as a Docker container, and two target systems, VM1 and VM2, which both have a web server running.

All domainA.com requests should go to VM1 via a TCP router with TLS passthrough, because this web service handles its certificates itself.

All domainB.com requests should go to VM2 via an HTTP router, and Traefik should generate the TLS certificates for this domain.

My problem now is that as soon as I add any TLS config to the HTTP router, TCP passthrough seems to stop working. In the logs I see these messages:

time="2020-03-15T21:46:18Z" level=debug msg="Serving default certificate for request: \"subdomain.DomainA.com\""
time="2020-03-15T21:46:18Z" level=debug msg="http: TLS handshake error from 192.168.1.116:55103: remote error: tls: unknown certificate"
time="2020-03-15T21:46:18Z" level=debug msg="Serving default certificate for request: \"subdomain.DomainA.com\""
time="2020-03-15T21:46:18Z" level=debug msg="http: TLS handshake error from 192.168.1.116:55104: remote error: tls: unknown certificate"

And if I visit the website through Traefik, it shows me a self-signed certificate from Traefik.

If I then remove all TLS settings under the HTTP router, passthrough works again.

My Dynamic File:

http:
  routers:
    HTTProuter0:
      # HTTP router: Traefik terminates TLS here with a certificate from the ACME resolver.
      rule: "HostRegexp(`{subdomain:[a-z]+}.domainA.com`)"
      service: "domainA"
      entryPoints:
        - "websecure"
      tls:
        certResolver: "myresolver"
        domains:
          - main: "domainA.com"
            sans:
              - "*.domainA.com"
  services:
    domainA:
      loadBalancer:
        servers:
          # Backend speaks HTTPS; its certificate is not checked because of
          # serversTransport.insecureSkipVerify in the static file.
          - url: "https://192.168.1.13:4433"

tcp:
  routers:
    TCProuter0:
      # TCP router: HostSNI(`*`) is the catch-all; passthrough: true forwards the
      # raw TLS stream to the backend without terminating it in Traefik.
      rule: "HostSNI(`*`)"
      service: "domainB"
      entryPoints:
        - "websecure"
      tls:
        passthrough: true
  services:
    domainB:
      loadBalancer:
        servers:
          - address: "192.168.1.11:443"

My static file:

serversTransport:
  # Disables verification of backend certificates for every HTTP service;
  # convenient in a lab, but it removes protection against a spoofed backend.
  insecureSkipVerify: true

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

  spain:
    address: ":4443"

certificatesResolvers:
  myresolver:
    acme:
      email: [email protected]
      storage: /etc/traefik/acme/acme.json
      # DNS-01 challenge via Cloudflare (the only challenge type that can issue the
      # wildcard requested above); the API token comes from the environment.
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 60
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

api:
  # insecure: true exposes the API and dashboard on port 8080 without authentication.
  insecure: true
  dashboard: true

providers:
  docker: {}
  file:
    directory: /etc/traefik/config
    watch: true

log:
  filePath: /etc/traefik/traefik.log
  level: DEBUG

I've been stuck on this problem for hours now. I am not sure whether it is a bug or whether I am doing something wrong.

Any help would be much appreciated!

Thanks a lot

A3eXy asked Nov 22 '25 14:11


1 Answer

I found the problem. Unbelievable that I wasted so much time on this... It seems Traefik does not support wildcards in combination with domains in HostSNI.

HostSNI(`*`) => works

HostSNI(`*.mydomain.com`) => DOESN'T WORK!!!!

HostSNI(`www.mydomain.com`,`web.mydomain.com`) => works

So I added every domain explicitly and now it works.

A3eXy answered Nov 25 '25 11:11
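The question (TLS passthrough silently turning into TLS termination with Traefik's default certificate) and the answer (only explicit host names or `*` in HostSNI) come down to one mechanism: a TCP router with passthrough only ever sees the SNI from the ClientHello, and if no HostSNI rule matches that name the connection falls through to whatever terminates TLS on the entrypoint. The following is an added example written for this page, not code from the original post or from Traefik: it builds a ClientHello, extracts the SNI the way a peeking proxy does, models the HostSNI matching the answer reports (explicit names and `*` match, a literal `*.domain` entry never equals a real host name), and decides passthrough versus termination. The order in which the `*` catch-all and the terminating HTTP router are consulted is this model's assumption, the backend address 192.168.1.11:443 is taken from the post, and the `probe` helper assumes Traefik's generated fallback certificate carries the CN `TRAEFIK DEFAULT CERT`.

```python
"""Added example, not from the original post or from Traefik: a model of how a Traefik v2
TCP router with `tls.passthrough: true` treats a new connection. Traefik peeks the TLS
ClientHello, reads the SNI and matches it against the HostSNI rules; a matching passthrough
router forwards the untouched bytes to the backend, anything else falls through to TLS
termination with Traefik's own certificate. The matcher models the behaviour the answer
reports (explicit names and `*` match, a literal `*.domain` never does); it is not Traefik's code."""
import socket
import ssl
import struct
from typing import Dict, List, Optional


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying one server_name extension."""
    host = sni.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host                    # host_name(0), len, name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list  # type, ext len, list len
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                         # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"                          # one cipher suite
            + b"\x01\x00" + extensions)                                   # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0


def peek_sni(record: bytes) -> Optional[str]:
    """Extract the SNI host name from a TLS ClientHello record; None if not TLS or no SNI."""
    if len(record) < 5 or record[0] != 0x16:                 # not a TLS handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                        # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                              # skip version and random
    for width in (1, 2, 1):                                 # session_id, cipher_suites, compression
        if len(body) < p + width:
            return None
        p += width + int.from_bytes(body[p:p + width], "big")
    if len(body) < p + 2:
        return None                                         # no extensions block at all
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:  # server_name, name_type host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def host_sni_matches(rule_names: List[str], sni: Optional[str]) -> bool:
    """Model of HostSNI as reported in the answer: `*` matches everything, otherwise the SNI
    must equal one of the listed names. A literal `*.domain` entry is only a name that no
    real host name equals, so it never matches."""
    if "*" in rule_names:
        return True
    return sni is not None and sni.lower() in {n.lower() for n in rule_names}


def route(record: bytes, tcp_routers: List[Dict]) -> str:
    """Decide what an entrypoint with both TCP passthrough routers and a TLS-terminating HTTP
    router does with the first bytes of a connection. Specific HostSNI rules are tried before
    the `*` catch-all (assumed order); only if nothing matches does Traefik terminate TLS."""
    sni = peek_sni(record)
    ordered = sorted(tcp_routers, key=lambda r: "*" in r["hostsni"])   # False sorts first
    for r in ordered:
        if host_sni_matches(r["hostsni"], sni):
            return "passthrough -> " + r["address"]
    return "terminate (HTTP router; Traefik serves its own certificate)"


def is_traefik_default_cert(der: bytes) -> bool:
    """Traefik's generated fallback certificate has CN 'TRAEFIK DEFAULT CERT' (assumption);
    that string is encoded verbatim inside the DER, so a substring test identifies it."""
    return b"TRAEFIK DEFAULT CERT" in der


def probe(host: str, port: int, sni: str, timeout: float = 5.0) -> bool:
    """Live check (needs network): connect to Traefik with the given SNI and report whether the
    leaf certificate is Traefik's default, i.e. TLS was terminated instead of passed through."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # we want the certificate even when it is untrusted
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return is_traefik_default_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    backend = {"address": "192.168.1.11:443"}            # VM1 address taken from the post
    hello = build_client_hello("web.domainA.com")
    print(route(hello, [dict(backend, hostsni=["*.domainA.com"])]))               # falls through
    print(route(hello, [dict(backend, hostsni=["www.domainA.com", "web.domainA.com"])]))
    print(route(build_client_hello("app.domainB.com"), [dict(backend, hostsni=["*"])]))
```

Two things to take from running it. First, the wildcard rule produces exactly the symptom in the question: the SNI is read correctly, nothing matches, and the connection is terminated with Traefik's fallback certificate, which is what "Serving default certificate for request" in the debug log records. Second, the `*` catch-all in the posted configuration also swallows the domainB SNI under this model, so once the real routers are explicit it is worth verifying each host name separately; `probe("192.168.1.10", 443, "web.domainA.com")` (Traefik's own address is an assumption here) should return False for a passthrough name and True for a name that Traefik terminates with its default certificate.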


