
Traefik 2.0 TLS TCP passthrough


I have a VM0 where Traefik is running in Docker, and two target systems, VM1 and VM2, which both have a webserver running.

All domainA.com requests should go to VM1 via a TCP router with TLS passthrough, because this webservice handles the certificates itself.

All domainB.com requests should go to VM2 via an HTTP router, and Traefik should generate the TLS certs for this domain.

My problem now is that as soon as I add any TLS config to the HTTP router, TCP passthrough seems to stop working. In the logs I see these messages:

time="2020-03-15T21:46:18Z" level=debug msg="Serving default certificate for request: \"subdomain.DomainA.com\""
time="2020-03-15T21:46:18Z" level=debug msg="http: TLS handshake error from 192.168.1.116:55103: remote error: tls: unknown certificate"
time="2020-03-15T21:46:18Z" level=debug msg="Serving default certificate for request: \"subdomain.DomainA.com\""
time="2020-03-15T21:46:18Z" level=debug msg="http: TLS handshake error from 192.168.1.116:55104: remote error: tls: unknown certificate"

And if I visit the website through Traefik, it shows me a self-signed certificate from Traefik.

If I then remove all TLS settings under the HTTP router, passthrough works again.

My Dynamic File:

http:
  routers:

    HTTProuter0:
      rule: "HostRegexp(`{subdomain:[a-z]+}.domainA.com`)"
      service: "domainA"
      entryPoints:
       - "websecure"
      tls:
        certResolver: "myresolver"
        domains:
         - main: "domainA.com"
           sans:
           - "*.domainA.com"
  services:

    domainA:
      loadBalancer:
        servers:
          - url: "https://192.168.1.13:4433"

tcp:
  routers:
    TCProuter0:
      rule: "HostSNI(`*`)"
      service: "domainB"
      entryPoints:
       - "websecure"
      tls:
       passthrough: true

  services:
    domainB:
      loadBalancer:
        servers:
         - address: "192.168.1.11:443"

My static file:

serversTransport:
  insecureSkipVerify: true

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

  spain:
    address: ":4443"

certificatesResolvers:
  myresolver:
    acme:
      email: email@email.com
      storage: /etc/traefik/acme/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 60
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

api:
 insecure: true
 dashboard: true

providers:
 docker: {}
 file:
  directory: /etc/traefik/config
  watch: true

log:
  filePath: /etc/traefik/traefik.log
  level: DEBUG

I've been stuck on this problem for hours now. I am not sure whether it is a bug or whether I am doing something wrong.

Any help would be very appreciated!

Thanks a lot


Solution

  • I found the problem. Unbelievable that I wasted so much time on this... It seems Traefik does not support wildcards in combination with domains in HostSNI.

    HostSNI(`*`) => Works

    HostSNI(`*.mydomain.com`) => DOESN'T WORK !!!!

    HostSNI(`www.mydomain.com`,`web.mydomain.com`) => Works

    So I added every domain explicitly, and now it works.
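Putting this finding together with the setup described in the question, here is an added example dynamic (file provider) configuration, not taken from the original post, with both routers on the same `websecure` entrypoint: the TCP router lists each domainA host explicitly instead of a wildcard and passes TLS through untouched, while the HTTP router terminates TLS for domainB using the `myresolver` ACME resolver. Host names and backend addresses are placeholders.

```yaml
# Added example: Traefik 2.0 dynamic configuration (file provider).
# TCP passthrough for domainA hosts (explicit SNI list, no wildcard),
# TLS termination by Traefik for domainB, both on the "websecure" entrypoint.
tcp:
  routers:
    domainA-passthrough:
      entryPoints:
        - "websecure"
      # Per the finding above, "*.domainA.com" is not matched by HostSNI in
      # Traefik 2.0, so every host is listed; "*" would instead swallow every
      # TLS connection whose SNI no other router claims.
      rule: "HostSNI(`www.domainA.com`, `web.domainA.com`)"
      service: "domainA-backend"
      tls:
        # Forward the raw TLS stream; VM1 presents its own certificate.
        passthrough: true
  services:
    domainA-backend:
      loadBalancer:
        servers:
          - address: "192.168.1.13:443"   # placeholder: VM1

http:
  routers:
    domainB-secure:
      entryPoints:
        - "websecure"
      rule: "Host(`domainB.com`) || Host(`www.domainB.com`)"
      service: "domainB-backend"
      tls:
        # Traefik terminates TLS here and obtains the certificate via ACME.
        certResolver: "myresolver"
  services:
    domainB-backend:
      loadBalancer:
        servers:
          - url: "http://192.168.1.11:8080"   # placeholder: VM2
```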