What is the disadvantage of using HostSNI(*) in Traefik TCP route mapping?
Now I am using HostSNI(*) to map TCP services like mysql/postgresql... in Traefik 2.2.1 in a Kubernetes cluster v1.18, because I am on my local machine and do not have a valid certificate. This is the config:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mysql-ingress-tcp-route
  namespace: middleware
spec:
  entryPoints:
    - mysql
  routes:
    - match: HostSNI(`*`)
      services:
        - name: report-mysqlha
          port: 3306

This config works fine on my local machine. But I still want to know the side effects of using the HostSNI(*) mapping strategy. What is the disadvantage of using HostSNI(*) instead of a domain name? Is it possible to use a fake domain name on my local machine?

Kobold answered 12/9, 2020 at 5:21 Comment(0)
As of the latest Traefik docs (2.4 at this time):

[1] "If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers."

[2] "It is important to note that the Server Name Indication is an extension of the TLS protocol. Hence, only TLS routers will be able to specify a domain name with that rule. However, non-TLS routers will have to explicitly use that rule with * (every domain) to state that every non-TLS request will be handled by the router."

Therefore, to answer your questions:

  • Using HostSNI(`*`) is the only reasonable way to use an IngressRouteTCP without TLS -- since you're explicitly asking for a TCP router and TCP doesn't speak TLS.
    • I've had mixed success with IngressRouteTCP and HostSNI(`some.fqdn.here`) with a tls: section, but it does appear to be a supported configuration as per [2].
  • One possible "disadvantage" to this (air quotes because it's subjective) is: this configuration means that any traffic that routes to your entrypoint (i.e. mysql) will be routed via this IngressRouteTCP.
    • Consider: if for some reason you had another IngressRoute with the same entrypoint, the IngressRouteTCP would take precedence as per [1].
    • Consider: if, for example, you wanted to route multiple different mysql services via the same entrypoint mysql, you wouldn't be able to based on this configuration.
Dyarchy answered 23/3, 2021 at 22:55 Comment(1)
"If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers" -- did not find this in the official docs, it helped me a lot, thanks! – Girth
For those needing an example of TCP with TLS passthrough and SNI routing:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test-https
  namespace: mynamespace
spec:
  entryPoints:
  - websecure # maps to port 443 by default
  routes:
  - match: HostSNI(`my.domain.com`)
    services:
    - name: myservice
      port: 443
  tls:
    passthrough: true
Chromaticity answered 9/12, 2021 at 13:57 Comment(0)
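The two answers above hinge on one protocol fact: the server name a TCP router matches on is the SNI extension inside a TLS ClientHello, so a plaintext connection (a PostgreSQL startup packet, a MySQL handshake) carries no name at all and can only ever be caught by HostSNI(`*`). The script below is an added example, not Traefik's code or either answer's: it parses the SNI out of a ClientHello (RFC 5246 record and handshake layout, RFC 6066 server_name extension) and then applies a simplified model of Traefik's TCP routing in which specific HostSNI routers are consulted first and the `*` router is the catch-all. The router table, the hostnames and the PostgreSQL startup bytes are constructed for the example; the case-insensitive hostname comparison is an assumption of this model.

```python
"""Model of HostSNI matching for Traefik-style TCP routers (added example).

Shows why a HostSNI(`*`) router absorbs every connection on its entrypoint,
including non-TLS traffic, while a HostSNI(`host`) router (as in the TLS
passthrough example above) only sees TLS connections whose SNI names it.
"""
import struct
from typing import List, Optional, Tuple


def extract_sni(first_bytes: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None when the bytes
    are not a ClientHello or carry no server_name extension."""
    # TLS record header: content type 0x16 (handshake), version, length.
    if len(first_bytes) < 5 or first_bytes[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", first_bytes[3:5])[0]
    body = first_bytes[5:5 + rec_len]
    # Handshake header: type 0x01 (ClientHello), 3-byte length.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext_data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                     # server_name (RFC 6066)
            # ServerNameList: list length(2), name_type(1)=0, name length(2), name
            if len(ext_data) < 5 or ext_data[2] != 0:
                return None
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            return ext_data[5:5 + name_len].decode("ascii", errors="replace")
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension
    (test input for the example; a real client sends far more)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)               # version, random (zeroed here)
             + b"\x00"                             # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
             + b"\x01\x00"                         # one compression method (null)
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed plaintext client bytes: a PostgreSQL StartupMessage
# (length, protocol 3.0, "user\0app\0\0"). No TLS, therefore no SNI.
PG_STARTUP = struct.pack("!II", 4 + 4 + 10, 196608) + b"user\x00app\x00\x00"

# Constructed router table for one entrypoint: (HostSNI host, service).
ROUTERS: List[Tuple[str, str]] = [
    ("my.domain.com", "myservice"),          # TLS passthrough, SNI-specific
    ("report.example.internal", "report-mysqlha"),
    ("*", "catch-all-backend"),              # HostSNI(`*`)
]


def route(routers: List[Tuple[str, str]], first_bytes: bytes) -> Optional[str]:
    """Simplified Traefik-style decision: an SNI-specific router wins when the
    ClientHello names it; otherwise the `*` router (if any) takes the connection."""
    sni = extract_sni(first_bytes)
    if sni is not None:
        for host, service in routers:
            if host != "*" and host.lower() == sni.lower():
                return service
    for host, service in routers:
        if host == "*":
            return service
    return None                                    # no router matched: connection is refused


if __name__ == "__main__":
    for label, data in [("TLS SNI my.domain.com", build_client_hello("my.domain.com")),
                        ("TLS SNI other.host", build_client_hello("other.host")),
                        ("plaintext PostgreSQL", PG_STARTUP)]:
        print(f"{label:24} -> sni={extract_sni(data)!r:28} service={route(ROUTERS, data)}")
```

Dropping the `*` entry from ROUTERS makes `route` return None for the plaintext connection, which is the configuration the original question cannot use without a certificate; keeping only `*` entries sends every connection, TLS or not, to the first of them, which is the "cannot route multiple mysql services via one entrypoint" limitation from the first answer.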