docs: TLS - Include passthrough=true on implicit ports for Traefik example #3568
Conversation
I don't mind approving this change, although I'd love it if there were a more consistent config experience with Traefik, since several users reported recently having success and failure with different ports 🤔
- "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl" | ||
- "traefik.tcp.routers.smtp-ssl.tls.passthrough=true" |
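Review bot: the doc example should say why this line belongs only on the implicit-TLS routers: with `tls.passthrough=true` Traefik forwards the still-encrypted stream to DMS on 465, so DMS (not Traefik) holds the certificate for that connection, while the STARTTLS ports keep `tls=false` because Traefik cannot do the STARTTLS upgrade itself. Suggest a one-line comment above `traefik.tcp.routers.smtp-ssl.tls.passthrough=true` noting this, so readers do not copy the label onto the STARTTLS routers.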
👍

Reference:
- https://doc.traefik.io/traefik/routing/routers/#passthrough
- https://traefik.io/blog/traefik-2-tls-101-23b4fbee81f1/#what-about-passthrough

Doesn't require `tls=false`, but should hand the traffic over to DMS on port 465 encrypted, and DMS will handle the connection (and presumably certs).

Related:
- `HostSNI` must either be an explicit value with no wildcard, or only `*`.
- Ports that use StartTLS instead should not proxy through Traefik for TLS/certs; they need to establish a plain-text connection to DMS ports to upgrade to TLS explicitly, so `.tls=false` is appropriate for those TCP router port configs AFAIK, as Traefik does not support StartTLS:
- "traefik.tcp.routers.smtp-ssl.service=smtp-ssl" | ||
- "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465" | ||
- "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1" | ||
- "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)" | ||
- "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl" | ||
- "traefik.tcp.routers.imap-ssl.service=imap-ssl" | ||
- "traefik.tcp.routers.esmtp.tls.passthrough=true" |
I think you meant to reference the `imap-ssl` router, not `esmtp`?:
- "traefik.tcp.routers.esmtp.tls.passthrough=true" | |
- "traefik.tcp.routers.imap-ssl.tls.passthrough=true" |
I'm not familiar with why the `proxyProtocol.version` is sometimes 1 or 2, perhaps due to Postfix / Dovecot support? I understand it's to ensure that the original client IP is handed over correctly so it doesn't get misunderstood as directly from Traefik. But I'm not sure if that's required for each different supported way that Traefik routes to different DMS ports 🤷‍♂️
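A consistency check for these labels, as an added example (not code from this PR or from docker-mailserver), that encodes the rule discussed above: routers in front of implicit-TLS ports (465/993/995) need `tls.passthrough=true`, routers in front of STARTTLS ports (25/587/143/110) keep `tls=false`, and a router that sets `tls.passthrough` must also have a rule, entrypoint and service (which catches the `esmtp` / `imap-ssl` mix-up). The port roles and the sample labels are constructed assumptions.

```python
import re
from collections import defaultdict
# Assumed port roles (see the discussion above): implicit-TLS ports need Traefik to pass the
# encrypted stream through untouched, STARTTLS ports must reach DMS as plain TCP (tls=false).
IMPLICIT_TLS_PORTS = {465, 993, 995}
STARTTLS_PORTS = {25, 587, 143, 110}
LABEL_RE = re.compile(r"^traefik\.tcp\.(routers|services)\.([^.]+)\.(.+?)=(.*)$")

def parse_labels(labels):
    """Group traefik.tcp.* labels into {'routers': {name: {key: value}}, 'services': {...}}."""
    cfg = {"routers": defaultdict(dict), "services": defaultdict(dict)}
    for label in labels:
        m = LABEL_RE.match(label.strip().lstrip("- ").strip('"'))  # also accepts compose list lines
        if m:
            kind, name, key, value = m.groups()
            cfg[kind][name][key] = value
    return cfg

def lint_tcp_routers(labels):
    """Return findings as strings; an empty list means the labels are consistent."""
    cfg = parse_labels(labels)
    findings = []
    for name, router in sorted(cfg["routers"].items()):
        for key in ("rule", "entrypoints", "service"):
            if key not in router:  # a stray label on a router name nobody configured
                findings.append(f"router {name}: missing '{key}'")
        svc = cfg["services"].get(router.get("service"), {})
        port = int(svc.get("loadbalancer.server.port", 0))
        passthrough = router.get("tls.passthrough", "false").lower() == "true"
        if port in IMPLICIT_TLS_PORTS and not passthrough:
            findings.append(f"router {name}: port {port} is implicit TLS, set tls.passthrough=true")
        if port in STARTTLS_PORTS and (passthrough or router.get("tls", "false") != "false"):
            findings.append(f"router {name}: port {port} uses STARTTLS, keep tls=false (no passthrough)")
    return findings

# Constructed sample mirroring the PR snippet: passthrough sits on a router named 'esmtp'
# while the surrounding labels configure 'imap-ssl', which itself lacks passthrough.
SAMPLE_LABELS = [
    "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)",
    "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl",
    "traefik.tcp.routers.smtp-ssl.service=smtp-ssl",
    "traefik.tcp.routers.smtp-ssl.tls.passthrough=true",
    "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465",
    "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)",
    "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl",
    "traefik.tcp.routers.imap-ssl.service=imap-ssl",
    "traefik.tcp.services.imap-ssl.loadbalancer.server.port=993",
    "traefik.tcp.routers.esmtp.tls.passthrough=true",
]
```

Running `lint_tcp_routers(SAMPLE_LABELS)` reports the three missing keys on `esmtp` and the missing passthrough on `imap-ssl`; moving the label to `imap-ssl` clears both.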
Documentation preview for this PR is ready! 🎉 Built with commit: 7fc3def
Description

As discussed in #3563, I have added the passthrough option to the reverse proxy doc.