I set up Traefik to act as a reverse proxy for a third-party service. The idea is to hide the client IP address from the third party. The network environment this Traefik instance sits in requires the use of a forward proxy for outgoing traffic to the internet. So I configured Traefik like normal, with file provider, and with the environment variable HTTPS_PROXY=https://user@password:forward-proxy.local:443, which worked fine.
I then added the option serversTransports.myTransport.serviceName in hopes of enforcing Host header and SNI check for upstream server.
What did you see instead?
I get an error message similar to below:
{"level":"debug","msg":"'502 Bad Gateway' caused by: proxyconnect tcp: tls: failed to verify certificate: x509: certificate is valid for forward-proxy.local, not third-party.local","time":"2024-01-31T13:50:56Z"}
What version of Traefik are you using?
$ ./traefik version
Version: 2.11.0-rc2
Codename: cheddar
Go version: go1.21.6
Built: 2024-01-24T17:46:22Z
OS/Arch: linux/amd64
Hello @chrillefkr and thanks for bringing this issue to our attention,
After conducting investigations, we have determined that the problem is not with Traefik, but with Go itself. Within the net/http stack, the TLS configuration utilized for connecting to the backend is also employed for connecting to the HTTPS_PROXY.
Consequently, configuring the serverName results in the proxyconnect tcp: tls: failed to verify certificate error because the HTTPS_PROXY certificate does not match the expected serverName.
We will now explore potential solutions to rectify this issue within the Go net/http stack.
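The behaviour described in the reply above can be reproduced with Go's net/http alone. This is an added example, not code from the issue, Traefik or the Go project; the local httptest server standing in for the forward proxy, the function name proxyHandshake and the refused CONNECT are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// proxyHandshake sends one request for https://third-party.local/ through a
// constructed local HTTPS forward proxy. serverName plays the role of the
// backend serverName option. It returns the SNI the proxy saw and the error.
func proxyHandshake(serverName string) (string, error) {
	sni := make(chan string, 1)
	proxy := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			// Constructed proxy: refuse every CONNECT, only the handshake matters here.
			http.Error(w, "tunnel refused", http.StatusForbidden)
		}))
	proxy.TLS = &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		sni <- h.ServerName // record the name the client presented to the proxy
		return nil, nil
	}}
	proxy.StartTLS()
	defer proxy.Close()

	roots := x509.NewCertPool()
	roots.AddCert(proxy.Certificate()) // trust the proxy's test certificate
	proxyURL, _ := url.Parse(proxy.URL)
	tr := &http.Transport{
		Proxy: http.ProxyURL(proxyURL),
		// Intended for the backend, but net/http also uses it to dial the proxy.
		TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: serverName},
	}
	defer tr.CloseIdleConnections()
	req, _ := http.NewRequest(http.MethodGet, "https://third-party.local/", nil)
	_, err := tr.RoundTrip(req)
	return <-sni, err
}

func main() {
	for _, name := range []string{"", "third-party.local"} {
		sni, err := proxyHandshake(name)
		fmt.Printf("ServerName=%q proxy saw SNI=%q err=%v\n", name, sni, err)
	}
}
```

With ServerName set, the proxy receives the backend's name as SNI and the client fails with a proxyconnect x509 error of the same form as the log line above; with it unset, the handshake to the proxy verifies and only the refused CONNECT is reported.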
Welcome!
What did you do?
I set up Traefik to act as a reverse proxy for a third-party service. The idea is to hide the client IP address from the third party. The network environment this Traefik instance sits in requires the use of a forward proxy for outgoing traffic to the internet. So I configured Traefik like normal, with file provider, and with the environment variable HTTPS_PROXY=https://user@password:forward-proxy.local:443, which worked fine.
I then added the option serversTransports.myTransport.serviceName in hopes of enforcing Host header and SNI check for upstream server.
What did you see instead?
I get an error message similar to below:
What version of Traefik are you using?
From 2.11.0-rc2 release
What is your environment & configuration?
Something like below:
Invocation:
I've created a tarball with tests for reproducing this: https://0x0.st/HDOL.tar.gz
If applicable, please paste the log output in DEBUG level
Debug JSON output from Traefik only:
Full log from test (see tarball):