Traefik cannot process CONNECT http request method. #9708
Comments
For the maintainers - we're currently on
Hello @OrvilleQ @prashant-warrier-echelonvi, Can you provide the full debug logs of the Traefik instance? As an alternative, it would also be great if you can share with us a short reproducible case (e.g.: a docker-compose) to help us to identify the issue.
@rtribotte Sorry for the late reply. Inside this zip file is the YAML to deploy the application that I use and how to connect to it. Full debug log might have to wait till tonight if I have time, quite busy these days.
Here is a full debug log. @rtribotte The log should me I masked some personal related data hope you don't mind.
Hello @OrvilleQ, At a glance, I maintain that the access logs indicate that the 404 response is produced by Traefik because no router matched the request. I noticed that the router
@rtribotte Thanks for your reply. I'm pretty sure the client is issuing a TLS request since the client does not support plain HTTP for security reasons. Also I've already provided the config file of the client and how to set it up in connect.zip
If you take a closer look at the spec (RFC 9110, section 9.3.6), I'm sure you'll realize that Traefik or any other reverse proxy cannot route CONNECT requests based only on the Host:
Because the So the fact is that it's not that Traefik cannot process CONNECT requests, but that you're using it wrong. I believe instead of dedicating a separate TCP port to your service, you can use a SNI-based TCP router (of course, that also requires TLS to work):
Or, if you insist on using an HTTP router, then I think you can only do routing based on the request path or request headers. In any case, you can't achieve your purpose with Host. So I believe this is not a bug.
any updates on this?
Hello, @OrvilleQ Sorry for the late answer. Traefik is forwarding CONNECT as is, and does not act as an HTTP proxy itself. Making Traefik an HTTP Proxy would defeat the reverse proxy configuration and would let the client target any backend, which is not desirable and could be a vulnerability. On the other hand, reverse proxying an HTTP proxy, by making Traefik able to act as the client initiating the tunnel with an HTTP proxy backend, is not possible with a layer 7 reverse proxy (HTTP routers). We are wondering if it would be better to refuse CONNECT HTTP method and document it.
Hello, We conclude this to be a bug and it would be better to refuse HTTP Don't forget to check out the contributor docs and link the PR to this issue.
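The refusal proposed in the comments above, sketched as an added example (not Traefik's code and not from the issue): a Go `net/http` wrapper that answers `CONNECT` with 405, together with a parse of an authority-form `CONNECT` showing that the host `net/http` exposes to a Host-based matcher is the tunnel target rather than the `Host` header. The function names, the `Allow` list and the `.test` hostnames are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// refuseConnect (hypothetical name) answers CONNECT with 405 instead of forwarding it.
func refuseConnect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodConnect {
			// A 405 response carries an Allow header; this list is an assumption.
			w.Header().Set("Allow", "GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS")
			http.Error(w, "CONNECT is not supported", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// serveRaw parses one raw HTTP/1.1 request, runs it through the guarded
// handler, and returns the host net/http exposes as r.Host plus the status.
func serveRaw(raw string) (string, int, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", 0, err
	}
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	refuseConnect(backend).ServeHTTP(rec, req)
	return req.Host, rec.Code, nil
}

func main() {
	// Constructed samples (placeholder hosts); the second uses an authority-form target.
	samples := []string{
		"GET /api HTTP/1.1\r\nHost: proxy.example.test\r\n\r\n",
		"CONNECT backend.internal.test:443 HTTP/1.1\r\nHost: proxy.example.test\r\n\r\n",
	}
	for _, raw := range samples {
		host, status, err := serveRaw(raw)
		fmt.Printf("host=%q status=%d err=%v\n", host, status, err)
	}
}
```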
Welcome!
What did you do?
I was trying to deploy an application which needs the `CONNECT` HTTP request method to work, using Traefik as its TLS layer and reverse proxy. The application exposes h2c on port 8080, and I was using this IngressRoute:
What did you see instead?
`PUT` or `GET` the server, I'll see that the traffic has been redirected to the application I deployed, and the application reported a bug since it requires `CONNECT` to work.
Log from Traefik:
Log from the application:
`CONNECT` the server, I'll see that the traffic has been dropped to nowhere.
Log from Traefik:
No log from the application.
``Method(`CONNECT`)`` to the `match` section following the suggestion from here, `PUT` or `GET` will get 405 but `CONNECT` still got dropped.
Rule:
Log from Traefik:
What version of Traefik are you using?
What is your environment & configuration?
Traefik helm chart with default values on k3s v1.26.1+k3s1 using cilium and metallb.
If applicable, please paste the log output in DEBUG level
See above.