Description
Welcome!
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What did you do?
For a while Traefik could not route TCP (w/ TLS) requests for MySQL, as both the client and server did not support SNI. The only option was to use a wildcard router (HostSNI(`*`)), which works fine until you need to enable TLS to host multiple MySQL instances using the same entrypoint on Traefik.
This has since been addressed by MySQL, and SNI support has been added as of version 8.1.0 (2023/07).
What did you see instead?
Enabling TLS on the router somehow confuses the mysql client (and also anything relying on the mysql library), which ends up hanging, waiting for a specific packet (?).
Example (see docker-compose.yml provided) with TLS enabled on the router, tested with passthrough on, and off:
docker run --rm -it --network host mysql:8.3.0 mysql -u root -h 127.0.0.1 --port 3306 --ssl-mode=REQUIRED
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0

We can confirm Traefik routes the traffic to the right container using ncat, implying that this may just be a protocol issue between the mysql client and Traefik (I'm nowhere near qualified enough in either mysql or Traefik to say for sure):
➜ traefik-l4 ncat --ssl 127.0.0.1 3306 -v
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Subject: CN=TRAEFIK DEFAULT CERT
Ncat: Issuer: CN=TRAEFIK DEFAULT CERT
Ncat: SHA-1 fingerprint: 0E49 C6BF 4852 D091 EDB7 2B6F E29A 42EC 64C5 795E
Ncat: Certificate verification failed (self-signed certificate).
Ncat: SSL connection to 127.0.0.1:3306.
Ncat: SHA-1 fingerprint: 0E49 C6BF 4852 D091 EDB7 2B6F E29A 42EC 64C5 795E
I
8.3.0 :;
:I�����O
7M89Me Bcaching_sha2_password

And with TLS disabled on the router, it works fine:
docker run --rm -it --network host mysql:8.3.0 mysql -h 127.0.0.1 --port 3306 --ssl-mode=REQUIRED -u root
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
...

Maybe this is a misunderstanding on my part, and there is additional configuration required. But I guess there may be some work needed on Traefik to improve compatibility with MySQL, as there was a similar PR done for PostgreSQL, and I would be happy to help diagnose / open a PR if that's the case.
A community forum discussion exists for this issue with people experiencing the same behaviour: https://community.traefik.io/t/multiple-mysql-communication-through-tcp-with-tls-based-on-sni/18936
What version of Traefik are you using?
Version: 3.0.0-rc1
Codename: cheddar
Go version: go1.22.0
Built: 2024-02-13T13:41:20Z
OS/Arch: linux/amd64
What is your environment & configuration?
Minimal reproduction example:
version: '2.1'
services:
  traefik:
    image: "traefik:v3.0.0-rc1"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.mysql.address=:3306"
    ports:
      - "3306:3306"
      - "8089:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  db:
    image: 'mysql:8.3.0'
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.db.rule=HostSNI(`*`)"
      - "traefik.tcp.services.db.loadbalancer.server.port=3306"
      - "traefik.tcp.routers.db.entrypoints=mysql"
      - "traefik.tcp.routers.db.tls=true"
    environment:
      - MYSQL_ROOT_PASSWORD=magento2
      - MYSQL_DATABASE=magento2
      - MYSQL_USER=magento2
      - MYSQL_PASSWORD=magento2

(Obviously, to get SNI routing working, this docker would run "behind" a domain name, with proper certificates etc.; this is only meant to show that enabling TLS on a TCP router doesn't work with MySQL.)
If applicable, please paste the log output in DEBUG level
No response
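As an added diagnostic (not code from the issue or from Traefik), the following Python decodes the MySQL server greeting whose raw bytes show up in the ncat output above, and probes whether an endpoint sends that greeting without the client sending anything first. The sample packet is constructed, not captured from the reporter's environment.

```python
# Added diagnostic, not code from the issue or from Traefik. MySQL is a
# server-speaks-first protocol: the client reads the HandshakeV10 greeting,
# then sends an SSLRequest to upgrade to TLS, so a proxy that waits for a TLS
# ClientHello before forwarding anything leaves both sides blocked.
import socket
import struct

CLIENT_SSL, CLIENT_SECURE_CONNECTION, CLIENT_PLUGIN_AUTH = 0x0800, 0x8000, 0x80000


def parse_handshake_v10(packet: bytes) -> dict:
    """Decode the 4-byte packet header plus HandshakeV10 payload a server sends."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or payload[0] != 0x0A:
        raise ValueError("not a complete HandshakeV10 packet")
    end = payload.index(b"\x00", 1)
    version, pos = payload[1:end].decode(), end + 1
    (thread_id,) = struct.unpack_from("<I", payload, pos)
    salt = payload[pos + 4:pos + 12]                # 8-byte scramble, then 1 filler
    cap_lo, _charset, _status, cap_hi = struct.unpack_from("<HBHH", payload, pos + 13)
    caps = cap_lo | (cap_hi << 16)
    auth_len, pos = payload[pos + 20], pos + 31     # length byte, then 10 reserved
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, auth_len - 8)
        salt += payload[pos:pos + n].rstrip(b"\x00")
        pos += n
    plugin = payload[pos:payload.index(b"\x00", pos)].decode() if caps & CLIENT_PLUGIN_AUTH else ""
    return {"server_version": version, "thread_id": thread_id, "capabilities": caps,
            "tls_offered": bool(caps & CLIENT_SSL), "auth_plugin": plugin, "salt_len": len(salt)}

def build_sample_greeting() -> bytes:
    """Constructed greeting resembling a MySQL 8.3.0 server's; values are illustrative."""
    caps = CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH | 0x0001
    payload = (b"\x0a" + b"8.3.0\x00" + struct.pack("<I", 9) + b"ABCDEFGH\x00"
               + struct.pack("<HBHH", caps & 0xFFFF, 0xFF, 0x0002, caps >> 16)
               + bytes([21]) + b"\x00" * 10 + b"IJKLMNOPQRST\x00"
               + b"caching_sha2_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def greeting_arrives_unprompted(host: str, port: int, timeout: float = 3.0) -> bool:
    """Connect and send nothing. A MySQL server, or a proxy passing bytes through,
    delivers the greeting by itself; an endpoint that first waits for a ClientHello
    stays silent until the timeout, which is the hang this issue describes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return len(sock.recv(4)) == 4
        except socket.timeout:
            return False
```

Running `greeting_arrives_unprompted("127.0.0.1", 3306)` against the compose setup above with `tls=true` is expected to return False, while with TLS disabled on the router it returns True and the greeting can be passed to `parse_handshake_v10`.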