stackoom
  简体   繁体   中英

what is the disadvantage using hostSNI(*) in traefik TCP route mapping

 原文  2020-09-12 05:21:55       kubernetes/ traefik/ traefik-ingress

Question

Now I am using HostSNI( * ) to mapping the TCP service like mysql\\postgresql... in traefik 2.2.1 in Kubernetes cluster v1.18 . beacuse I am in my local machine and did not have a valid certification. This is the config:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
    name: mysql-ingress-tcp-route
    namespace: middleware
spec:
    entryPoints:
        - mysql
    routes:
        - match: HostSNI(`*`)
          services:
            - name: report-mysqlha
                port: 3306

is config works fine in my local machine. But I still want to know the side effect to using HostSNI( ) mapping stratege. What is the disadvantege to using HostSNI( ) not a domain name? Is it possible to using a fake domain name in my local machine?

2 answers

solution1
 1 ACCPTED  2021-03-23 22:55:45

As of the latest Traefik docs ( 2.4 at this time ):

If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers

It is important to note that the Server Name Indication is an extension of the TLS protocol. Hence, only TLS routers will be able to specify a domain name with that rule. However, non-TLS routers will have to explicitly use that rule with * (every domain) to state that every non-TLS request will be handled by the router.

Therefore, to answer your questions:

  • Using HostSNI(`*`) is the only reasonable way to use an ingressRouteTCP without tls -- since you're explicitly asking for a TCP router and TCP doesn't speak TLS.
    • I've had mixed success with ingressRouteTCP and HostSNI(`some.fqdn.here`) with a tls: section, but it does appear to be a supported configuration as per 2
  • One possible "disadvantage" to this (airquotes because it's subjective) is: This configuration means that any traffic that routes to your entrypoint (ie mysql ) will be routed via this ingressRouteTCP
    • Consider: if for some reason you had another ingressRoute with the same entrypoint , the ingressRouteTCP would take precedence as per 1
    • Consider: if, for example you wanted to route multiple different mysql services via the same entrypoint: mysql , you wouldn't be able to based on this configuration

solution2
 0  2021-12-09 13:57:50

For those needing an example of TCP with TLS passthrough and SNI routing

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test-https
  namespace: mynamespace
spec:
  entryPoints:
  - websecure
  routes:
  - kind: Rule
    match: HostSNI(`my.domain.com`)
    services:
    - name: myservice
      port: 443
  tls:
    passthrough: true

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Traefik Route Prefix traefik ingress not forwarding tcp messages Assign EntryPoint to a TCP Router in Traefik Traefik 2.0 IPWhitelist for TCP - Kubernetes CRD Disadvantage of using emptyDir medium = memory Using traefik as a DaemonSet or as a Deployment? Route traffic to a service in a different namespace with Traefik and Kubernetes mTLS (clientAuth) per Kubernetes Traefik Ingress Route How to create a tcp service in traefik 2.2.1 Mirror traffic using Traefik 2
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM