Use SNI while creating a tunnel to a service

I have a problem that might be pretty specific, but here goes. I am running cloudflared inside a home Kubernetes cluster, and it has Traefik as an ingress controller that I want to keep using. My plan was to connect the tunnel to the Traefik service so that it can handle which application the request goes to. The config was like:

    tunnel: 22660b4c-f167-stuff
    credentials-file: /home/cf-secret/credentials.json
    warp-routing:
      enabled: true
    ingress:
      - service: https://192.168.*.*

Problem is, my ingresses in Traefik are all protected by TLS using Let’s Encrypt certificates. When I create tunnels to the Traefik port, all of them fail due to certificate issues. This is more visible if I curl the Traefik endpoint with my domain as the Host header:

    curl -H "Host: my.domain.com" https://192.168.*.*/

After much debugging, I found this issue, github.com/traefik/traefik/issues/7313, which is pretty much the same as my issue and mentions how Traefik is unable to determine the server for the request from the Host header, as the TLS negotiation happens in the transport layer. This seems to hold true, since using curl with --resolve works:

    curl --resolve my.domain.com:443:192.168.*.* https://my.domain.com

I have tried adding ingress.hostname in my config, but to no avail. What can I do so that my Traefik server understands which virtual server my request is intended for when coming via the tunnel?

So, after debugging cloudflared, I found the solution. I just needed to add

    originRequest:
      originServerName: my.domain.com

to my ingress definition.
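The mechanism behind the fix: with a bare-IP `https://` origin and no `originServerName`, cloudflared sends no SNI (an IP literal cannot be used as SNI) and verifies the origin certificate against the IP, so Traefik serves its default certificate and the handshake fails. `originServerName` sets both the SNI cloudflared sends and the name it verifies the certificate against. The script below is an added example, not code from the thread or from cloudflared: it lints an ingress config for exactly this mistake (and for the tempting but unsafe `noTLSVerify` workaround, which disables origin certificate validation entirely), and it probes an origin with and without SNI the way cloudflared would. The configs, hostnames and the 192.0.2.10 address are constructed placeholders; only the Python standard library is used, so the config is expressed as a dict rather than parsed from YAML.

```python
"""Lint a cloudflared ingress config for the missing-SNI mistake, and probe an
origin with and without SNI to see which certificate it presents."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed configs (placeholders, not the poster's file): the rule as it was
# first written, and the corrected rule with originServerName.
BROKEN_CONFIG = {
    "tunnel": "example-tunnel",
    "ingress": [
        {"service": "https://192.0.2.10"},
    ],
}

FIXED_CONFIG = {
    "tunnel": "example-tunnel",
    "ingress": [
        {
            "hostname": "my.domain.example",
            "service": "https://192.0.2.10",
            "originRequest": {"originServerName": "my.domain.example"},
        },
        {"service": "http_status:404"},  # cloudflared requires a catch-all rule last
    ],
}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_ingress(config: dict) -> list:
    """Return one finding per problem: an https origin addressed by IP with no
    originServerName (no SNI, hostname mismatch at the origin), or
    originRequest.noTLSVerify (origin certificate checks switched off)."""
    findings = []
    for i, rule in enumerate(config.get("ingress", [])):
        parts = urlsplit(rule.get("service", ""))
        if parts.scheme != "https":
            continue  # http/tcp/http_status rules do no TLS to the origin
        origin_req = rule.get("originRequest") or {}
        if origin_req.get("noTLSVerify"):
            findings.append(f"rule {i}: noTLSVerify disables origin certificate "
                            f"validation; use originServerName (and caPool for a "
                            f"private CA) instead")
        if _is_ip_literal(parts.hostname or "") and not origin_req.get("originServerName"):
            findings.append(f"rule {i}: https origin {parts.hostname} has no "
                            f"originServerName; cloudflared will send no SNI and "
                            f"verify the certificate against the IP, which fails")
    return findings


def probe_origin(ip: str, port: int = 443, server_name=None, timeout: float = 5.0) -> dict:
    """Connect to an origin and report the certificate it presents.

    server_name=None sends no SNI (what cloudflared does for a bare-IP origin
    without originServerName); a hostname sends SNI and checks the certificate's
    names against it (what originServerName makes cloudflared do). The chain
    must still verify against the system CA store, so a self-signed Traefik
    default certificate shows up as a verification error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = server_name is not None
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:
            return {"sni": server_name, "ok": False, "error": exc.verify_message}
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"sni": server_name, "ok": True, "names": dns_names}


if __name__ == "__main__":
    for finding in lint_ingress(BROKEN_CONFIG):
        print("broken config:", finding)
    print("fixed config findings:", lint_ingress(FIXED_CONFIG))
    # Against a real origin (network needed), compare the two handshakes:
    # print(probe_origin("192.0.2.10"))                                 # no SNI
    # print(probe_origin("192.0.2.10", server_name="my.domain.example"))  # SNI set
```

Running the two `probe_origin` calls against a Traefik origin that fronts a Let's Encrypt certificate reproduces the thread's symptom: the no-SNI probe either fails verification (Traefik's default certificate) or returns names that do not include the site, while the probe with SNI returns the expected DNS names. The lint flags `noTLSVerify` deliberately: it makes the error go away but leaves cloudflared accepting any certificate from anything answering on that IP.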
