djsumdog

Reputation: 2710

Forwarding TCP traffic from Traefik to a Docker container

I currently have a Traefik instance that's being run using the following. It works fine forwarding HTTP connections to the appropriate backends.

  services_lb:
    image: traefik:v2.2
    cmd: |
      --entrypoints.web.address=:80
      --entrypoints.websecure.address=:443
      --entrypoints.web.http.redirections.entryPoint.to=websecure
      --entrypoints.web.http.redirections.entryPoint.scheme=https
      --entrypoints.web.http.redirections.entrypoint.permanent=true
      --entrypoints.matrixfederation.address=:8448
      --entrypoints.prosodyc2s.address=:5222
      --entrypoints.prosodys2s.address=:5269
      --providers.docker
      --providers.docker.constraints=Label(`lb.net`,`services`)
      --providers.docker.network=am-services
      [email protected]
      --certificatesresolvers.lec.acme.storage=/letsencrypt/acme.json
      --certificatesresolvers.lec.acme.tlschallenge=true
      --entryPoints.web.forwardedHeaders.trustedIPs=172.50.0.1/24
    ports:
      - 80
      - 443
      # Matrix
      - 8448
      # XMPP
      - 5222
      - 5269

My web and Matrix federation connections work fine as they're all HTTP. But for Prosody (XMPP) I need to forward 5222 and 5269 directly without any HTTP routing. I configured the container like so:

  xmpp:
    image: prosody/prosody:0.11
    network:
      - services
      - database
    labels:
      lb.net: services
      traefik.tcp.services.prosodyc2s.loadbalancer.server.port: "5222"
      traefik.tcp.services.prosodys2s.loadbalancer.server.port: "5269"
      traefik.http.routers.am-app-xmpp.entrypoints: "websecure"
      traefik.http.routers.am-app-xmpp.rule: "Host(`xmpp.example.com`)"
      traefik.http.routers.am-app-xmpp.tls.certresolver: "lec"
      traefik.http.services.am-app-xmpp.loadbalancer.server.port: "5280"
    volumes:
      - prosody-config:/etc/prosody:rw
      - services_certs:/certs:ro
      - prosody-logs:/var/log/prosody:rw
      - prosody-modules:/usr/lib/prosody-modules:rw

With the tcp services, I still can't get Traefik to forward the raw TCP connections to this container. I've tried removing the --entrypoints from the Traefik instance and of course, Traefik stopped listening on those ports. I assumed the traefik.tcp.service definition would cause that entrypoint to switch to a TCP passthrough mode, but that isn't the case. I couldn't see anything in the Traefik documentation on putting the entrypoint itself into TCP mode instead of HTTP mode.

How do I pass the raw TCP connection from Traefik to this particular container using labels on the container and CLI options for Traefik?

Upvotes: 1

Views: 5447

Answers (1)

djsumdog

Reputation: 2710

I figured it out. You can't use any standard Traefik TLS offloading due to the differences in how Traefik and Prosody handle TLS. I had to disable TLS entirely and use the special HostSNI(*) rule below to allow straight pass-throughs. I was also missing the routers that connect the Traefik entrypoints to the TCP services.

        labels:
          lb.net: services
          # client to server
          traefik.tcp.routers.prosodyc2s.entrypoints: prosodyc2s
          traefik.tcp.routers.prosodyc2s.rule: HostSNI(`*`)
          traefik.tcp.routers.prosodyc2s.tls: "false"
          traefik.tcp.services.prosodyc2s.loadbalancer.server.port: "5222"
          traefik.tcp.routers.prosodyc2s.service: prosodyc2s
          # server to server
          traefik.tcp.routers.prosodys2s.entrypoints: prosodys2s
          traefik.tcp.routers.prosodys2s.rule: HostSNI(`*`)
          traefik.tcp.routers.prosodys2s.tls: "false"
          traefik.tcp.services.prosodys2s.loadbalancer.server.port: "5269"
          traefik.tcp.routers.prosodys2s.service: prosodys2s
          # web
          traefik.http.routers.am-app-xmpp.entrypoints: "websecure"
          traefik.http.routers.am-app-xmpp.rule: "Host(`xmpp.example.com`)"
          traefik.http.routers.am-app-xmpp.tls.certresolver: "lec"
          traefik.http.services.am-app-xmpp.loadbalancer.server.port: "5280"

Upvotes: 2
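
A label check for the situation in this thread, added here as an example that is not part of the original post or of Traefik itself: it reports `traefik.tcp.services.*` entries that no TCP router references (the question's configuration), non-TLS TCP routers whose rule is not HostSNI(`*`), and routers bound to entrypoints missing from the static flags. The function name, messages and sample dictionaries are constructed for illustration, and only explicit `.service` bindings are counted.

```python
import re

def lint_tcp_labels(labels, static_flags):
    """Return sorted findings for the traefik.tcp.* labels of one container."""
    declared = set()
    for flag in static_flags:
        m = re.match(r"--entrypoints\.([^.=]+)\.address=", flag, re.I)
        if m:
            declared.add(m.group(1).lower())
    routers, services = {}, set()
    for key, value in labels.items():
        parts = key.lower().split(".")
        if parts[:3] == ["traefik", "tcp", "routers"] and len(parts) > 4:
            routers.setdefault(parts[3], {})[".".join(parts[4:])] = str(value)
        elif parts[:3] == ["traefik", "tcp", "services"] and len(parts) > 4:
            services.add(parts[3])
    findings = []
    # Assumption of this example: a service counts as bound only when a router names it.
    bound = {r.get("service", "").lower() for r in routers.values()}
    for svc in services - bound:
        findings.append(f"service {svc}: no TCP router points at it, nothing is forwarded")
    for name, opts in routers.items():
        tls_on = any(k.split(".")[0] == "tls" and v.lower() != "false"
                     for k, v in opts.items())
        rule = opts.get("rule", "").replace(" ", "")
        if not rule:
            findings.append(f"router {name}: no rule")
        elif not tls_on and rule != "HostSNI(`*`)":
            findings.append(f"router {name}: without TLS the rule must be HostSNI(`*`)")
        for ep in filter(None, (e.strip().lower() for e in opts.get("entrypoints", "").split(","))):
            if ep not in declared:
                findings.append(f"router {name}: entrypoint {ep} is not declared")
    return sorted(findings)

# Constructed sample data in the shape of the question's and the answer's configuration.
FLAGS = ["--entrypoints.websecure.address=:443",
         "--entrypoints.prosodyc2s.address=:5222",
         "--entrypoints.prosodys2s.address=:5269"]
QUESTION = {"traefik.tcp.services.prosodyc2s.loadbalancer.server.port": "5222",
            "traefik.tcp.services.prosodys2s.loadbalancer.server.port": "5269"}
ANSWER = dict(QUESTION)
for r in ("prosodyc2s", "prosodys2s"):
    ANSWER.update({f"traefik.tcp.routers.{r}.entrypoints": r,
                   f"traefik.tcp.routers.{r}.rule": "HostSNI(`*`)",
                   f"traefik.tcp.routers.{r}.tls": "false",
                   f"traefik.tcp.routers.{r}.service": r})

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("answer", ANSWER)):
        print(label, lint_tcp_labels(cfg, FLAGS) or "ok")
```

With `tls` set to "false" Traefik forwards the bytes untouched, so the encryption on ports 5222 and 5269 is whatever Prosody negotiates itself; its own certificate and TLS settings are the ones to keep in order.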
