2. Programming Q&A
  3. kubernetes - Traefik TCP Router for RDP, using TLS SNI for routing - Stack Overflow

kubernetes - Traefik TCP Router for RDP, using TLS SNI for routing - Stack Overflow

admin2025-04-17  2

Here's my setup:

  1. I have several namespaces, and some of these contain pods that expose RDP ports.
  2. Port 3389 is block by a firewall, so I have to use another port that maps to port 3389 on the pod.

Since this is a TCP connection, I tried:

---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rdp-ingress
  namespace: ns1
spec:
  entryPoints:
    - metrics
  routes:
    - match: HostSNI(`ns1.example.domain`)
      services:
        - name: windows
          port: 3389
  tls:
    secretName: tls-cert

However, it seems that this terminates the TLS connection, so instead, I would need a pass through:

tls:
  passthrough: true

So, I configured Windows to use that certificate (no wildcards) for RDP connection, which works (I setup a load balance service to test out RDP, but that requires a separate IP which I need to avoid.)

That didn't work either.

This post seems to suggest that I need to use a certresolver, but I don't have any of that setup.

I'm wondering if there is a way to configure Traefik such that:

  1. It accepts a TCP connection against ns1.example.domain:9100
  2. Use a certificate that already exists which contains san:DNS=ns1.example.domain
  3. Connect to the pod on port 3389, also using TLS.

I think that the RDP certificates are a little different? I'm also not sure if that affects SNI. I'm also not sure how a passthrough could work:

  1. Traefik needs to know how to direct the incoming TCP connection and does this by looking at the SNI which is contained in the certificate.
  2. TLS hasn't yet been established, nor does Traefik have access to the certificate since that's on the pod. So, how would Traefik know to direct the connection to my pod in the first place?

Even if there was a certresolver, I don't understand how that would enable SNI.

In other words, I don't understand how TLS handshake could work in this setup; in my mind, the certificate is required in order to access the SNI. Before the TLS handshake can happen, the TCP connection first needs to be in place, so it feels like a catch 22 if I want Traefik to handle this routing.

Is there a way to setup this up in Traefik? :)

转载请注明原文地址:http://anycun.com/QandA/1744858401a88613.html

kubernetesTraefik TCP Router for RDP

using TLS SNI for routingStack Overflow