
kubernetes - Traefik TCP Router for RDP, using TLS SNI for routing - Stack Overflow


Here's my setup:

  1. I have several namespaces, and some of these contain pods that expose RDP ports.
  2. Port 3389 is blocked by a firewall, so I have to use another port that maps to port 3389 on the pod.

Since this is a TCP connection, I tried:

---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rdp-ingress
  namespace: ns1
spec:
  entryPoints:
    - metrics
  routes:
    - match: HostSNI(`ns1.example.domain`)
      services:
        - name: windows
          port: 3389
  tls:
    secretName: tls-cert

However, it seems that this terminates the TLS connection, so instead, I would need a pass through:

tls:
  passthrough: true

So, I configured Windows to use that certificate (no wildcards) for RDP connections, which works (I set up a load balancer service to test out RDP, but that requires a separate IP which I need to avoid.)

That didn't work either.

This post seems to suggest that I need to use a certresolver, but I don't have any of that setup.

I'm wondering if there is a way to configure Traefik such that:

  1. It accepts a TCP connection against ns1.example.domain:9100
  2. Use a certificate that already exists which contains san:DNS=ns1.example.domain
  3. Connect to the pod on port 3389, also using TLS.

I think that the RDP certificates are a little different? I'm also not sure if that affects SNI. I'm also not sure how a passthrough could work:

  1. Traefik needs to know how to direct the incoming TCP connection and does this by looking at the SNI which is contained in the certificate.
  2. TLS hasn't yet been established, nor does Traefik have access to the certificate since that's on the pod. So, how would Traefik know to direct the connection to my pod in the first place?

Even if there was a certresolver, I don't understand how that would enable SNI.

In other words, I don't understand how TLS handshake could work in this setup; in my mind, the certificate is required in order to access the SNI. Before the TLS handshake can happen, the TCP connection first needs to be in place, so it feels like a catch 22 if I want Traefik to handle this routing.

Is there a way to set this up in Traefik? :)
