I have a working k8s cluster with Traefik v3 installed. I’m using Traefik’s IngressRoute to access my service, and it works if I set up a local DNS.
When trying to access it from outside of my LAN, with a DNS query from Cloudflare, it just hangs.
I can access other services from outside my LAN, but these services aren’t behind a Traefik proxy, and I connect directly to their IP.
I’m using ACME in pfSense to get certificates, and use SSL offloading to get unencrypted traffic inside my LAN.
I suspect that the Host header with the domain name isn’t sent to the Traefik proxy, and that’s why Traefik won’t connect me to the service in the k8s cluster.
So what I’m asking is: Does the incoming Host header to the HAP-frontend get passed to the backend, and in my case the Traefik proxy?
Regards
/peterweissdk
I have tried to set the Host header with:
http-request set-header Host fqdn
But that did not work…!
The explanation is a little incomplete.
So you are using Cloudflare, which points to your pfSense instance. On this pfSense firewall, you installed HAProxy, which handles the traffic that comes from the Internet including Cloudflare, and then HAProxy reverse proxies the traffic to Traefik for routing towards your K8S services.
Is that an accurate description of setup?
Now what you are saying is traffic through haproxy works generally, only the traffic towards traefik/k8s hangs?
Is that accurate?
Yes, haproxy will maintain the host header, unless you specifically instruct haproxy to overwrite it.
This will probably require looking at haproxy and traefik configs as well as logs.
I have tried to draw it in a flowchart-kind-of-way.
This is what’s not working, but the solution I want.
This works: If I resolve the DNS locally, and bypass pfSense and HAP, no problem.
…and this works: If the HAP-backend points to an internal IP, it works.
So Traefik filters domain names from the Host header, and matches them with the services defined in the Traefik IngressRoute. If I do that by querying the DNS locally, I can get the service, so the Traefik setup is OK… I think!
Also, I can reach the service if the service has a local IP assigned from the k8s load balancer (in my case MetalLB). So HAProxy works when routing to a static IP.
It’s when Traefik in k8s gets the domain name from the HAP-backend that it fails…, or in my case hangs.
I would suggest you capture the HTTP traffic between HAProxy and Traefik. It’s unencrypted, so you will see exactly what happens.
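A complementary check to the capture suggested above, as an added example that is not part of the original posts: a throwaway plain-HTTP listener that an HAProxy backend can be pointed at temporarily, which echoes back the Host and X-Forwarded-* headers it received. The hostname `app.example.test` and port 8080 are constructed placeholders, and the case-insensitive, port-stripped comparison is an assumption of this sketch.

```python
"""Temporary debug backend: reports the headers a reverse proxy forwards."""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers worth checking on the proxy -> backend leg.
INTERESTING = ("Host", "X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host")


def strip_port(host):
    """Drop an optional :port, leaving IPv6 literals such as [::1] intact."""
    if host.startswith("["):
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0]


def describe_request(request_line, headers, expected_host):
    """Summarise what arrived and whether Host equals the expected FQDN."""
    host = headers.get("Host") or ""
    return {
        "request_line": request_line,
        "seen": {name: headers.get(name) for name in INTERESTING},
        "host_matches": strip_port(host).lower() == expected_host.lower(),
    }


class EchoHandler(BaseHTTPRequestHandler):
    expected_host = "app.example.test"  # constructed placeholder FQDN

    def do_GET(self):
        report = describe_request(self.requestline, self.headers, self.expected_host)
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main(argv):
    # usage: script.py [port] [expected-fqdn]; stop it once the check is done
    port = int(argv[1]) if len(argv) > 1 else 8080
    if len(argv) > 2:
        EchoHandler.expected_host = argv[2]
    HTTPServer(("0.0.0.0", port), EchoHandler).serve_forever()


if __name__ == "__main__":
    main(sys.argv)
```

If the JSON returned through the proxy shows the expected FQDN in `Host`, the header is being forwarded and the cause lies elsewhere in the chain.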
Of course…, this was not a HAProxy problem at all, and the Host header is passed through pfSense and HAProxy just fine.
The problem was a certificate issue that I fixed, and I can now reach my backend services with HTTPS from outside my network.
Thank you for your time
/peterweissdk
1 Like