How can I convert the rules below to Traefik 2.0?
I'm doing DNS-over-TLS / HTTPS on port 443.
# HAProxy 2.0 conf
# :443 front end: wait for a TLS ClientHello, then pick a backend by SNI (no termination here)
frontend front_end_doh_dot_443
    mode tcp
    bind 0.0.0.0:443
    bind :::443
    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 1s
    tcp-request content accept if tls
    use_backend dot-uncensor if { req_ssl_sni -i dot-jp.blahdns.com }
    use_backend doh-front if { req_ssl_sni -i doh-jp.blahdns.com }
    default_backend dot-uncensor

# DNS-over-TLS: terminate TLS here and hand the plain DNS stream to the DNS servers
# (backend dot-servers-uncensor is not included in this post)
frontend dot-in-uncensor
    mode tcp
    bind 127.150.150.150:15000 ssl crt /etc/haproxy/dot-jp.blahdns.pem
    default_backend dot-servers-uncensor

# DNS-over-HTTPS: terminate TLS here (HTTP/2 via ALPN); only /dns-query gets a backend,
# any other path has no default_backend and is refused
frontend doh-in
    mode http
    bind 127.250.250.250:25000 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
    acl adblock_url path_beg -i /dns-query
    use_backend doh-servers-uncensor if adblock_url

# Loop back from the :443 front end into the two TLS-terminating front ends above
backend dot-uncensor
    mode tcp
    server dot-uncensor-haproxy-ssl 127.150.150.150:15000 check

backend doh-front
    mode tcp
    server doh-haproxy-ssl 127.250.250.250:25000 check

backend doh-servers-uncensor
    mode http
    http-response del-header server
    http-response del-header x-powered-by
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
    server doh-proxy-uncensor 127.0.0.1:3000
Thanks
Hi @broenccc, as we might not be HAProxy specialists, could you explain the intent of the rules you provided?
By describing the rules in human language instead of tool-specific syntax, we might be able to help you better.
To get started:
You have an example for MongoDB doing the same kind of SNI-based routing, that you can find here: https://github.com/containous/slides/tree/master/demo/traefik-v2/mongo/04-tcp-and-http-routing-mongo.
Both are TCP on port 443.
I have 2 scenarios:
- DNS-over-TLS -> tls://dot-jp.blahdns.com, will terminate the TLS, then it will send the query to the backend DNS server 127.0.0.1 @5353
- DNS-over-HTTPS -> https://doh-jp.blahdns.com/dns-query, will pass your JSON data to the upstream server 127.0.0.1 @3000
I want to use SNI to figure out which backend server the request needs to be passed to. In the DNS-over-HTTPS use case, a client request with a path other than /dns-query will be dropped by default. DNS-over-TLS will force SNI too.
A good start:
# Static configuration (traefik.toml): the file provider points at the dynamic config below
[providers]
  [providers.file]
    filename = "./dyn-config.toml"

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.web-secure]
    address = ":443"

# Dynamic configuration (./dyn-config.toml)
[http.routers]
  [http.routers.dns-over-https]
    entryPoints = ["web-secure"]
    rule = "Host(`doh-jp.blahdns.com`)"
    service = "dns-over-https-svc"
    # terminate TLS in Traefik; the certificate is chosen from [[tls.certificates]] by SNI
    [http.routers.dns-over-https.tls]

[http.services]
  [http.services.dns-over-https-svc.loadBalancer]
    [[http.services.dns-over-https-svc.loadBalancer.servers]]
      # DoH upstream from the description above, reached over plain HTTP
      url = "http://127.0.0.1:3000"

[tcp.routers]
  [tcp.routers.dns-over-tcp]
    entryPoints = ["web-secure"]
    rule = "HostSNI(`dot-jp.blahdns.com`)"
    service = "dns-over-tcp-svc"
    # terminate TLS here too; the decrypted DNS-over-TCP stream goes to the service
    [tcp.routers.dns-over-tcp.tls]

[tcp.services]
  [tcp.services.dns-over-tcp-svc.loadBalancer]
    [[tcp.services.dns-over-tcp-svc.loadBalancer.servers]]
      # DoT upstream (plain DNS over TCP) from the description above
      address = "127.0.0.1:5353"

[[tls.certificates]]
  certFile = "/etc/haproxy/dot-jp.blahdns.cert"
  keyFile = "/etc/haproxy/dot-jp.blahdns.key"
(you can also use YAML if you prefer, please check the doc: https://docs.traefik.io/v2.0/routing/entrypoints/ for this).
I got this error
ERRO[2019-08-01T05:37:35Z] the service "dns-over-https-svc@file" does not exist entryPointName=web-secure routerName=dns-over-https@file
Hi,
Problem solved and everything works perfectly. Thanks for your help.
Working conf: https://github.com/ookangzheng/blahdns/tree/master/server-conf/dot-ch/traefik-backup
Best
Edoo
Oh sorry for the typo, I put the https service under [tcp.services]. But I see that you figured it out.
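As an added example (not part of the thread and not the working configuration linked above), here is a dynamic configuration that carries over the HAProxy rules the thread's starting config leaves out: the DoH router is restricted to /dns-query, a headers middleware deletes Server and X-Powered-By and sets the same HSTS policy, both routers are pinned to the :443 entry point, and the services point at the two upstreams described above (127.0.0.1:3000 for DoH, 127.0.0.1:5353 for DoT). The entry point name web-secure, the router/service/middleware names and the /etc/traefik paths are assumptions for this example.

```toml
# dyn-config.toml, loaded by the file provider of the static config.
# Assumed for this example: entry point "web-secure" bound to :443, paths under /etc/traefik.
[http]
  [http.routers]
    [http.routers.doh]
      entryPoints = ["web-secure"]
      # Host replaces req_ssl_sni, Path replaces the path_beg acl: any other path on this
      # host matches no router and is answered by Traefik itself instead of a backend
      rule = "Host(`doh-jp.blahdns.com`) && Path(`/dns-query`)"
      service = "doh-upstream"
      middlewares = ["doh-headers"]
      # terminate TLS here; Traefik negotiates h2 and http/1.1 by default, no alpn line needed
      [http.routers.doh.tls]

  [http.middlewares]
    # equivalent of the three http-response lines in backend doh-servers-uncensor
    [http.middlewares.doh-headers.headers]
      stsSeconds = 63072000
      stsIncludeSubdomains = true
      stsPreload = true
      [http.middlewares.doh-headers.headers.customResponseHeaders]
        # an empty value removes the header from the response
        Server = ""
        X-Powered-By = ""

  [http.services]
    [http.services.doh-upstream.loadBalancer]
      [[http.services.doh-upstream.loadBalancer.servers]]
        url = "http://127.0.0.1:3000"

[tcp]
  [tcp.routers]
    [tcp.routers.dot]
      entryPoints = ["web-secure"]
      rule = "HostSNI(`dot-jp.blahdns.com`)"
      service = "dot-upstream"
      # TLS is terminated here; the service receives plain DNS-over-TCP
      [tcp.routers.dot.tls]

  [tcp.services]
    [tcp.services.dot-upstream.loadBalancer]
      [[tcp.services.dot-upstream.loadBalancer.servers]]
        address = "127.0.0.1:5353"

[tls]
  # one certificate for both names, as in the HAProxy config; the .pem is split into cert and key
  [[tls.certificates]]
    certFile = "/etc/traefik/dot-jp.blahdns.cert"
    keyFile = "/etc/traefik/dot-jp.blahdns.key"
```

One behavioural difference worth checking after the switch: the HAProxy :443 front end sends a ClientHello without SNI to default_backend dot-uncensor, whereas here a connection without SNI matches neither router and is closed by Traefik, which is the "force SNI" behaviour asked for above. To verify the routing, connect with `openssl s_client -connect host:443 -servername dot-jp.blahdns.com` and with `-servername doh-jp.blahdns.com`, and confirm that a DoH request to a path other than /dns-query no longer reaches the upstream on port 3000.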