If I connect locally (via localhost) using sftp to the sftp container via sslh (port 7443), the connection is established without problems. Even if I connect to the domain (test.example.com) via https I get example.com displayed correctly.
But when I try to connect to the sftp container via the domain using sftp (with port 443), the connection fails.
The domain is provided by Cloudflare; Cloudflare's proxy is disabled.
WinSCP is used as the SFTP client.
As SFTP does not use TLS you cannot utilise HostSNI to route on hostname.
You would have to use a non-tls TCP router traefik.tcp.routers.sshl.HostSNI(`*`)
In fact, this is the main problem: I would like to route HTTP and SFTP traffic over port 443.
Because SFTP does not support HostSNI (since it does not use TLS), I should also not be able to use a Traefik configuration like this:
Since you're wanting to route both SSH and HTTPS through the same port, you may want to consider using a proxy in front of Traefik which is capable of reading the stream to detect the SSL protocol and route based on the value detected.
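```nginx
stream {
    upstream ssh {
        server 192.0.2.1:22;
    }
    upstream traefik {
        server 192.0.2.2:443;
    }
    # $ssl_preread_protocol is empty for non-TLS streams such as SSH,
    # so those connections take the default.
    map $ssl_preread_protocol $upstream {
        default   ssh;
        "TLSv1.2" traefik;
        "TLSv1.3" traefik;  # without this entry, TLS 1.3 clients fall through to ssh
    }
    # SSH and SSL on the same port
    server {
        listen 443;
        proxy_pass $upstream;
        ssl_preread on;
    }
}
```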
I believe this would be a great feature to add to Traefik, and we're always looking for contributions.
Thanks for contributing this idea. Actually this seems to be a viable solution to the problem, thanks for the link and the example.
In the context of Traefik, this would definitely be a very useful feature.
@notsureifkevin: Is this community also storage for new feature ideas - or should I rather switch to GitHub to contribute this idea over there?
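As an added illustration (not code from any poster in this thread, and not nginx's or sslh's implementation), the sketch below models the decision a preread proxy makes on the first bytes of a connection to port 443: an SSH identification string versus a TLS ClientHello. It also shows why a map that lists only "TLSv1.2" sends TLS 1.3 clients to the SSH upstream: TLS 1.3 keeps 0x0303 in `legacy_version` and advertises 1.3 in the `supported_versions` extension. The function names and the sample ClientHello are constructed for this example.

```python
import struct

TLS_NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def preread_protocol(data: bytes) -> str:
    """Classify the first bytes of a stream: 'ssh', a TLS version name, or 'unknown'."""
    if data.startswith(b"SSH-"):               # RFC 4253 identification string
        return "ssh"
    try:
        # TLS record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
        if len(data) < 43 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
            return "unknown"
        version = struct.unpack_from("!H", data, 9)[0]      # legacy_version
        pos = 43                                            # past the 32-byte random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        if pos == len(data):                                # hello without extensions
            return TLS_NAMES.get(version, "unknown")
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(data)):
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 43:                              # supported_versions
                body = data[pos + 5:pos + 4 + ext_len]      # skip 1-byte list length
                offered = [struct.unpack_from("!H", body, i)[0]
                           for i in range(0, len(body) - 1, 2)]
                # Unknown entries (e.g. GREASE values) are ignored
                version = max((v for v in offered if v in TLS_NAMES), default=version)
            pos += 4 + ext_len
    except (IndexError, struct.error):                      # truncated or malformed hello
        return "unknown"
    return TLS_NAMES.get(version, "unknown")

def route(data: bytes, tls_entries=("TLSv1.2", "TLSv1.3")) -> str:
    """Mirror of the map block: listed TLS versions go to traefik, everything else to ssh."""
    return "traefik" if preread_protocol(data) in tls_entries else "ssh"

def build_client_hello(versions=None) -> bytes:
    """Constructed sample input: a minimal ClientHello, optionally with supported_versions."""
    ext = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HHB", 43, len(vlist) + 1, len(vlist)) + vlist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_9.6\r\n", build_client_hello([0x0304, 0x0303])):
        print(preread_protocol(sample), "->", route(sample))
```

Anything that is not a recognised TLS hello takes the default and reaches the SSH upstream, so that service sees all stray traffic arriving on port 443 and should be hardened accordingly.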