I'm running a k3s cluster (1 master + 2 workers) and a docker traefik container on the same host (master). The traefik docker container is actually doing the reverse proxy stuff for tls which is working already on ports 80 and 443 for my different subdomains. I'm trying to get ssh working (for only one subdomain) too but without success so far.
- port 22 is open through ufw allow (on Ubuntu 22.04)
- traefik rules are set as following:
tcp:
routers:
giti-ssh:
entrypoints:
- "https" # tried also with a ssh entryoint
rule: "HostSNI(`*`)"
tls: {}
service: giti-ssh
services:
giti-ssh:
loadBalancer:
servers:
- address: "10.42.0.232:22"
- k3s is running flannel and metallb where the externalIP-range is at 10.42.0.230-250
- ip a shows (the interesting parts):
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:19:ea:c3 brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet "private"/32 metric 100 scope global dynamic ens192
valid_lft 36147sec preferred_lft 36147sec
inet 10.42.0.200/32 scope global ens192
valid_lft forever preferred_lft forever
inet6 "private"/64 scope link
valid_lft forever preferred_lft forever
3: br-5014eb2ffdf2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:7e:ab:72:98 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-5014eb2ffdf2
valid_lft forever preferred_lft forever
inet6 fe80::42:7eff:feab:7298/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a5:03:77:2c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
7: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether 42:1b:d3:49:d3:6b brd ff:ff:ff:ff:ff:ff
inet 10.42.0.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::401b:d3ff:fe49:d36b/64 scope link
valid_lft forever preferred_lft forever
8: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
link/ether e2:27:27:96:96:7e brd ff:ff:ff:ff:ff:ff
inet 10.42.0.1/24 brd 10.42.0.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::e027:27ff:fe96:967e/64 scope link
valid_lft forever preferred_lft forever
- the containers are set up and the service for the one for ssh is listening on port 22 as type: LoadBalancer
- I can connect to that container through another service and IP on port 443 from the traefik reverse proxy but am missing something for port 22 and I think it has something to do with the traefik HostSNI or maybe the iptables....
- versions:
docker traefic: latest (just for testing, am going for a tagged version..)
k3s: v1.24.6+k3s1
I can't connect also through 1932/udp (minecraft), so I suppose running traefik on s.th. else then http(s) is harder....
Can s.o. give me a hint on how to achieve this.
Thanks in advance!
jim
