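---
# SNI TLS pass-through (Layer 4) to the Windows backends.
#
# Traefik does NOT terminate TLS for these — it reads the SNI from the TLS
# ClientHello and forwards the raw connection to the backend, which terminates
# TLS itself and performs its own NATIVE auth (Kerberos / NTLM / Negotiate).
# This is the whole point: it preserves Windows-Integrated auth that an
# HTTP-terminating proxy (NPM/openresty) breaks.
#
# Requirements:
# - Clients MUST send SNI (all modern Outlook / ActiveSync / Work Folders do).
# - Each backend must present a cert valid for its own hostname(s):
#     serverfile -> files.osk.team + workfolders.osk.team (LE, 9b279156…)
#     servermail -> mail.osk.team + autodiscover.osk.team (Exchange cert)
#     serverwsus -> kdcproxy.osk.team (self-signed, 02B9ADB3…)
#
# What pass-through means for review / auditing:
# - Traefik never sees plaintext: TLS version and cipher policy, certificate
#   handling and every HTTP-level middleware (headers, rate limits, auth) are
#   enforced by the backend's own TLS stack, not by anything in this file.
# - SNI is cleartext and unauthenticated — it is a routing hint only. A client
#   may name any host in SNI, so each backend must still validate the request
#   (Host header, authentication) itself.
# - The backend sees Traefik as the TCP peer, not the client, unless the
#   service is configured with proxyProtocol AND the backend understands it.
#   Expect Exchange / IIS / KDC-proxy logs to show the proxy address.
# - NOTE(review): files.osk.team is listed above for serverfile but has no
#   router in this file; presumably routed elsewhere — confirm, or add one.

tcp:
  routers:
    # Work Folders on serverfile (Windows-Integrated auth at the backend).
    workfolders:
      entryPoints: ["websecure"]
      rule: "HostSNI(`workfolders.osk.team`)"
      tls:
        passthrough: true
      service: serverfile-wf

    # Exchange 2019 (OWA / EAS / Autodiscover); one router, two SNI names.
    exchange:
      entryPoints: ["websecure"]
      rule: "HostSNI(`mail.osk.team`, `autodiscover.osk.team`)"
      tls:
        passthrough: true
      service: servermail-ex

    # KDC proxy on serverwsus. Backend cert is self-signed, so clients must
    # already trust it; keep the fingerprint in the header comment current.
    kdcproxy:
      entryPoints: ["websecure"]
      rule: "HostSNI(`kdcproxy.osk.team`)"
      tls:
        passthrough: true
      service: serverwsus-kdc

  services:
    serverfile-wf:
      loadBalancer:
        servers:
          - address: "192.168.0.11:443"  # serverfile — Work Folders
    servermail-ex:
      loadBalancer:
        servers:
          - address: "192.168.0.6:443"  # servermail — Exchange 2019
    serverwsus-kdc:
      loadBalancer:
        servers:
          - address: "192.168.0.7:443"  # serverwsus — KDC proxy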