Linkerd , traefik and opaque ports

We are using linkerd stable-2.14.8 along with Traefik ingressroutes using ingress mode.( ingress)
we had to use Traefik middleware to add l5d-dst-override header previously when on 2.13.4 version otherwise it was breaking requests.
Now we were getting “Protocol detection timeouts” even for http requests going towards port 80. so we decided to try marking port 80 as opaque.
when we did so via annotation in destination service/globally via linkerd helm chart, and restarted proxies . we started to get 502 bad gateway
It started to work again in following scenarios :

  1. Either on reverting opaque port changes.(removing port 80 from opaque port list).
  2. or removing linkerd proxy injection from traefik ingress controller pods.
  3. or removing l5d-dst-override header added via middleware.

my questions are :

  • is l5d-dst-override really required after upgrading to stable-2.14.8 and traefik controller pods injected with ingress mode ?We don’t want to use routing functionality from Linkerd but would like to get request metrics and mtls.

Documentation on website seems bit confusing to me
( Warning When an ingress is meshed in ingress mode, you must configure it to remove the l5d-dst-override header to avoid creating an open relay to cluster-local and external endpoints.
Note Linkerd versions 2.13.0 through 2.13.4 had a bug whereby the l5d-dst-override header was required in ingress mode, or the request would fail. This bug was fixed in 2.13.5, and was not present prior to 2.13.0.)

  • any hints why it broke on marking port 80 as opaque ?
  • is it normal to get “Protocol detection timeouts” even for http requests going towards port 80 ?

any suggestions/hints would be much appreciated

1 Like

I’m also getting the same error running on stable-2.14.2. It’s been a challenge trying to resolve this issue. Hopefully someone from Linkerd can shine some light on this.