MWI: tbot's `application-tunnel` service doesn't work as expected behind L7 load balancers

[timothyb89]

Expected behavior:

Application tunnels should work properly if Teleport is run behind an L7 load balancer, such as an AWS ALB.

Current behavior:

Running a plain app tunnel when Teleport is behind an L7 LB (specifically, an AWS ALB) starts as expected:

$ tsh start application-tunnel ... 

...but all requests to the the resulting application return the Teleport login page, indicating mTLS credentials were not passed back to Teleport as expected.

The bot itself is able to authenticate properly and performs necessary connection upgrades to establish a connection to the auth service. Only app tunnels don't work - though other resource proxy types may also be broken.

Bug details:

• Teleport version: tbot v18.3.2
• Recreation steps
• Debug logs

[strideynet]

Just tested against master and I don't seem to be able to reproduce - I'm using caddy to act as a L7 LB:

╰─➤  curl http://localhost:9485/
GET / HTTP/1.1
Host: 127.0.0.1:59870
Accept: */*
Accept-Encoding: gzip
Teleport-Jwt-Assertion: redacted
User-Agent: curl/8.7.1
X-Forwarded-For: 192.168.64.1
X-Forwarded-Host: localhost:9485
X-Forwarded-Port: 9485
X-Forwarded-Proto: https
X-Forwarded-Server: grus.net.stellar.haus
X-Forwarded-Ssl: on
X-Real-Ip: 192.168.64.1

TBot Logs:

2025-12-09T13:55:30.383Z DEBU [LOCALPROX] Accepted downstream connection alpnproxy/local_proxy.go:201
2025-12-09T13:55:30.383Z DEBU [LOCALPROX] checking local proxy certs alpnproxy/local_proxy.go:462
2025-12-09T13:55:30.392Z DEBU  Performing ALPN WebSocket connection upgrade. hostname:leaf.tele.ottr.sh:443 client/alpn_conn_upgrade.go:268

TBot:

  - type: application-tunnel
    listen: tcp://0.0.0.0:9485
    app_name: dumper

Caddy:

*.leaf.tele.ottr.sh leaf.tele.ottr.sh {
	tls {
		dns cloudflare redacted
	}
	reverse_proxy {
		to https://127.0.0.1:3080
		transport http {
			tls
			tls_insecure_skip_verify
			tls_server_name leaf.tele.ottr.sh
		}
	}
}