I am trying to get HAProxy to work with req_ssl_sni and SSL termination.

Guides I have followed:

https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
https://stuff-things.net/2016/11/30/haproxy-sni/

Setup: HA-Proxy version 1.6.3 on Ubuntu 16.04

The log shows the following:

http-in~ http-in/<NOSRV> -1/-1/12 0 SC 0/0/0/0/0 0/0

Configuration:

frontend http-in
    bind *:443 ssl crt /etc/haproxy/certs/
    log global
    reqadd X-Forwarded-Proto:\ https
    mode tcp 
    option tcplog
    # wait up to 5 seconds from the time the tcp socket opens
    # until the hello packet comes in (otherwise fallthru to the default)
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_site1 req_ssl_sni -i foo.foobar.com
    acl is_site2 req_ssl_sni -i foobar.com
    use_backend www-foo-foobar if is_site1
    use_backend www-foobar if is_site2

backend www-foo-foobar
    log global
    mode tcp 
    option tcplog
    redirect scheme https if !{ ssl_fc }
    server www-1 127.0.0.1:3030 check

backend www-foobar
    log global
    mode tcp 
    option tcplog
    redirect scheme https if !{ ssl_fc }
    server www-1 127.0.0.1:5000 check

What am I missing?

Can someone point me in the right direction?

1 Answer

Solved my problem with the following ACL:

acl is_site1 ssl_fc_sni foo.foobar.com
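Why the one-line change in the answer works, and what the question's config was missing: req_ssl_sni (and req.ssl_hello_type) inspect the raw bytes of a TLS ClientHello on the TCP stream, so they only match on a pass-through listener (a bind line without `ssl`). The question's bind line has `ssl crt`, so HAProxy terminates TLS itself; by the time content inspection runs, the stream is a decrypted HTTP request, the hello_type rule never fires, no use_backend matches, and the log records <NOSRV> with the SC termination flags. ssl_fc_sni instead returns the server name from the handshake HAProxy already completed on that frontend connection, which is why it matches even in mode tcp. The reqadd and redirect lines in the question were silently ignored in mode tcp, and a `!{ ssl_fc }` redirect inside a backend reached over the ssl bind is always false. The config below is an added example written for this page, not the poster's final configuration; it keeps the certificate directory, hostnames and backend ports from the question and assumes nothing else about the deployment. The :80 frontend and the explicit deny for unknown SNI values are additions for illustration.

```haproxy
# Added example: TLS-terminating frontend routed on ssl_fc_sni.
# Assumes /etc/haproxy/certs/, foo.foobar.com, foobar.com and the
# 127.0.0.1:3030 / 127.0.0.1:5000 servers from the question.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    option httplog
    log global

    # HAProxy completed the handshake on this bind, so the stream it
    # inspects is plaintext HTTP: req_ssl_sni can never see a ClientHello
    # here. ssl_fc_sni is the SNI HAProxy negotiated (and used to pick the
    # certificate from the crt directory). -i makes the match case-insensitive.
    acl is_site1 ssl_fc_sni -i foo.foobar.com
    acl is_site2 ssl_fc_sni -i foobar.com

    # SNI is chosen by the client and is not authenticated: route on it,
    # but never treat it as authorization. Unknown names get an explicit
    # 403 instead of falling through to <NOSRV> / 503.
    http-request deny if !is_site1 !is_site2

    # Takes effect only because this frontend is mode http; reqadd was a
    # no-op in the original mode tcp frontend.
    http-request set-header X-Forwarded-Proto https

    use_backend www-foo-foobar if is_site1
    use_backend www-foobar if is_site2

# Plaintext listener that owns the https redirect. In the question the
# redirect sat in backends reached over the ssl bind, where !{ ssl_fc }
# is always false, so it never fired.
frontend http-in
    bind *:80
    mode http
    log global
    redirect scheme https code 301 if !{ ssl_fc }

backend www-foo-foobar
    mode http
    log global
    server www-1 127.0.0.1:3030 check

backend www-foobar
    mode http
    log global
    server www-1 127.0.0.1:5000 check
```

If the goal is the pass-through setup from the linked guides instead, the bind line must drop `ssl crt ...` and the frontend stays in mode tcp with `tcp-request inspect-delay` plus the req.ssl_hello_type accept rule and req_ssl_sni ACLs; the backends then receive the still-encrypted stream and must terminate TLS themselves, and HAProxy can neither add headers nor issue redirects for that traffic. The two models do not mix on one bind line, which is exactly what produced the <NOSRV> log entry above.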