Load balancing Mysql Connections by Haproxy based on domain names in request

0
votes

I have a service discovery architecture in which i have a haproxy for TCP routing of MYSQL connections based on host names. For that i read in haproxy here https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/.

It tells us it is indeed possible to route TCP connections based on host names received in TCP requests through SNI implementation.

Now i have setup the Haproxy as per the above configuration but i am unable to figure out what changes i need to do in mysql configuration in my springboot application. Also how do i test that this haproxy works through mysql client?

1
mysqlservicetcpdnshaproxy

1 Answers

2
votes

it is indeed possible to route TCP connections based on host names received in TCP requests through SNI implementation.

Yes, this would be true, but only if all of the following conditions are also true:

  • The protocol is one where the client talks first, and
  • TLS is negotiated immediately by the client upon initial connection, and
  • SNI is presented by the client in the TLS handshake.

But with the MySQL client/server protocol, none of these things are true.

In the MySQL client/server protocol, the server talks first¹, identifying itself and its capabilities (including whether it supports TLS), and then the client responds with its own list of capabilities including whether it wishes to negotiate TLS, and finally the TLS negotiation begins, with no privision for SNI because the client and server are already connected.

tl;dr: The MySQL client/server protocol cannot be routed through a proxy of any kind, based on hostnames. The design of the protocol makes this impossible because there is no way for the hostname to be conveyed.

The only option for name-based routing is for the HAProxy to have multiple IP addresses, with an individual frontend or listen section bound to each address, and the hostnames each pointing to one of these addresses.

¹the server talks first refers to which side of the connection sends the first payload after the connection is established. The client begins the process that establishes the connection, of course, but once the channel is open, in the MySQL protocol, the first payload in either direction comes from the server. Other protocols, like SMTP, do the same thing -- an SMTP server starts the conversation with something like 220 mail.example.com ESMTP service ready. This is different from protocols like HTTP, where the client talks first. When the connection is established, the server sends nothing, waiting for the client to send something like GET / HTTP/1.1\r\nHost: example.com\r\n\r\n. In HTTPS, when the connection is established, the server sends nothing, and the client initiates the TLS handshake.