Hello HAProxy community,
I have HAProxy acting as Load Balancer to a Kubernetes Cluster. I have a wildcard DNS entry for my “public” IP address on the HAProxy. I also have a wild card TLS Certificate.
When I deploy a new application on Kubernetes it appears as new_application.mykyubdomain.com. Internally I access this no problem. This is combination of wild card DNS, TLS SNI and HAProxy magic working.
I would like to block a single application (TLS SNI) on the HAProxy. So my understanding is I need to inspect the SNI to see which application (TLS SNI) I am looking at and block it using tcp-request content reject.
This a snippet from the frontend section of my HAProxy settings for Kubernetes Cluster.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl stop_app_ssl req_ssl_sni new_application1.mykyubdomain.com
tcp-request content reject if stop_app_ssl
This is all in mode tcp as it is TLS traffic. The TLS termination is on the Kubernetes Cluster. I am not off loading the encryption to the HAProxy.
I have set-up Wireshark and can the SNI “new_application1.mykyubdomain.com” in TLS extension SNI when I connect to new_application1 but HAProxy does not block the traffic.
I have the following version of HAProxy running on rhel 7.
What am I doing wrong? Any advice much appreciated. If I have not made anything clear please ask.
[root@rhoslb1 haproxy]# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Best Regards,
Kevin.