Sorry for being dense, but I just cannot figure out how to use the SNI to validate the back end.
Here’s a specific example using an SNI test site:
option httpchk GET /
server velox bob.sni.velox.ch:443 ca-file /etc/haproxy/GeoTrustSSLCA.crt check-ssl ssl resolvers dns force-tlsv12 verify required sni str(bob.sni.velox.ch) fall 1 weight 100 observe layer7 check
The above line passes the health check (layer 7).
If I change the above line to include an invalid SNI:
sni str(bob.sni.velox.ch123)
It still reports a successful health check, which would indicate HAProxy is not checking the SNI, though it may be sending it.
If I revert to the original and add verifyhost, I get a failure on layer 6 – SSL handshake failure.
server velox bob.sni.velox.ch:443 ca-file /etc/haproxy/GeoTrustSSLCA.crt check-ssl ssl resolvers dns force-tlsv12 verify required sni str(bob.sni.velox.ch) verifyhost bob.sni.velos.ch fall 1 weight 100 observe layer7 check
What I cannot figure out is how to do the verify on the SNI name itself.
–Ray
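As an added example, not from Ray's post, the following server line shows how HAProxy divides the work between the directives involved: ca-file plus verify required validates the certificate chain, verifyhost is the directive that compares the certificate's subject/SAN against a name, sni only sets the ClientHello name on forwarded traffic, and check-sni (a separate keyword, assumed available in the HAProxy version in use, 1.8 or later) sets it on health checks. The CA path and host name are taken from the post above; the backend name is assumed.

```haproxy
backend velox
    option httpchk GET /
    # verify required + ca-file: the server certificate must chain to GeoTrustSSLCA.crt.
    # verifyhost: the name that must appear in the certificate; a typo here (velos vs velox)
    #   makes every handshake, including health checks, fail at layer 6.
    # sni str(...): SNI sent on proxied traffic only; check-sni: SNI sent on health checks.
    server velox bob.sni.velox.ch:443 ssl verify required ca-file /etc/haproxy/GeoTrustSSLCA.crt sni str(bob.sni.velox.ch) verifyhost bob.sni.velox.ch check check-ssl check-sni bob.sni.velox.ch force-tlsv12 resolvers dns fall 1 weight 100 observe layer7
```

Changing only the sni or check-sni value alters what name the server is asked for, not what name is accepted; it is the verifyhost value that decides whether the returned certificate passes.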