HAProxy community

Check health on backend TLS sites that requires SNI

Hi everyone,

I’m trying to setup a cluster of two Microsoft ADFS servers (Federation service for SAML authentication), behind two different HAproxy servers, which receives incoming connections from two differents ISPs.

So, we defined a frontend that bind the connections on the ADFS service, which is running on port 443 with a specific name, that matches the one specified in TLS certificate used for the role. We cannot access the auth page of ADFS without specifying that name, that’s not configureable like IIS.

acl is_adfs hdr(host) adfs.contoso.com

Then, the backend is configured like:

backend redirect_ADFS
   mode http
   option ssl-hello-chk
   option httpchk
   balance leastconn
   default-server port 443 inter 2s downinter 5s rise 3 fall 2
   server adfs0 192.168.11.100 ssl crt /certs/haproxy/adfs.pem verify none ssl_fc_sni
   server adfs1 172.16.11.100 ssl crt /certs/haproxy/adfs.pem verify none ssl_fc_sni

As you can see, on the server lines, we forward the connection to the servers with the SNI we got from the request. It works like that.

Thus, we need to check the health on that two servers, to make the failover works properly. I’m not able to setup the “check” options : everytime the check seems to be done on the IP/port. As i told firstly, if we try to connect directly on that IPs (ex. 192.168.11.110) on port 443, we got a reset. That’s normal.

So, the check must be done on the SNI adfs.contoso.com, and i can’t find anything about it on the documentations. Or maybe i’m not enough good to assemble the required haproxy bricks together and make that work.

Thanks in advance for your help!
Arnaud

Add check-sni adfs.contoso.com on the server line, as per:

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-check-sni