Check-ssl with SNI


I have configured my https-front to route by domain
use_backend back1 if { req_ssl_sni -i back1.com }
use_backend back2 if { req_ssl_sni -i back2.com }

  • all working nicely once we told the iis-servers to require SNI

Now I want to configure the backend checks to check with SNI, but it keeps reporting (layer6 invalid response: connection error during ssl handshake (connection reset by peer))

my config for backend is:
balance roundrobin
acl tls req.ssl_hello_type 1
option ssl-hello-chk
server srv1 1.2.3.4:443 check check-ssl verify none sni str(back1.com)
server srv2 1.2.3.5:443 check check-ssl verify none sni str(back1.com)

  • I’ve tried with sni ssl_fc_sni, but same result.

I have compiled with ssl-support - host os is CentOS 7, and haproxy version is 1.8.13
what am I doing wrong here?

To test connection I have tried ‘openssl s_client -connect 1.2.3.4:443 -servername back1.com’, and it connects perfectly well

I should probably mention that certificates are valid and issued by GeoTrust Inc.


Frontend decisions such as SNI routing don’t have anything to do with your backend requiring SNI. You may have come to the wrong conclusion here.

Apart from the fact that you should set the flag to require SNI on the backend server, here is what’s wrong:

  • option ssl-hello-chk simulates an obsolete SSLv3 client_hello and must be removed
  • if your backend requires SNI and you are using an SSL-level health check like you do, you also need to manually specify the SNI value used for the health check, otherwise haproxy does not have the information and the health check fails. Use check-sni
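The backend as posted beside the corrected form the answer describes, as an added example that is not the poster's own config. The CA bundle path is an assumption (the CentOS 7 system bundle); the posted `verify none` skips certificate validation entirely, so the corrected version verifies against that bundle instead.

```haproxy
# Added example, not from the thread. Addresses and hostnames are the
# placeholder values used in the question.

# --- as posted: SSLv3-style hello check, no SNI on the health check,
# --- and no certificate verification (fails with "layer6 invalid response")
backend back1_as_posted
    balance roundrobin
    option ssl-hello-chk
    server srv1 1.2.3.4:443 check check-ssl verify none sni str(back1.com)

# --- corrected: drop ssl-hello-chk, give the health check its own SNI,
# --- and verify the server certificate (certs are GeoTrust-issued, so the
# --- system CA bundle suffices; path is an assumption for CentOS 7)
backend back1
    balance roundrobin
    # 'sni' sets the server name for proxied client traffic only;
    # 'check-sni' sets it for the health check. HAProxy does not copy one
    # from the other, so both are needed when the server requires SNI.
    server srv1 1.2.3.4:443 check check-ssl check-sni back1.com sni str(back1.com) verify required ca-file /etc/pki/tls/certs/ca-bundle.crt
    server srv2 1.2.3.5:443 check check-ssl check-sni back1.com sni str(back1.com) verify required ca-file /etc/pki/tls/certs/ca-bundle.crt
```

With `verify required`, a check that still fails after this change points at a certificate or hostname problem rather than SNI, which is worth knowing before reaching for `verify none`.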


ok - the ssl-hello-chk was removed, and check-sni inserted, and now I get a very nice ‘layer 6 check passed’.
I am aware the frontend-routing has nothing to do with backend checks - it was just to say that the whole SNI part is enabled and working. - thanks a lot :slight_smile:


Ok, good. I realized that I omitted a “not” above: I meant to say that you should NOT require SNI on your backend - because it only complicates everything.