Clarifications regarding SNI and SSL verifications

Hi,

Apache (2.4.65) recently changed its behaviour to prevent accessing a virtualhost that doesn’t align with the Host header when not presenting SNI in the request.

It broke some HAProxy setups (at least) when using server <name>:<port> ssl verify none.
It’s easily fixable by adding sni req.hdr(host) to the server definition.

But it pushed me to read the documentation and not everything is clear to me.

My main question is: does HAProxy add SNI to the backend server by itself (without an explicit sni option) in any situation?

My limited experience with SSL between HAProxy and the server (since I mostly use HAProxy on a trusted LAN without SSL) led me to believe that it should do this automatically, but after a few tests it seems that it doesn't.

Afterwards I figured that it doesn't add x-forwarded-for either (even though I would have thought that it should), so the rationale might be the same. If anyone knows, I'm all ears.

Thanks for any help on this.
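The backend configuration described in the post, with the weak form next to a hardened one, as an added example written for this page rather than configuration taken from the thread. The backend names, the server address, the CA file path and the internal host name are assumptions for illustration.

```haproxy
# Added example, not configuration from the thread.
# Backend as the original poster describes it: TLS to Apache, no SNI,
# no certificate verification. Names and paths are made up.
backend app_before
    mode http
    # No "sni" keyword: HAProxy sends no SNI to the backend, so Apache 2.4.65
    # no longer maps the request to the vhost named in the Host header.
    # "verify none" additionally accepts any certificate the backend presents.
    server app1 10.0.0.10:443 ssl verify none

backend app_after
    mode http
    # Forward the client's Host header as SNI, with any ":port" suffix cut off
    # and lower-cased, because SNI carries a bare host name.
    # "verify required" + "ca-file": the backend certificate must chain to our
    # private CA. "verifyhost" pins the expected certificate name; without it
    # HAProxy would compare the certificate against the SNI value, i.e. against
    # a name the client controls via Host.
    # "check-sni": health checks carry no Host header, so give them an SNI too.
    server app1 10.0.0.10:443 ssl \
        sni req.hdr(host),field(1,:),lower \
        verify required ca-file /etc/haproxy/backend-ca.pem \
        verifyhost app.example.internal \
        check check-sni app.example.internal

    # HAProxy does not add X-Forwarded-For on its own either; this enables it.
    option forwardfor
```

With `verify none` the SNI fix alone restores vhost selection but still lets any host answering on 10.0.0.10:443 impersonate the backend; `verify required` with a CA file is what makes the TLS hop between HAProxy and Apache meaningful, and `verifyhost` keeps that check independent of whatever Host header a client chooses to send.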

HAProxy will always modify the absolute minimum number of headers. So unless there is a specific configuration, it will only adjust hop-by-hop headers if needed, for example related to Content-Length vs. chunking and things like that.

Everything else will be passed as-is, in HTTP.

Not in SSL (like SNI): because SSL is terminated, it doesn't go "through" (like HTTP), unless you are using SSL pass-through, which just forwards the TCP payload; then of course SSL is passed through transparently (without any access to HTTP).

So if you want to modify an HTTP header, you have to explicitly configure that.

As HAProxy is a reverse proxy, it would be dangerous to make assumptions about what the admin expects, without knowing the circumstances.

No, not right now, although there is an ongoing conversation about it:

Thanks @lukastribus . That makes sense.