Hi,
I have haproxy running ok for the most part, though I have one service which uses ssl and I have problems with it.
When I test it as:
openssl s_client -connect node1.server.com:443 -servername node1.server.com
haproxy redirects correctly and returns the correct certificate.
If tested as
openssl s_client -connect node1.server.com:443
it does not redirect.
Any idea how to fix it?
frontend z-https-in
    bind *:443
    mode tcp
    # wait up to 5s for the ClientHello before deciding on a backend
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # route on the SNI host name found in the ClientHello (case-insensitive)
    use_backend z-zc_01_https_backend if { req.ssl_sni -i node1.server.com }
    use_backend z-zc_02_https_backend if { req.ssl_sni -i node2.server.com }

backend z-zc_02_https_backend
    mode tcp
    server node11 192.168.199.229:443

backend z-zc_01_https_backend
    mode tcp
    server node4 192.168.199.132:443
Your HAProxy configuration appears perfectly fine to me. The reason your request is not getting redirected when not using the servername option is because you are not passing an SNI as a part of SSL/TLS handshake.
To provide you some context, SNI allows a server to have multiple SSL certificates installed on the same IP address. In that scenario, if you are not providing the hostname of the server during the handshake process, the server wouldn’t know the correct SSL certificate to use for the connection and would instead use the default certificate.
This is exactly what seems to be happening in your case.
When you use the above command, an SSL handshake is performed to establish a secure connection on node1.server.com port 443 and the certificate for node1.server.com, as specified by the servername option, is used.
When you use the above command, an SSL handshake is performed to establish a secure connection on node1.server.com port 443. But here the default SSL certificate is used as there is no SNI specified by servername.
This is why the req.ssl_sni directive is unable to retrieve the hostname based on which the redirection has to be performed and thus the acl “req.ssl_sni -i node1.server.com” returns false.
As a solution, I would recommend that you incorporate the use of the servername option in the service using SSL rather than going for a complex HAProxy configuration.
Shivharsh
Thank you.
I do not have control of the clients connecting to this service, so I am not sure how I would incorporate the servername option. Any pointers?
Since that does not seem like a possibility, any pointers on how to set up HAProxy to deal with it?
Thank you very much.
robert
Every supported browser on every supported operating system sends SNI for HTTPS. If you need to support IE6 on Windows XP use cases, then you need to have a dedicated public IP address for each routing decision that you want to take.
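The following is an added example, not code from anyone in this thread or from the HAProxy project. It shows what the `req.ssl_sni` fetch in the posted frontend has to do: read the raw TLS ClientHello, walk past the random, session id, cipher suites and compression methods, and pull the host_name out of the server_name extension (type 0). Both ClientHello records are constructed inline for the example; a client that omits the extension, like the second openssl command, yields no name, and `choose_backend` then falls back to whatever default it was given, which is the role a `default_backend` line (a real HAProxy directive, not present in the posted config) would play. The backend names are taken from the thread; the function names and the `default` parameter are assumptions of this example.

```python
import struct

# Backend map mirroring the two use_backend rules in the posted frontend.
BACKENDS = {
    "node1.server.com": "z-zc_01_https_backend",
    "node2.server.com": "z-zc_02_https_backend",
}


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data, not a capture)."""
    body = b"\x03\x03" + bytes(32)                    # client_version + 32-byte random (zeros here)
    body += b"\x00"                                   # empty session_id
    suites = b"\xc0\x2f\x00\x9c"                      # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list    # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                               # not a TLS handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                               # not a ClientHello (req.ssl_hello_type 1 fails too)
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                  # skip client_version and random
        sid_len = body[pos]; pos += 1 + sid_len       # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len         # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all (very old clients)
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == 0 and len(data) >= 5:
                p = 2                                 # skip server_name_list length
                while p + 3 <= len(data):
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]; p += 3
                    name = data[p:p + nlen]; p += nlen
                    if ntype == 0:
                        return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                                   # truncated or malformed hello


def choose_backend(record, default=None):
    """Mimic the frontend: match SNI case-insensitively (the -i flag); otherwise use the default.

    With no default (as in the posted config) a hello without SNI matches no rule at all.
    """
    sni = extract_sni(record)
    if sni is None:
        return default
    return BACKENDS.get(sni.lower(), default)


if __name__ == "__main__":
    for label, hello in (("with SNI", build_client_hello("node1.server.com")),
                         ("without SNI", build_client_hello(None))):
        print(label, "->", extract_sni(hello), "->", choose_backend(hello))
```

Run as a script it prints the routing outcome for both hellos. The `default` argument corresponds to adding `default_backend <name>` under the frontend, which is the usual way to keep non-SNI clients from being dropped; which backend deserves that role is a decision about which certificate such clients should be shown.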