Hello everybody,
I would like to have a frontend for HTTPS and a frontend for TCP over TLS:
I don't know where I made a mistake; could you help me?
Let me explain: I have one frontend "fe_vip_443_tcp" to analyse the TLS request (HTTPS or TCP over TLS). If it is HTTPS, I send it to backend redirect_for_https (@abns), which redirects to frontend "fe_vip_https" (@abns), which in turn sends it to the HTTP backend.
That way I will have a frontend for HTTPS and a frontend for TCP over TLS.
(HA-Proxy version 1.8.3)
My errors, in this order:
fe_vip_https/1: SSL handshake failure
fe_vip_443_tcp~ redirect_for_https/loopback-for-tls 191/0/191 0 SD 4/4/0/0/0 0/0
My config file without the global and default sections:
Please share the entire configuration as preformatted text (mark the configuration and use the </> button), otherwise it's unreadable.
You seem to do SNI routing in frontend fe_vip_https, however it belongs in frontend fe_vip_443_tcp. Also, you must not terminate SSL in frontend fe_vip_443_tcp, so remove everything after 443 in the bind line.
You have to use req_ssl_sni instead of ssl_fc_sni here. The former is for TCP payload with SSL data going transparently through haproxy (which is the case in frontend fe_vip_443_tcp), the latter is for an SSL session terminated by haproxy, which is the wrong tool for the job you are trying to do.
I understand what you are trying to do, and it is possible with SNI routing, if you have different hostnames in the SAN field of the certificates (they must not overlap with each other). But you have to configure haproxy properly, like explained above.
You cannot do it based on the protocol, because it is encrypted. You can do it based on the SNI value of the client_hello.
You are doing it in your frontend:
acl acl_mail req_ssl_sni mail.labaog.mydom.com.ch
use_backend redirect_for_https if acl_mail
default_backend bk_null
You are telling haproxy here:
if the SNI value is mail.labaog.mydom.com.ch, then route it to backend redirect_for_https, otherwise route to backend bk_null
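A configuration in the shape the reply above describes, added here as an example (it is not the poster's configuration and not from the HAProxy project): SNI is inspected with req_ssl_sni in the TCP frontend, TLS is left untouched there, and only the matching stream is looped over an abns socket into the HTTPS frontend, which is the only place TLS is terminated. The hostnames, socket name, certificate path, server addresses and the use of the PROXY protocol on the loopback are assumptions.

```haproxy
# Added example; all names, hostnames, addresses and paths are placeholders.
frontend fe_vip_443_tcp
    mode tcp
    # No "ssl crt ..." on this bind: the TLS stream passes through untouched.
    bind *:443
    # Wait for the ClientHello so the SNI can be read before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # req_ssl_sni reads the SNI from the unencrypted ClientHello.
    acl acl_mail req_ssl_sni -i mail.labaog.mydom.com.ch
    use_backend redirect_for_https if acl_mail
    # Everything else stays raw TCP over TLS.
    default_backend bk_tls_passthrough

backend redirect_for_https
    mode tcp
    # Loop the still-encrypted stream into the HTTPS frontend over an
    # abstract socket; PROXY protocol v2 carries the real client address.
    server loopback-for-https abns@https_loop send-proxy-v2

backend bk_tls_passthrough
    mode tcp
    # Placeholder non-HTTP TLS service (e.g. IMAPS) reached end-to-end.
    server tls_app 10.0.0.20:993 check

frontend fe_vip_https
    mode http
    # TLS is terminated only here; ssl_fc_sni would be valid in this frontend.
    bind abns@https_loop accept-proxy ssl crt /etc/haproxy/certs/mail.pem
    default_backend bk_http

backend bk_http
    mode http
    # Placeholder plain HTTP backend.
    server web1 10.0.0.10:80 check
```

Run `haproxy -c -f <file>` to check the syntax before reloading; a ClientHello without SNI, or with an unlisted name, goes to bk_tls_passthrough.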
Yes, I know, but if only I could do something like this:
use_backend redirect_for_https if { tcp request have HTTP in the content request }
use_backend redirect_for_tcps if { tcp request have not HTTP in the content request }