Ignore / pass-through SSL for some domains and terminate / decrypt for others

Hi Everybody,

Thank you very much for HAProxy. It’s fantastic software and community.

Could you please help me with the following?

Simplified version of my current configuration:

# /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 10s
        timeout client  60s
        timeout server  60s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend my-http
        mode http
        option httplog
        bind :80
        bind :443 ssl strict-sni crt-list /etc/haproxy/haproxy-cert-list.txt
        option forwardfor

        acl domain-is-firstdomain.com     hdr(host) -i firstdomain.com
        acl domain-is-seconddomain.com    hdr(host) -i seconddomain.com
        acl ...

        redirect   scheme https code 301 if !{ ssl_fc } domain-is-firstdomain.com
        redirect   scheme https code 301 if !{ ssl_fc } domain-is-seconddomain.com

        use_backend   http-firstdomain.com    if domain-is-firstdomain.com
        use_backend   http-seconddomain.com   if domain-is-seconddomain.com
        use_backend ...

        default_backend http-unknown

backend http-firstdomain.com
        mode http
        option forwardfor
        server container1 container1:80

backend http-seconddomain.com
        mode http
        option forwardfor
        server container2 container2:80

backend ...

# /etc/haproxy/haproxy-cert-list.txt
/certs/firstdomain.com.pem      [ssl-min-ver TLSv1.1] firstdomain.com *.firstdomain.com
/certs/seconddomain.com.pem     [ssl-min-ver TLSv1.2] seconddomain.com *.seconddomain.com

This configuration works great. HAProxy in this configuration decrypts HTTPS and sends HTTP to different containers based on the requested domain.

Now I’m trying to figure out if it is possible to pass HTTPS through without decryption / without checking the certificate for another specified domain.

Based on my understanding I can easily do it by specifying a new frontend with mode tcp, but for that I’d need another public IP or have to use an alternative port (for example 8443).

The reason I can’t decrypt traffic on HAProxy for one specific domain is that I’d like to run an instance of Syncthing that has to use a self-signed certificate. I can easily run it on a different port, but I’d prefer to use TCP 443 so I can use Syncthing when ports like 8443 or 22000 (Syncthing’s default listening port) are blocked.

Thank you.

Kind regards,
Ben H.

Check the following post for a TCP frontend routing through different backends based on SNI and ultimately SSL-terminating it on another dedicated frontend:

You can use the same approach to SSL terminate some domains and passthrough others.
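The layout described above, as an added example written for this thread (it is not the linked post’s configuration nor Ben’s own): a TCP frontend on :443 inspects the SNI, passes one hostname through untouched, and loops everything else back to the terminating frontend over an abstract socket. The hostname `sync.firstdomain.com`, the `syncthing-container` address and the socket name `https-terminate` are placeholders; the original `bind :443 ssl ...` line moves from `my-http` onto the new `my-https` frontend, while `my-http` keeps `bind :80` for the redirects.

```haproxy
frontend tcp-443
        mode tcp
        bind :443
        option tcplog
        # Buffer the connection until the ClientHello arrives so req.ssl_sni is populated
        # (or 5s pass), then route on the SNI without touching the TLS stream.
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        acl sni-is-syncthing req.ssl_sni -i sync.firstdomain.com   # placeholder hostname

        use_backend tcp-syncthing-passthrough if sni-is-syncthing
        default_backend tcp-loopback-https

backend tcp-syncthing-passthrough
        mode tcp
        # Encrypted bytes are forwarded as-is; Syncthing keeps presenting its own
        # self-signed certificate and HAProxy never validates or terminates it.
        server syncthing syncthing-container:22000   # placeholder address

backend tcp-loopback-https
        mode tcp
        # Hand the still-encrypted stream to the terminating frontend over an abstract
        # namespace socket; PROXY protocol v2 carries the client's real address across the hop.
        server loopback abns@https-terminate send-proxy-v2

frontend my-https
        mode http
        option httplog
        # accept-proxy reads the PROXY header so logs, forwardfor and ACLs see the client IP,
        # not 127.0.0.1; the rest is the original :443 bind moved here.
        bind abns@https-terminate accept-proxy ssl strict-sni crt-list /etc/haproxy/haproxy-cert-list.txt
        option forwardfor

        acl domain-is-firstdomain.com     hdr(host) -i firstdomain.com
        acl domain-is-seconddomain.com    hdr(host) -i seconddomain.com

        use_backend   http-firstdomain.com    if domain-is-firstdomain.com
        use_backend   http-seconddomain.com   if domain-is-seconddomain.com
        default_backend http-unknown
```

A client that sends no SNI (or an unexpected one) falls into `tcp-loopback-https` and is answered by `strict-sni` there, so only the one named hostname ever bypasses certificate handling; check with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.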

So I can loop it back to another frontend, and that other frontend can have mode tcp. That’s magic. Thank you Lukas. I’ll test it and report back.