Hi Everybody,
Thank you very much for HAProxy. It’s fantastic software and community.
Could you please help me with the following?
Simplified version of my current configuration:
# /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 10s
    timeout client 60s
    timeout server 60s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend my-http
    mode http
    option httplog
    bind :80
    # TLS is terminated here; SNI picks the certificate from the crt-list
    bind :443 ssl strict-sni crt-list /etc/haproxy/haproxy-cert-list.txt
    option forwardfor
    acl domain-is-firstdomain.com hdr(host) -i firstdomain.com
    acl domain-is-seconddomain.com hdr(host) -i seconddomain.com
    acl ...
    # plain-HTTP requests for known names are sent to HTTPS
    redirect scheme https code 301 if !{ ssl_fc } domain-is-firstdomain.com
    redirect scheme https code 301 if !{ ssl_fc } domain-is-seconddomain.com
    use_backend http-firstdomain.com if domain-is-firstdomain.com
    use_backend http-seconddomain.com if domain-is-seconddomain.com
    use_backend ...
    default_backend http-unknown

backend http-firstdomain.com
    mode http
    option forwardfor
    server container1 container1:80

backend http-seconddomain.com
    mode http
    option forwardfor
    server container2 container2:80

backend ...

# /etc/haproxy/haproxy-cert-list.txt
/certs/firstdomain.com.pem [ssl-min-ver TLSv1.1] firstdomain.com *.firstdomain.com
/certs/seconddomain.com.pem [ssl-min-ver TLSv1.2] seconddomain.com *.seconddomain.com
This configuration works great. HAProxy in this configuration decrypts HTTPS and sends HTTP to different containers based on the requested domain.
Now I’m trying to figure out if it is possible to pass through HTTPS without decryption / without checking the certificate for another specified domain.
Based on my understanding I can easily do it by specifying a new frontend with mode tcp, but for that I’d need another public IP or use an alternative port (for example 8443).
The reason I can’t decrypt traffic on HAProxy for one specific domain is that I’d like to run an instance of Syncthing that has to use a self-signed certificate. I can easily run it on a different port, but I’d prefer to use TCP 443 so I can use Syncthing when ports like 8443 or 22000 (Syncthing’s default listening port) are blocked.
Thank you.
Kind regards,
Ben H.
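As an added example (not part of the post above and not taken from HAProxy's documentation), one way to keep a single :443 listener and still pass one name through untouched: a TCP-mode frontend reads only the SNI from the TLS ClientHello, forwards the Syncthing name as raw TCP to its container, and hands every other connection to the existing HTTP-mode frontend over an internal abstract-namespace socket, where termination happens exactly as before. The hostname sync.firstdomain.com, the container name syncthing and its port 22000, and the socket name https-term are assumptions.

```haproxy
# Added example, not the original post's config. Assumed names: sync.firstdomain.com
# (the Syncthing hostname), a container "syncthing" listening on TCP 22000 with its own
# self-signed certificate, and the abstract-namespace socket https-term.

frontend tls-in
    mode tcp
    bind :443
    # Buffer the start of the connection until a complete TLS ClientHello has arrived
    # (or 5s elapse) so that req.ssl_sni is populated before a backend is chosen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Syncthing's name is relayed as opaque TCP: HAProxy never sees or checks its certificate.
    use_backend syncthing-passthrough if { req.ssl_sni -i sync.firstdomain.com }
    # Everything else is terminated by the HTTP frontend below.
    default_backend terminate-https

backend syncthing-passthrough
    mode tcp
    server syncthing syncthing:22000

backend terminate-https
    mode tcp
    # Internal hop to the terminating frontend. PROXY protocol v2 carries the real
    # client address across the hop so that logs and forwardfor stay correct.
    server local abns@https-term send-proxy-v2

frontend my-http
    mode http
    option httplog
    bind :80
    # Replaces the former "bind :443 ssl ..."; :443 now belongs to tls-in.
    # Certificate selection and strict-sni behave as before.
    bind abns@https-term accept-proxy ssl strict-sni crt-list /etc/haproxy/haproxy-cert-list.txt
    option forwardfor
    acl domain-is-firstdomain.com hdr(host) -i firstdomain.com
    acl domain-is-seconddomain.com hdr(host) -i seconddomain.com
    # ssl_fc is true on the abns listener, so only plain :80 requests are redirected.
    redirect scheme https code 301 if !{ ssl_fc } domain-is-firstdomain.com
    redirect scheme https code 301 if !{ ssl_fc } domain-is-seconddomain.com
    use_backend http-firstdomain.com if domain-is-firstdomain.com
    use_backend http-seconddomain.com if domain-is-seconddomain.com
    default_backend http-unknown
```

Two caveats a practitioner would check. First, routing rests entirely on the client sending sync.firstdomain.com as SNI; a ClientHello without that name falls through to the terminating frontend, where strict-sni rejects it, so confirm with `openssl s_client -connect <host>:443 -servername sync.firstdomain.com` that the certificate shown is Syncthing's self-signed one and that `-servername firstdomain.com` still shows the HAProxy-managed one. Second, `abns@` sockets exist only on Linux; elsewhere use a `unix@` path reachable inside the chroot or a loopback port, and validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.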