I am currently having two different frontends, both I want to offer on ssl 443. However each front end has different acls, http-response set-headers. I think the default[1] to redirect to backends is somethink like this.
frontend env_ssl_frontend
bind *:443
mode tcp
option tcplog
tcp-request inspect-delay 10s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_app1 if { req.ssl_sni -m end app1.domain.com }
use_backend bk_app2 if { req.ssl_sni -m end app2.domain.com }
use_backend bk_app3 if { req.ssl_sni -m end app3.domain.com }
But I think this would mean I cannot separate acl’s for different backends, or am I mistaken here? Or is there another way to configure this? I was thinking of doing maybe an port redirection, but that does not really look nice on the client side.
So basically I would like to have a frontend configuration that is similar to eg. webservers. Where you have a seperate config for a ‘domain’ identified by sni name and certificate.
Different ACLs, response headers etc can all be combined with any other ACL, you do not need a different frontend for that.
There are some cases where you need to divide the two, but that is very rarely an issue.
Do you need to TLS passthrough some traffic while terminating TLS on some other traffic? That’s a typical use-case for this.
Yes, but whether you really need this is the real question. A lot of things can be configured without this, for example the example in question does not consider that with crt-list we can already configure ssl client certification per certificate, so this is not needed in this case anymore.
Yes, there are many options. To answer the specific question we need to know the actual use-case, otherwise.
If its just about HTTP options like http level ACLs and headers only, then you can probably use mode http in the first frontend layer, and content-switch to your second frontend layer via host header. This way it works for both HTTP and HTTPS the same way.
If this is also about having a specific certificate reffered to in the same frontend, then you need to go the SNI route, with a frontend layer in mode tcp and SNI content-switching to a secondary frontend layer. Hopefully for HTTP you can just need to redirect to HTTPS, otherwise you need to replicate it there as well.
No, a certificate does not belong there, it’s wrong (because you are not terminating TLS there).
Yes, it’s a free string, abns is for abstract namespace under linux, which as opposed to unix domain sockets are just free strings without permissions or paths so it’s easier to handle.
However you could replace those sockets with a port on localhost. Like you could just replace abns@webchat with 127.0.0.1:500 and abns@exchange with 127.0.0.1:501, it would be the same thing (other than IP sockets are easier to handle on reloads, so when you are reloading a lot you should probably stick to those).