Hello!
I have marzban installed on my vpc. I'm trying to route traffic with HAProxy using ssl_fc_sni. Here is my config snippet:
frontend https_in
    bind *:443 ssl crt /var/lib/marzban/certs/ecc_zimanon.me.cer crt /var/lib/marzban/certs/rsa_zimanon.me.cer
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl is_mrzbadm hdr(ssl_fc_sni) -i mrzbadm.zimanon.me
    use_backend mrzb_admin if is_mrzbadm

backend mrzb_admin
    mode tcp
    server admin_srv 127.0.0.1:8000
It's not working; I get "This page isn't working, mrzbadm.zimanon.me didn't send any data."
and in the log file I have:
2024-11-05T19:21:22.400170+00:00 marz-de1 haproxy[154782]: 195.133.47.73:59570 [05/Nov/2024:19:21:22.354] https_in~ https_in/ -1 0 SC-- 2/2/0/0/0 SNI:mrzbadm.zimanon.me
But if I try to route all traffic over the default backend as mrzbadm.zimanon.me, everything works fine. Can anybody help me out?
Do not use ssl_fc_sni in this case:
This extracts the Server Name Indication TLS extension (SNI) field from an
incoming connection made via an SSL/TLS transport layer and locally
deciphered by HAProxy.
You need to use req.ssl_sni instead:
Returns a string containing the value of the Server Name TLS extension sent
by a client in a TLS stream passing through the request buffer if the buffer
contains data that parse as a complete SSL (v3 or superior) client hello
message.
I changed the config to:
frontend https_in
    bind *:443 ssl crt /var/lib/marzban/certs/ecc_zimanon.me.cer crt /var/lib/marzban/certs/rsa_zimanon.me.cer
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend mrzb_admin if { req.ssl_sni -i mrzbadm.zimanon.me }

backend mrzb_admin
    mode tcp
    server admin_srv 127.0.0.1:8000
It's still not working. I have this in the logs:
2024-11-06T05:22:24.650272+00:00 marz-de1 haproxy[198043]: 195.133.47.73:37524 [06/Nov/2024:05:22:24.607] https_in~ https_in/<NOSRV> -1/-1/42 0 SC 1/1/0/0/0 0/0
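The two configs above combine a terminating bind line ("bind *:443 ssl crt ...") with fetches that only see the raw ClientHello. That combination is why the second log line ends in "<NOSRV>": once HAProxy has decrypted the connection, the request buffer holds plaintext, so neither req_ssl_hello_type nor req.ssl_sni ever matches and no backend is chosen. The following config is an added example, not from the thread or the HAProxy or marzban projects, showing both consistent layouts side by side: variant A keeps TLS termination and routes on ssl_fc_sni, variant B drops "ssl" from the bind line so req.ssl_sni can read the SNI from the unencrypted ClientHello. The hostnames and certificate paths are the ones from the thread; the backends other_services and mrzb_admin_tls and their ports are placeholders.

```haproxy
# Variant A: HAProxy terminates TLS (same bind line as in the thread).
# After the handshake the requested name is available only through
# ssl_fc_sni; req.ssl_sni and req_ssl_hello_type inspect the *decrypted*
# buffer and can never match here, which is what produced "<NOSRV>".
frontend https_in
    mode tcp
    bind *:443 ssl crt /var/lib/marzban/certs/ecc_zimanon.me.cer crt /var/lib/marzban/certs/rsa_zimanon.me.cer
    use_backend mrzb_admin if { ssl_fc_sni -i mrzbadm.zimanon.me }
    # placeholder: whatever should receive every other name
    default_backend other_services

# Variant B: TLS passthrough. No "ssl" on the bind line, so the request
# buffer still holds the raw ClientHello and req.ssl_sni can parse it.
# HAProxy never decrypts, so the selected backend must speak TLS itself.
# Mutually exclusive with variant A (both bind *:443): keep only one.
frontend https_passthrough
    mode tcp
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend mrzb_admin_tls if { req.ssl_sni -i mrzbadm.zimanon.me }
    default_backend other_services

# Backend from the thread: plaintext admin service, used by variant A.
backend mrzb_admin
    mode tcp
    server admin_srv 127.0.0.1:8000

# Placeholder backend for variant B: the same service, but listening with
# its own certificate, because the encrypted stream is forwarded unchanged.
backend mrzb_admin_tls
    mode tcp
    server admin_srv_tls 127.0.0.1:8443

# Placeholder default backend so HAProxy has somewhere to send other names
# instead of closing the connection.
backend other_services
    mode tcp
    server placeholder 127.0.0.1:9000
```

Whichever variant is used, the log lines in the thread are the quickest check: a routed connection shows the chosen backend and server after the frontend name instead of "https_in/" or "<NOSRV>", and the SC termination state disappears.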