REQ_SSL_SNI and SSL termination


#1

Hello community!

I am trying to get haproxy to work with REQ_SSL_SNI and SSL termination.

Guides I have followed https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ https://stuff-things.net/2016/11/30/haproxy-sni/

Setup: HA-Proxy version 1.6.3 Ubuntu 16.04

Log generates following:

HTTP-in ~ http-in/NOSRV-1/-1/12 0 SC 0/0/0/0/0 0/0

frontend http-in
bind *:443 ssl crt /etc/haproxy/certs/
log global
reqadd X-Forwarded-Proto:\ https
mode tcp 
option tcplog
# wait up to 5 seconds from the time the tcp socket opens
# until the hello packet comes in (otherwise fallthru to the default)
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
acl is_site1 req_ssl_sni -i foo.foobar.com
acl is_site2 req_ssl_sni -i foobar.com
use_backend www-foo-foobar if is_site1
use_backend www-foobar if is_site2

backend www-foo-foobar
log global 
mode tcp 
option tcplog
redirect scheme https if !{ ssl_fc }
server www-1 127.0.0.1:3030 check

backend www-foobar
log global
mode tcp 
option tcplog
redirect scheme https if !{ ssl_fc }
server www-1 127.0.0.1:5000 check

What am I missing?

Can someone point me in the right direction?


#2

From HAProxy doc:

ssl_fc_sni : string
This extracts the Server Name Indication TLS extension (SNI) field from an
incoming connection made via an SSL/TLS transport layer and locally
deciphered by haproxy. The result (when present) typically is a string
matching the HTTPS host name (253 chars or less). The SSL library must have
been built with support for TLS extensions enabled (check haproxy -vv).

This fetch is different from “req_ssl_sni” above in that it applies to the
connection being deciphered by haproxy and not to SSL contents being blindly
forwarded.

Looks like your issue.

Have you tried to change your acls in this way:
acl is_site1 ssl_fc_sni app1.example.com
?


#3

Thank you. You really saved my day!