Send-proxy-v2 / send-proxy-v2-ssl with SNI

tomeryakir · June 30, 2021, 1:21pm

Hi,

I’m trying to setup the following configuration:

client → (SSL + SNI) → HAProxy → (SSL + retain original SNI + proxy protocol) → backend service

I’ve tried with the following configuration:

frontend haproxy
    bind 127.0.0.1:9000 strict-sni ssl crt server.pem
    mode tcp
    use_backend mybackend

backend mybackend
    mode tcp
    server atlasproxy_server snihostname:9001 ssl ca-file ca.pem check-sni snihostname sni str(snihostname) send-proxy-v2-ssl check

Client connections fail as HAProxy isn’t passing through the SNI to the backend.
If I omit the send-proxy-v2-ssl option, SNI is sent, but then I’m not getting the proxy protocol header on the backend.
How can I set up such configuration?

Thanks!

lukastribus · June 30, 2021, 3:50pm

What’s the backend, how is it configured, and does it support the proxy protocol, version 1 and/or version 2.

You don’t need the proxy protocol to pass the SNI value. You can use SNI to pass the SNI value. I assume you need the proxy protocol for the original IP address, in this case, proxy protocol version 1 is enough, which is more likely supported by your backend server.

tomeryakir · July 4, 2021, 8:57am

Thanks! This ended up being a bug in the backend.

Topic		Replies	Views
Set SNI based on the Host header on the outgoing TLS connections Help!	6	681	August 7, 2023
Set SNI Haproxy Passthrough Help!	1	685	October 1, 2018
[SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it Help!	12	2599	November 4, 2018
HAProxy 1.6, Backend SNI not working in my implementation Help!	2	3449	June 12, 2016
Setting up HAproxy 2.4 with SNI and backend servers using wildcard certificates Help!	1	986	May 30, 2021

Send-proxy-v2 / send-proxy-v2-ssl with SNI

Related Topics