Hi Team,
We are trying to figure out a solution for old applications and clients that are connecting to our endpoint. Some of these old clients do not set SNI during the initial handshake, due to which a default SSL certificate is being shown back to those old clients.
I am trying to find a solution where an HAProxy sitting between the client and our endpoint can add the SNI field to the requests before it forwards them to the backend (SSL passthrough, but add SNI before sending the request to the backend; SNI should be equal to the HOST header of the request).
something like the below…
backend lb
    mode tcp
    tcp-request inspect-delay 5s
    server alb backend.example.com:443 ssl sni req.hdr(host)

frontend https
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    use_backend lb
So the flow will be something like the below…
- Client’s request without SNI hits HAProxy…
- HAProxy adds the SNI header, which is equal to the HOST header in the HTTP request, and forwards it to the backend.
SSL certificate selection based on SNI will happen on the backend. HAProxy just needs to set SNI to the Host header value and pass it to the backend. Kindly let me know.
Many Thanks
Sarath
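Added example, not the poster's configuration: in SSL passthrough (mode tcp) the Host header is inside the encrypted TLS stream, so HAProxy cannot read it to derive SNI. The usual way to achieve the described flow is to terminate TLS on HAProxy in mode http, then re-encrypt to the backend with the server's `sni` option fed from the Host header. The certificate path, CA bundle path and backend address below are assumptions.

```haproxy
# Added example (not from the original post). Assumptions: the frontend
# certificate bundle lives at /etc/haproxy/certs/frontend.pem, the backend is
# backend.example.com:443 and the system CA bundle is at
# /etc/ssl/certs/ca-certificates.crt.
frontend https
    bind *:443 ssl crt /etc/haproxy/certs/frontend.pem
    mode http
    option forwardfor
    # Legacy clients that omit SNI still get a certificate here; the Host
    # header is readable because TLS is terminated on HAProxy.
    # A request with no Host header gives us nothing to derive SNI from.
    http-request deny deny_status 400 unless { req.hdr(host) -m found }
    # Drop any ":port" suffix so the SNI value is a bare hostname.
    http-request set-var(txn.sni) req.hdr(host),field(1,:)
    default_backend lb

backend lb
    mode http
    # SNI is set from the Host header; with "verify required" and no
    # verifyhost, HAProxy checks the backend certificate against that SNI value.
    server alb backend.example.com:443 ssl sni var(txn.sni) verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

The backend still selects its certificate by SNI exactly as described in the post; the difference is that HAProxy now presents its own certificate to the legacy clients instead of passing their SNI-less handshake through.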