Set SNI Haproxy Passthrough


#1

Hi Team,

We are trying to figure out a solution for old applications and clients that are connecting to our endpoint. Some of these old clients do not set SNI during the initial handshake, due to which a default SSL certificate is being shown back to those old clients.

I am trying to find a solution where a haproxy sitting between the client and our endpoint can add the SNI field to the requests before it forwards them to the backend (SSL passthrough, but add SNI before sending the request to the backend; SNI should be equal to the HOST header of the request).

Something like the below:

    backend lb
        mode tcp
        tcp-request inspect-delay 5s
        server alb backend.example.com:443 ssl sni req.hdr(host)

    frontend https
        bind *:443
        mode tcp
        tcp-request inspect-delay 5s
        use_backend lb

So the flow will be something like the below…

  1. Client’s request without SNI hits haproxy.
  2. Haproxy adds the SNI header, which is equal to the HOST header in the HTTP request, and forwards it to the backend.

SSL certificate selection based on SNI will happen on the backend. Haproxy just needs to set SNI to the host header value and pass it to the backend. Kindly let me know.

Many Thanks
Sarath


#2

You cannot access the host header when passing through SSL - because it’s encrypted. The only thing you can do is to terminate SSL on haproxy (meaning you need a certificate here, that matches the destination domain), and then set SNI based on the Host header on the outgoing SSL connection.
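The configuration below is an added example of the approach the reply describes (terminate TLS on HAProxy, then re-encrypt towards the backend with SNI taken from the Host header); it is not from the original post or from the HAProxy project. The certificate directory, CA bundle path and backend hostname are assumptions. Because HAProxy terminates TLS here, the frontend must hold a certificate that is valid for the domains the old clients request; clients that send no SNI are served the default certificate, so that default should cover those domains (for example a wildcard or multi-SAN certificate).

```haproxy
# Added example, not the poster's config. Paths and hostnames are assumed.
frontend https
    bind *:443 ssl crt /etc/haproxy/certs/     # assumed directory holding the cert(s) for the public domains
    mode http                                  # HTTP mode so the Host header is readable after TLS termination
    default_backend app

backend app
    mode http
    # Re-encrypt to the backend. The outgoing SNI is taken from the client's Host header,
    # with any ":port" suffix stripped so the backend sees a bare hostname.
    # "verify required" makes HAProxy validate the backend certificate against the CA bundle,
    # so the backend hop cannot be silently intercepted.
    server app1 backend.example.com:443 ssl sni req.hdr(host),field(1,:) verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

With this in place an old client that omits SNI still gets HAProxy's default certificate, but the backend now receives a proper SNI and selects the matching certificate itself. The original passthrough idea (mode tcp with `sni req.hdr(host)`) cannot work, as the reply says, because in TCP passthrough the HTTP headers are still inside the encrypted stream and HAProxy never sees them.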