Setting up HAproxy 2.4 with SNI and backend servers using wildcard certificates

Hey all,

I’m struggling with a scenario where I have to set up HAProxy 2.4 with SNI, where our backend IIS servers use wildcard certificates.

For now, I’m able to achieve the desired result by using tcp mode on both frontend and backend configs:

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: proxy
  name: haproxy
data:
  frontend.cfg: |
    global
      log stdout    local0 info
      stats socket /run/haproxy/admin.sock mode 660 level admin
      stats timeout 2m
    defaults
      log     global
      timeout connect 86400000
      timeout client  86400000
      timeout server  86400000

    frontend https
      bind *:4443
      mode tcp
      option tcplog
      tcp-request inspect-delay 5s
      tcp-request content accept if { req_ssl_hello_type 1 }
      acl eg req.ssl_sni -m end .domain.com
      use_backend eg if eg


  eg.cfg: |
    defaults
      timeout connect 86400000
      timeout client  86400000
      timeout server  86400000
    backend eg
      mode tcp
      option tcp-check
      balance roundrobin

      stick-table type ip size 50k expire 10m
      stick on src

      server eg_0 192.168.1.1:443 weight 1 maxconn 100 check verify none
      server eg_1 192.168.1.2:443 weight 1 maxconn 100 check verify none

But the main issue is that our backend web servers require cookies, which is something that we can’t have by using tcp mode.

By any chance, was someone able to configure a similar setup?

Thanks in advance.

Hi,
Since you won’t be able to work on the HTTP request in your setup, you will have to move to mode http, offloading SSL with the SSL certificate on the frontend.
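As an added illustration of the layout the reply describes (not a config from the original thread): the frontend terminates TLS with the wildcard certificate, routes on the Host header instead of the TLS SNI, inserts a persistence cookie, and re-encrypts to the IIS nodes while verifying their certificate. The certificate paths, the internal CA file and the `.domain.com` suffix are assumptions; the PEM file must contain the certificate chain followed by its private key.

```haproxy
global
  log stdout local0 info
  # Assumed: refuse TLS 1.0/1.1 on every bind line
  ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
  log     global
  mode    http
  option  httplog
  option  forwardfor
  timeout connect 5s
  timeout client  60s
  timeout server  60s

frontend https
  # Assumed path: wildcard cert chain + key in one PEM file
  bind *:4443 ssl crt /etc/haproxy/certs/wildcard.domain.com.pem alpn h2,http/1.1
  http-request set-header X-Forwarded-Proto https
  # Routing now happens on the decrypted Host header; field(1,:) drops a :port suffix
  acl eg req.hdr(host),field(1,:),lower -m end .domain.com
  use_backend eg if eg

backend eg
  balance roundrobin
  # HAProxy-managed persistence cookie, only possible in mode http
  cookie SERVERID insert indirect nocache httponly secure
  option httpchk GET /
  http-check expect status 200
  # Re-encrypt to IIS and verify its wildcard cert against the assumed internal CA;
  # sni forwards the client's hostname so the name check on the backend cert succeeds
  server eg_0 192.168.1.1:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni req.hdr(host) cookie eg0 maxconn 100 check
  server eg_1 192.168.1.2:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni req.hdr(host) cookie eg1 maxconn 100 check
```

If the IIS certificates are issued by a public CA rather than an internal one, point `ca-file` at the system CA bundle instead; keeping `verify required` is what prevents a rogue host on the backend network from answering in place of the real servers.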