HAProxy community

SNI and SSL offloading/termination with multiple domains


I fail in setting up haproxy for SNI and SSL offloading/termination with multiple domains. I tried this:

frontend Frontend
    mode    http
    option  httplog
    option  dontlognull
    option  http-keep-alive
    option  forwardfor

	bind ssl alpn h2,http/1.1 crt-list /etc/haproxy/cert.list

	use_backend BE1 if { ssl_fc_sni domain1.com }
	use_backend BE2 if { ssl_fc_sni domain2.com }

backend BE1
	balance source
	stick-table type ip size 50k expire 30m  
	stick on src
	http-reuse safe
	server SERVER1 ssl verify none alpn h2,http/1.1

backend BE2
	balance source
	stick-table type ip size 50k expire 30m  
	stick on src
	http-reuse safe
	server SERVER2 ssl verify none alpn h2,http/1.1

This fails with “SSL handshake failure”. When I only use one domain and only one certificate with “ctr” instead of “crt-list” and one backend, it works.

How to get this working?


HA-Proxy version 2.0.14-1~bpo10+1 2020/04/16 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-kKmitW/haproxy-2.0.14=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1d  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1g  21 Apr 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), 
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :

Available filters :
	[SPOE] spoe
	[COMP] compression
	[CACHE] cache
	[TRACE] trace

Found out a bit more. I’ve set

ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

But when I connect and watch the traffic I get:

TLSv1 is used. When I use Apache as reverse proxy I get:

and a TLS1.3 session gets established.

How to configure haproxy to make this work?

Solution: On Debian haproxy is restricted to 16 MB RAM with -m 16 option. Removing this solved the problem.