SNI works sometimes, sometimes it is broken


#1

We have the following setup:

Client -> haproxy -> multiple servers running nginx (different certs)

Which in some cases works and in some it does not. I was tracing via tcpdump and sometimes the client doesn't send the server name in the hello packet. Testing with Chrome and Firefox.

The config is derived from this example:
(http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/)

# Adjust the timeout to your needs
defaults
    timeout client  30s
    timeout server  30s
    timeout connect 5s

# Single VIP
frontend ft_ssl_vip
    bind 10.0.0.10:443
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
    mode tcp

    acl application_1 req_ssl_sni -i application1.domain.com
    acl application_2 req_ssl_sni -i application2.domain.com

    use-server server1 if application_1
    use-server server2 if application_2
    use-server server3 if !application_1 !application_2

    option ssl-hello-chk
    server server1 10.0.0.11:443 check
    server server2 10.0.0.12:443 check
    server server3 10.0.0.13:443 check

Maybe the example is outdated?

haproxy -v
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau willy@haproxy.org
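A way to check what the proxy's req_ssl_sni fetch would see in a given ClientHello, added here as an example and not part of the original post: this Python parser pulls the server_name extension out of a raw TLS record (the same bytes a tcpdump capture shows), returns None when the extension is absent, and then applies the backend's use-server rules from the config above. The ClientHello bytes are constructed by build_client_hello rather than captured, and the host names are the application1/application2.domain.com ACL values from the config.

```python
import struct

def parse_client_hello_sni(record: bytes):
    """Return the SNI host name from a TLS record that carries a ClientHello,
    or None when the hello has no server_name extension (the case in which
    req_ssl_sni matches nothing and the request falls through to server3)."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                # 1 = ClientHello (req_ssl_hello_type 1)
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                # handshake header, version, random
    pos += 1 + hs[pos]                              # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                              # compression methods
    if pos >= len(hs):
        return None                                 # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        body, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type == 0 and body[2] == 0:          # server_name, name_type host_name
            return body[5:5 + struct.unpack("!H", body[3:5])[0]].decode("ascii")
    return None

def choose_server(record: bytes) -> str:
    """Mirror the backend's use-server rules (req_ssl_sni -i is case-insensitive)."""
    sni = (parse_client_hello_sni(record) or "").lower()
    return {"application1.domain.com": "server1",
            "application2.domain.com": "server2"}.get(sni, "server3")

def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (a test fixture, not a real capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sn_list)) + sn_list   # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00")                          # null compression
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding the first record of a captured connection (the bytes after the TCP header) to parse_client_hello_sni shows directly whether the browser sent a name or whether the hello the proxy inspected had none.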


#2

I’m not sure what you are saying. You concluded that the browsers sometimes don’t send SNI, so the configuration doesn’t work.

What exactly is your question?