HAProxy community

SSL Offloading & SSL Passthrough on same port with SNI

Hi everyone,

I’m desperately looking to solve the following problem, but was not able to find the solution on the internet. I was told by someone it should be possible to resolve, but no further hints have been given. That’s where you HAProxy Pros (hopefully) come into play :wink:

In case you can help me or point me to the right direction, please also let me know which HAProxy version I need to have in place to make it work.

CURRENT SITUATION

  • I only have one public IP address
  • Got multiple backend servers
  • All backend services shall be made publicly available on Port 443
  • Based on the backend’s capabilities, I’m forced to SSL offload or passthrough

DESIRED OUTCOME

  • With the help of SNI, I want to define when an incoming traffic/request is SSL offloaded or SSL passthrough.

EXAMPLE

  • A.website.com Port 443 --> SSL offloading / termination to backend Server A on Port 80
  • B.website.com Port 443 --> SSL offloading / termination to backend Server B on Port 80
  • C.website.com Port 443 --> SSL passthrough to backend Server C on Port 443
  • D.website.com Port 443 --> SSL passthrough to backend Server D on Port 443

If you could provide me with a simple HAProxy config, with some details, that is able to achieve the desired scenario outlined above, I would be very thankful.

Thanks in advance for your support,

Sascha

Hi Sascha,
This is exactly what I do. Here is a guide I wrote a while back.


The haproxy.cfg should help you out.

A note: if any of the backend servers are using TLS, you will need to change the final backend config.

    server server01 10.0.0.10:80 check

would become

    server server01 10.0.0.10:443 check ssl verify none
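The split the question asks for, as an added example written for this thread (not the guide's own haproxy.cfg): the 10.0.0.x addresses, the certificate directory and the backend names are placeholders, and the abns@ loopback socket assumes Linux.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. TCP listener on 443: reads the SNI from the ClientHello, never decrypts
frontend fe_tls_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # passthrough names: the raw TLS stream goes to the backend untouched
    use_backend be_c_passthrough if { req.ssl_sni -i c.website.com }
    use_backend be_d_passthrough if { req.ssl_sni -i d.website.com }
    # everything else is looped into the terminating frontend below
    default_backend be_to_offload

backend be_to_offload
    mode tcp
    server offload abns@tls-offload send-proxy-v2

# 2. Terminating frontend on an abstract socket; PROXY v2 keeps the client IP
frontend fe_tls_offload
    bind abns@tls-offload accept-proxy ssl crt /etc/haproxy/certs/   # placeholder cert dir
    mode http
    acl sni_a ssl_fc_sni -i a.website.com
    acl sni_b ssl_fc_sni -i b.website.com
    # refuse names that no certificate and backend were set up for
    http-request deny unless sni_a || sni_b
    http-request set-header X-Forwarded-Proto https
    use_backend be_a if sni_a
    use_backend be_b if sni_b

backend be_a
    mode http
    server serverA 10.0.0.10:80 check   # placeholder address

backend be_b
    mode http
    server serverB 10.0.0.11:80 check   # placeholder address

# passthrough backends: HAProxy only forwards bytes here, no headers, no HTTP checks
backend be_c_passthrough
    mode tcp
    server serverC 10.0.0.12:443 check   # placeholder address

backend be_d_passthrough
    mode tcp
    server serverD 10.0.0.13:443 check   # placeholder address
```

Servers C and D never see the client address unless they accept the PROXY protocol (then add send-proxy to their server lines). If a backend reached through the offloading path speaks TLS itself, the `ssl verify none` form shown in the answer skips certificate validation; `ssl verify required ca-file <ca.pem>` validates it.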