Is it possible to have SSL termination and also be able to do SNI detection.
I have seen this post that checks for SNI, redirects based on the requested URL and sends anyone whose browser doesn't have SNI enabled to a default server that says upgrade your browser.
Is there such a config that can be used with SSL termination?
Thanks
Simon
You can access SNI whether you are terminating SSL (use ssl_fc_sni) or not (use req.ssl_sni).
You can do everything you want with this variable, including content-switch and server specific content.
You only have to understand that you will have to present a default certificate to the browsers, which will probably fail the certificate checks (as there is no way for the server/haproxy to know which host the browser is trying to connect to).
Thanks,
If we are presenting a wildcard cert then the cert checks would work?
That depends on whether it covers what the users typed into the browser. If it matches the wildcard, it's fine. If it doesn't, he will see the mismatch warning.
Thanks, so I have the config working with [ssl_fc_sni], which works fine with backend servers that are set to use port 80.
However, once I put the backend servers on SSL, HAProxy shows the backend servers are up, but I am getting no data sent to browsers.
Any ideas?
Config is:
#SSL Termination Testing
frontend STAR_DOT_HTTP
    bind x.x.x.141:80
    mode http
    redirect scheme https if !{ ssl_fc }

frontend STAR_DOT_HTTPS
    bind x.x.x.141:443 ssl crt /etc/haproxy/certs/full.pem
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend test1-backend if { ssl_fc_sni -i test1.test.com }
    use_backend test2-backend if { ssl_fc_sni -i test2.test.com }
    default_backend nomtach-backend

#Test1
backend test1-backend
    mode tcp
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    server SRVWEBFRM1 x.x.x.87:443 check check-ssl verify none
    server SRVWEBFRM2 x.x.x.89:443 check check-ssl verify none

#Test2
backend test2-backend
    mode tcp
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    server SRVWEBFRM3 x.x.x.90:443 check check-ssl verify none
    server SRVWEBFRM4 x.x.x.91:443 check check-ssl verify none
Regarding certificates: the bind line accepts a directory for ssl crt; haproxy will then pick the certificate that matches the SNI the client provided. So you can put all the certificates you have (e.g. multiple wildcards, even mixed with non-wildcard certs) in that directory and haproxy will take care of the rest.
Only in cases where the client does NOT send an SNI extension will haproxy fall back to a default certificate, and thus a certificate error can occur.
Regarding your issue: your backend server definitions lack ssl; currently haproxy is trying to talk raw HTTP to your backends, just on port 443. Check with: server SRVWEBFRM3 x.x.x.90:443 ssl check check-ssl verify none
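The points made in the two answers above, pulled together into one complete configuration as an added example (this is not Simon's config nor anything from the HAProxy project; the addresses, hostnames, file paths, backend names and CA file are assumptions for illustration). It shows the crt directory with the default-certificate caveat for non-SNI clients, SNI-based backend selection with ssl_fc_sni, and the ssl keyword on the server lines so HAProxy re-encrypts towards the web farm. The first backend keeps the thread's verify none, which makes the re-encrypted hop accept any certificate; the second backend shows the hardened form that pins the backend to an internal CA and sends SNI on both traffic and health checks. The req_ssl_hello_type gate from the original config is dropped: once HAProxy terminates TLS on the bind line it has consumed the ClientHello itself, and the request buffer seen by tcp-request content rules holds the decrypted application data.

```haproxy
# Added example, not the poster's configuration. Addresses, hostnames,
# certificate and CA paths, and backend names are assumptions.

global
    # Assumed baseline; adjust to the OpenSSL build on the host.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend STAR_DOT_HTTP
    bind x.x.x.141:80
    mode http
    # ssl_fc can never be true on a plain-text listener, so no condition is needed.
    http-request redirect scheme https code 301

frontend STAR_DOT_HTTPS
    # A directory loads every certificate in it and HAProxy selects the one
    # matching the client's SNI. Clients that send no SNI get the default
    # certificate (the first one loaded, alphabetically) and will most likely
    # see a name-mismatch warning; adding "strict-sni" to this line would
    # instead abort the handshake for those clients.
    bind x.x.x.141:443 ssl crt /etc/haproxy/certs/
    mode tcp
    # ssl_fc_sni is populated once the handshake completes, so no
    # req_ssl_hello_type gate is required after termination.
    use_backend test1-backend if { ssl_fc_sni -i test1.test.com }
    use_backend test2-backend if { ssl_fc_sni -i test2.test.com }
    default_backend nomatch-backend

backend test1-backend
    mode tcp
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    # WEAK (as in the thread): "ssl" makes HAProxy speak TLS to the servers,
    # but "verify none" accepts any certificate, so anything on the path
    # between HAProxy and the farm could impersonate the web servers.
    server SRVWEBFRM1 x.x.x.87:443 ssl verify none check check-ssl
    server SRVWEBFRM2 x.x.x.89:443 ssl verify none check check-ssl

backend test2-backend
    mode tcp
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    # HARDENED: verify the server certificate against the assumed internal CA,
    # send the expected name as SNI (HAProxy then also checks the certificate
    # name against it), and do the same on health checks with check-sni.
    server SRVWEBFRM3 x.x.x.90:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem sni str(test2.test.com) check check-ssl check-sni test2.test.com
    server SRVWEBFRM4 x.x.x.91:443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem sni str(test2.test.com) check check-ssl check-sni test2.test.com

backend nomatch-backend
    mode tcp
    # Assumed plain-HTTP host serving the "upgrade your browser" page for
    # clients whose SNI matched nothing (or who sent none).
    server UPGRADE x.x.x.99:80
```

To confirm which certificate and backend a given name gets, connect with and without SNI (for example openssl s_client -connect x.x.x.141:443 -servername test1.test.com, then the same command without -servername) and compare the subject of the certificate presented; the run without -servername shows exactly what a non-SNI browser would see.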