SSL termination and SNI

simonuk1 · December 27, 2018, 4:28pm

Is it possible to have SSL termination and also be able to do SNI detection.

I have seen this post that checks for SNI , redirect based on the requested URL and sends anyone that doesnt have SNI enabled brwosers to a default server that says upgrade your browser.

Is there such a config that can be used the SSL termination ?

Thanks

Simon

lukastribus · December 27, 2018, 4:39pm

You can access SNI whether you are terminating SSL (use ssl_fc_sni) or not (use req.ssl_sni).

You can do everything you want with this variable, including content-switch and server specific content.

You only have to understand that you will have to present a default certificate to the browsers, which will probably fail the certificate checks (as there is no way for the server/haproxy to know which host the browser is trying to connect to).

simonuk1 · December 27, 2018, 4:47pm

Thanks,

If we are presenting a wildcard cert then the cert checks would work?

lukastribus · December 27, 2018, 5:06pm

That depends if it covers what the users typed into the browser. If it matches the wildcard, it’s fine. If it doesn’t, he will see the mismatch warning.

simonuk1 · January 1, 2019, 5:50pm

Thanks, so I have the config working with [ssl_fc_sni] which works fine with backend servers that are set to use port 80.

However once I put the backend servers to SSL, Haproxy shows the backend servers are up, but I am getting no data sent in browsers.

Any Ideas ?

simonuk1 · January 1, 2019, 6:18pm

Config is

#SSL Termination Testing

  

frontend  STAR_DOT_HTTP

          bind x.x.x.141:80

          mode http

          redirect scheme https if !{ ssl_fc }

  

frontend STAR_DOT_HTTPS

       bind x.x.x.141:443 ssl crt /etc/haproxy/certs/full.pem

       mode tcp

 

        tcp-request inspect-delay 5s

        tcp-request content accept if { req_ssl_hello_type 1 }

 

        use_backend test1-backend if { ssl_fc_sni -i [test1.test.com](http://test1.test.com) }

        use_backend test2-backend if { ssl_fc_sni -i [test2.test.com](http://test2.test.com) }

        default_backend nomtach-backend

 

#Test1

backend    test1-backend

           mode tcp

           balance roundrobin

           option httpchk GET /Static/Online.html HTTP/1.0

           server SRVWEBFRM1 x.x.x.87:443 check check-ssl verify none

           server SRVWEBFRM2 x.x.x.89:443 check check-ssl verify none

 

#Test2

backend    test2-backend

           mode tcp

           balance roundrobin

           option httpchk GET /Static/Online.html HTTP/1.0

           server SRVWEBFRM3 x.x.x.90:443 check check-ssl verify none

           server SRVWEBFRM4 x.x.x.91:443 check check-ssl verify none

ularnis · January 2, 2019, 1:39pm

regarding certificates: The bind line accepts a directory for ssl crt, haproxy will then pick the certificate that is matching to the SNI the client provided. So you can stuff all certificates you have (e.g. multiple wildcards, even mixed with non wildcard certs) in that directory and haproxy will take care of the rest.
Only in cases where the client does NOT send an SNI extension haproxy will fall back to a default certificate and thus a certificate error can occur.

regarding your issue: your backend server definitions lack ssl, currently haproxy is trying to talk raw http to your backends just on port 443. Check with server SRVWEBFRM3 x.x.x.90:443 ssl check check-ssl verify none

Topic		Replies	Views
REQ_SSL_SNI and SSL termination Help!	2	9259	March 19, 2018
Mixing mode tcp and http - SSL termination and Passthrough Help!	17	33402	December 7, 2023
TCP frontend verify SNI, then redirect HTTP and HTTPS traffic Help!	0	299	December 5, 2023
Identify Request Domain Help!	5	651	March 6, 2018
SNI 503 error when using port 443 on backend Help!	12	7189	December 6, 2017

SSL termination and SNI

Related Topics