HAProxy community

SSL termination and SNI


#1

Is it possible to have SSL termination and also be able to do SNI detection?

I have seen this post that checks for SNI, redirects based on the requested URL and sends anyone that doesn't have SNI-enabled browsers to a default server that says upgrade your browser.

Is there such a config that can be used with SSL termination?

Thanks

Simon


#2

You can access SNI whether you are terminating SSL (use ssl_fc_sni) or not (use req.ssl_sni).

You can do everything you want with this variable, including content-switch and server specific content.

You only have to understand that you will have to present a default certificate to the browsers, which will probably fail the certificate checks (as there is no way for the server/haproxy to know which host the browser is trying to connect to).


#3

Thanks,

If we are presenting a wildcard cert then the cert checks would work?


#4

That depends if it covers what the users typed into the browser. If it matches the wildcard, it’s fine. If it doesn’t, he will see the mismatch warning.


#5

Thanks, so I have the config working with [ssl_fc_sni], which works fine with backend servers that are set to use port 80.

However, once I put the backend servers to SSL, HAProxy shows the backend servers are up, but I am getting no data sent in browsers.

Any ideas?


#6

Config is:

#SSL Termination Testing

frontend STAR_DOT_HTTP
    bind x.x.x.141:80
    mode http
    redirect scheme https if !{ ssl_fc }

frontend STAR_DOT_HTTPS
    bind x.x.x.141:443 ssl crt /etc/haproxy/certs/full.pem
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend test1-backend if { ssl_fc_sni -i test1.test.com }
    use_backend test2-backend if { ssl_fc_sni -i test2.test.com }
    default_backend nomtach-backend

#Test1
backend test1-backend
    mode tcp
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    server SRVWEBFRM1 x.x.x.87:443 check check-ssl verify none
    server SRVWEBFRM2 x.x.x.89:443 check check-ssl verify none

#Test2
backend test2-backend
    mode tcp
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    server SRVWEBFRM3 x.x.x.90:443 check check-ssl verify none
    server SRVWEBFRM4 x.x.x.91:443 check check-ssl verify none

#7

Regarding certificates: the bind line accepts a directory for ssl crt; haproxy will then pick the certificate that matches the SNI the client provided. So you can put all the certificates you have (e.g. multiple wildcards, even mixed with non-wildcard certs) in that directory and haproxy will take care of the rest.
Only in cases where the client does NOT send an SNI extension will haproxy fall back to a default certificate, and thus a certificate error can occur.

Regarding your issue: your backend server definitions lack ssl; currently haproxy is trying to talk raw http to your backends just on port 443. Check with server SRVWEBFRM3 x.x.x.90:443 ssl check check-ssl verify none
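The following configuration is an added example, not the thread poster's config or anything from the HAProxy project itself. It puts the two points of posts #2 and #7 side by side in one file: a terminating frontend that routes on ssl_fc_sni with a certificate directory, re-encrypting to the servers with the ssl keyword that was missing in the posted config, and a separate passthrough frontend on another port that routes on req.ssl_sni from the ClientHello. The 192.0.2.x addresses, the hostnames, the /etc/haproxy/certs/ directory and the CA file path are placeholders; the terminated side uses mode http because once the connection is decrypted the tcp-request inspection of the raw ClientHello is no longer needed.

```haproxy
# Added example (not the poster's config). Addresses, hostnames and paths are placeholders.

global
    log stdout format raw local0
    # Refuse legacy protocol versions on every ssl bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Terminated TLS: ssl_fc_sni is the SNI haproxy itself negotiated ---
frontend https-terminated
    mode http
    # A directory instead of a file: haproxy loads every certificate in it and
    # serves the one whose names match the client's SNI. A client that sends no
    # SNI gets the default (first loaded) certificate and may see a name warning.
    bind :443 ssl crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    use_backend test1-backend if { ssl_fc_sni -i test1.test.com }
    use_backend test2-backend if { ssl_fc_sni -i test2.test.com }
    default_backend nomatch-backend

backend test1-backend
    mode http
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    # "ssl" re-encrypts toward the server (the keyword post #7 found missing);
    # "verify required" with a CA file validates the server certificate instead
    # of "verify none"; "sni" sends the expected name so the server can match it.
    server SRVWEBFRM1 192.0.2.87:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem sni str(test1.test.com) check check-ssl
    server SRVWEBFRM2 192.0.2.89:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem sni str(test1.test.com) check check-ssl

backend test2-backend
    mode http
    balance roundrobin
    option httpchk GET /Static/Online.html HTTP/1.0
    server SRVWEBFRM3 192.0.2.90:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem sni str(test2.test.com) check check-ssl
    server SRVWEBFRM4 192.0.2.91:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem sni str(test2.test.com) check check-ssl

backend nomatch-backend
    mode http
    # Unknown or missing SNI: refuse rather than serve another site's content
    http-request deny

# --- Passthrough TLS: no termination, only req.ssl_sni from the ClientHello ---
frontend tls-passthrough
    mode tcp
    bind :8443
    # Buffer the connection (up to 5s) until the ClientHello has arrived
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend passthrough-test1 if { req.ssl_sni -i test1.test.com }
    default_backend passthrough-reject

backend passthrough-test1
    mode tcp
    # The server terminates TLS itself and presents its own certificate
    server SRVWEBFRM1 192.0.2.87:443 check

backend passthrough-reject
    mode tcp
    # No matching SNI: close the connection; no plaintext error page is possible here
    tcp-request content reject
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The design point on the terminated side is that `ssl` alone only re-encrypts the hop; with `verify none` haproxy would accept any certificate the backend presents, so a CA file and `verify required` are what actually tie the connection to the intended server. On the passthrough side haproxy never sees the certificate at all, which is why the mismatch warning discussed in posts #2 and #4 cannot arise there but also why no HTTP-level routing or header injection is available.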