TLS frontend + backend; host-header proxying?

I’m doing TLS termination on a frontend, and using the host-header with a domain map to forward to a backend pool of servers. The servers on the backend have names like worker1.myapp.company.net, but the host header is something like www.myapp.com.

I’ve verified that it is using the correct backend when requests go to www.myapp.com, and TLS serves correctly.

The issue is that requests to the backend worker servers are using the SNI and/or host header for worker1.myapp.company.net, instead of www.myapp.com, which is what the worker servers expect. I ran Wireshark on the backend server and was able to see this SNI value, too.

Is there a way to change both requests and health checks on the backend so that they use the SNI and Host Header values that came to the frontend in the first place? There will be dozens of domains going through this front-end and back-end, so I can’t hardcode domain values either.

Ah, of course I figured it out now. Had to add sni req.hdr(host) to each backend server. Config looks like this:

global
    ca-base /etc/ssl/certs

frontend HTTPS-Frontend-DefaultHTTPS
    bind x.x.x.x:443 ssl crt /etc/ssl/chained
    mode http
    # choose the backend from the client's Host header (lowercased) via a domain map
    use_backend %[req.hdr(host),lower,map_dom(/etc/haprox/domain-backend.map)]

backend MyApp-Servers
    mode http
    balance roundrobin
    option forwardfor
    # sni req.hdr(host): send the client's Host header as the SNI to each worker
    server worker01 worker01.prod.myapp.apps.company.net:443 ssl verify required ca-file ca-certificates.crt sni req.hdr(host)
    server worker02 worker02.prod.myapp.apps.company.net:443 ssl verify required ca-file ca-certificates.crt sni req.hdr(host)

1 Like
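The map_dom lookup in the use_backend line above decides which backend a Host header reaches, so it is worth checking exactly which host values each map entry admits. The following Python model of HAProxy's "dom" matching is an added example (not the poster's config or HAProxy's code; the map contents are constructed) and shows that an entry like myapp.com is a dot-delimited word match, not a suffix match, so it also matches hosts that merely contain that domain between delimiters.

```python
# Model of the map_dom lookup behind "use_backend %[req.hdr(host),lower,map_dom(...)]".
# Added example, not HAProxy's or the poster's code; the map content below is constructed.

# Constructed stand-in for the domain-backend map file: "<pattern> <backend>" per line.
# The config feeds the Host header through "lower", so patterns are written lowercase.
MAP_FILE = """\
# domain        backend
myapp.com       MyApp-Servers
other.example   Other-Servers
"""

# Characters HAProxy's "dom" matcher treats as word boundaries.
DELIMS = set("/?.:")


def parse_map(text):
    """Return (pattern, backend) pairs in file order; first match wins, as in HAProxy."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, backend = line.split(None, 1)
        # HAProxy strips delimiters from both ends of the pattern before matching.
        entries.append((pattern.strip("/?.:"), backend.strip()))
    return entries


def dom_match(pattern, value):
    """True if pattern occurs in value as a whole word bounded by DELIMS or by the
    string ends. This is not a suffix match: 'myapp.com' also matches
    'myapp.com.example.net' and 'myapp.com:8443', but not 'myapp.community'."""
    if not pattern:
        return True
    n = len(pattern)
    for i in range(len(value) - n + 1):
        if i > 0 and value[i - 1] not in DELIMS:
            continue  # pattern must start at a word boundary
        if value[i:i + n] == pattern and (i + n == len(value) or value[i + n] in DELIMS):
            return True
    return False


def select_backend(host, map_text=MAP_FILE):
    """Mirror of req.hdr(host),lower,map_dom(file); None means no entry matched."""
    host = host.lower()
    for pattern, backend in parse_map(map_text):
        if dom_match(pattern, host):
            return backend
    return None
```

Because the forwarded Host also becomes the backend SNI, and HAProxy checks the server certificate against that SNI when verify required is set without verifyhost, the backend connection fails for any forwarded Host value a worker's certificate does not cover; each worker certificate therefore has to list every domain the map routes to it.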