TLS frontend + backend; host-header proxying?

alexr92 · December 5, 2019, 5:50pm

Ah, of course I figured it out now. Had to add sni req.hdr(host) to each backend server. Config looks like this:

global
…
ca-base /etc/ssl/certs
…

frontend HTTPS-Frontend-DefaultHTTPS
bind x.x.x.x:443 ssl crt /etc/ssl/chained
mode http
use_backend %[req.hdr(host),lower,map_dom(/etc/haprox/domain-backend.map)]

backend MyApp-Servers
mode http
balance roundrobin
option forwardfor
server worker01 worker01.prod.myapp.apps.company.net:443 ssl verify required ca-file ca-certificates.crt sni req.hdr(host)
server worker02 worker02.prod.myapp.apps.company.net:443 ssl verify required ca-file ca-certificates.crt sni req.hdr(host)

Topic		Replies	Views
Set SNI Haproxy Passthrough Help!	1	1142	October 1, 2018
Use mapping for req.ssl_sni instead of req.hdr(host)? Help!	3	9098	December 21, 2023
TSL termination on HAProxy and backend running on a virtual host Help!	1	507	November 28, 2019
Set SNI based on the Host header on the outgoing TLS connections Help!	6	2493	August 7, 2023
Proxy-pass SNI header to backend servers by default Help!	0	258	March 28, 2023

TLS frontend + backend; host-header proxying?

Related topics