HAProxy community

TSL termination on HAProxy and backend running on a virtual host

I have HA-Proxy version 1.5.18 2016/05/10
which does TSL termination and then proxies uncrypted configuration to a backend which is an Apache web server.

Everything worked fine unless I tried to use virtual host on Apache side. In setting of virtual host I have set different DocumentRoot than is default, it is /var/www/html/subdirectory.

When I try to ask my browser for url backendserver.com (it is just example of course), I am always proxied to the right backend server, but Apache provides me content of default DocumentRoot /var/www/html.

I would say that the problem is somewhere related to SNI. Apache don’t get the SNI and due to that uses default configuration instead configuration of virtual host. But I am not sure why.

I know that I do TSL termination on HAProxy side. And SNI is an part of SSL handshake, Does it mean that I have to add some header contains SNI into my request?

My backend configuration:

backend backend_server
  mode http
  balance roundrobin
  option httpchk HEAD /subdirectory/
  http-request add-header X-Forwarded-For %[src]
  server backendserver backendserver.com:443 check rise 60s inter 1000 ssl verify none 

Thanks a lot for any advice in advance.

Configure Apache to use the Host header, not SNI. SNI is per connection, Host is per transaction and only the latter will guarantee that you hit the correct virtual host in all situations.

That said, you can configure SNI at haproxy however you want. It will change the problems you are seeing, but wont solve them.

Use the host header.