Using SSL Termination AND Passthrough AND Bridging based on URL


#1

Hello All. I am quite new to using HAProxy, and have been directed to do something that I can’t find any examples of in my Google searches.

We will be hosting many different sites, and would like to be able to provide SSL termination, Passthrough, and Bridging/Re-encryption based on the URL.

I have a working config that is performing SSL Termination, and I believe it is also doing Bridging/Re-encryption. Is it possible to also add Passthrough? I found a sample using a domain mapping file that is referred to for checking the request and mapping it to a backend, and this works quite well.

I guess I just need to know if it is possible to support all 3 modes on one haproxy server.

Here is my haproxy.cfg if it may be helpful. (We are in a testing mode right now - so I can make any changes needed.)
http://pastebin.com/kfUf32b4


#2

TLS termination and passthrough are mutually exclusive, once you have terminated TLS you can turn back in time and pass the TLS session through instead.

If you want to take any decisions based on the URL, you have to terminate TLS first, because otherwise you cannot see the URL. This excludes any TLS passthrough.

I suggest you elaborate your use-case, maybe I just misunderstood your requirement?


#3

I figured it out. You first have to try checking for passthrough, using SNI. If nothing matches with the SNI info, it goes to a backend that redirects to an alternate frontend bound to a different port with certs, and will then perform SSL termination.
I also have 2 files for mapping domains, to make it easier to add new servers without messing with the config file too much, based on this link: http://blog.haproxy.com/2015/01/26/web-application-name-to-backend-mapping-in-haproxy/

Anyway - here is my config that seems to work right now:
http://pastebin.com/pkRsp9cc
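As an added illustration of the approach described in #3 (and of the constraint raised in #2, that URL-based routing needs termination while SNI can be read beforehand), here is a constructed HAProxy configuration showing all three modes on one server. It is not the poster's config from the pastebin links; the backend names, addresses, ports, certificate paths and map file contents are assumed values chosen for the example.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Constructed sample map files (key  value, one pair per line):
#
# /etc/haproxy/sni2backend.map     -- SNI names that must be passed through untouched
#   app1.example.com   be_passthrough_app1
#
# /etc/haproxy/domain2backend.map  -- Host headers routed after termination
#   app2.example.com   be_plain_app2
#   app3.example.com   be_bridge_app3

# Layer 4 entry point. No certificate is bound here, so nothing is terminated yet;
# only the ClientHello (and therefore the SNI extension) is inspected.
frontend tls_router
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection until a TLS ClientHello arrives (up to 5s), then decide.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough: if the SNI name is in the map, hand the raw TLS stream to that backend.
    # When the lookup yields no existing backend the rule is skipped and we fall through.
    use_backend %[req.ssl_sni,lower,map(/etc/haproxy/sni2backend.map)]
    # Everything else goes to the terminating frontend on a second, local port.
    default_backend to_terminator

backend to_terminator
    mode tcp
    # PROXY protocol preserves the real client address across the internal hop.
    server terminator 127.0.0.1:8443 send-proxy-v2

# Layer 7 frontend: TLS is terminated here, so Host/URL-based rules become possible.
frontend https_terminator
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/ accept-proxy
    mode http
    option httplog
    http-request set-header X-Forwarded-Proto https
    # Route on the Host header; unknown hosts land on be_default.
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/domain2backend.map,be_default)]

# Mode 1 - passthrough: TCP mode, HAProxy never sees plaintext and cannot log URLs.
backend be_passthrough_app1
    mode tcp
    server app1 10.0.0.11:443

# Mode 2 - termination: plaintext from HAProxy to the origin.
backend be_plain_app2
    mode http
    server app2 10.0.0.12:80

# Mode 3 - bridging / re-encryption: inspected in the clear, then re-encrypted to the
# origin with the origin certificate verified against the system CA bundle.
backend be_bridge_app3
    mode http
    server app3 10.0.0.13:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(app3.example.com)

backend be_default
    mode http
    http-request deny deny_status 421
```

The ordering matters: the passthrough decision has to be taken in the TCP frontend because SNI is the only name visible before termination, while the Host-header map can only be consulted once the session has been decrypted on the second frontend. Two points worth checking before relying on this: clients that send no SNI (or whose ClientHello does not arrive within the inspect delay) will always fall through to the terminating frontend, and a bridged backend should keep `verify required` with a CA file rather than `verify none`, otherwise re-encryption protects the wire but not against a spoofed origin.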


#4

Sorry for the late reply. Would you mind sharing your maps as well?
domain2backend.map
sni2backend.map