What's required on frontends for `switch-mode http`?

TLDR; is it tcp or http?

…or read more.

I have an HAProxy config more or less like this:

```
# fe    /        bind        TLS - fe type/mode/use      [default] be / server
port25  /    [::]:25  v4v6     ✕ - tcp/listen                      mx / {smtp-gateway}:25
port80  /    [::]:80  v4v6     ✕ - http                      redir443 / {http-request redirect scheme https code 302}
port443 /    [::]:443 v4v6     ✕ - tcp/SNI off-ramp  mainfelooparound / {server main /socket send-proxy-v2-ssl-cn}
main    / /socket accept-proxy ✓ - https                     redir303 / {http-request redirect location … code 303}
```

I have two frontends for TLS connections because some are SNIed, some offloaded, and I don’t remember the reason, but I couldn’t make it work. Well, I did, but there was something I couldn’t do; I don’t remember what it was. I believe it was related to SNI connections.

Anyway, I made peace with that but now I’d like to try again but this time where it’s safer; I have a remote gateway where I’d like to set a store-and-forward SMTP server, and then have it delivered over port 80, so I can close down port 25.

I think it’s doable with switch-mode http. I revisited my HAProxy config archive (that’s pretentious-speak for config dump–they’re not even named consistently), but on those where I tried merging SNI and HTTPS the frontend is http, not tcp. I do remember something about it but um, let’s just say I have “conflicting recollection of ish”, if that makes sense.

What’s a frontend supposed to be when `switch-mode http` is in it? Another thing I remember is that I had to edit my defaults sections quite a bit because they couldn’t be used in one mode, and it was really confusing to know which, even when it tells you which line it is.

If you have any advice on this, I’d really appreciate it so I can avoid the stress of last time. Though it was kind of worth it when the proxy started, or it was until I discovered that thing that I can’t remember. Maybe you can remember for me, in a manner of speaking (what are the caveats?)

A million…

Thanks!

“switch-mode http” is used to upgrade a regular tcp connection to an HTTP oriented one, thus it is expected to be used on tcp backends (with “mode tcp” set). It doesn’t make sense to upgrade an HTTP connection from a backend with “mode http” set, since it is already HTTP oriented.
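
A configuration sketch of the upgrade discussed above, added here as an example and not taken from either poster's setup: the listener stays in `mode tcp`, connections whose first bytes parse as HTTP are upgraded with `tcp-request content switch-mode http` (HAProxy 2.4 or later), and everything else stays TCP. The proxy names reuse the table in the question; the timeouts and the 192.0.2.25 server address are assumptions.

```haproxy
# Added example. Timeouts and the server address are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend port80
    mode tcp                          # the frontend itself is TCP
    bind [::]:80 v4v6

    # Buffer client bytes for up to 5s so the HTTP ACL has data to judge.
    # SMTP clients wait for the server banner before sending anything,
    # so they sit through this whole delay before being routed.
    tcp-request inspect-delay 5s

    # Upgrade only connections whose first bytes parse as an HTTP request.
    # tcp-request content rules after this one are not evaluated once
    # the upgrade has happened.
    tcp-request content switch-mode http if HTTP

    # An upgraded connection must be routed to an HTTP-mode backend;
    # sending it to a TCP server is unsupported.
    use_backend redir443 if HTTP

    # Anything that was not upgraded stays plain TCP.
    default_backend mx

backend redir443
    mode http
    http-request redirect scheme https code 302

backend mx
    mode tcp
    server smtp-gateway 192.0.2.25:25   # placeholder address
```

Validate the file with `haproxy -c -f <file>` before reloading; a `defaults` section that sets `mode http` or HTTP-only options would apply to the TCP proxies as well, so keep mode-specific settings in the proxies themselves.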