
I would like to set up HAProxy to either terminate SSL or pass the connection through, depending on the hostname, while exposing only one public IP address. For example:

Internet -> domain web1.example.com (10.10.10.1) HAproxy SSL termination -> Backend (10.10.10.10)

Internet -> domain web2.example.com (10.10.10.1) HAproxy Pass through -> Backend (10.10.10.20)

I would like to have it like that to allow the possibility of mTLS for web2.example.com.

Is it possible using only one public IP?

Thanks.

pa bloo

1 Answer


Try something like this. Be careful, I did not check it =)

# Timeouts are required; HAProxy warns about every proxy that lacks them
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend front_tcp
    bind *:443
    mode tcp

    # Wait (up to 5s) for the complete TLS ClientHello before routing;
    # without this, req_ssl_sni is evaluated on an empty buffer and never matches
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # SNI is sent in cleartext in the ClientHello, so it can be routed on without decrypting
    acl host_web2 req_ssl_sni -i web2.example.com
    use_backend back_web2 if host_web2

    # Everything else is looped back into the local TLS-terminating frontend
    default_backend back_tcp_to_http

backend back_tcp_to_http
    mode tcp
    server haproxy-http 127.0.0.1:8443

frontend front_http
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/ssl/mycert.pem

    acl host_web1 hdr(host) -i web1.example.com
    use_backend back_web1 if host_web1

backend back_web1
    mode http
    server web1 10.10.10.10:80

# Pure TCP passthrough: the TLS session (and any client-certificate check) ends on the backend
backend back_web2
    mode tcp
    server web2 10.10.10.20:443
Vadim
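As an added illustration (not part of the answer above), this Python script shows what the `req_ssl_sni` fetch inspects: it constructs a minimal TLS ClientHello, parses the cleartext server_name extension out of it, and mirrors the front_tcp routing decision. It also returns the default terminating path when only part of the hello has arrived, which is why HAProxy needs a `tcp-request inspect-delay` before that ACL can be trusted. The backend names follow the answer; the ClientHello bytes and the routing table are constructed here.

```python
import struct
from typing import Optional

# Constructed routing table mirroring the answer's front_tcp rules.
PASSTHROUGH = {"web2.example.com": "back_web2"}   # TLS stays encrypted end to end (mTLS possible)
TERMINATE = "back_tcp_to_http"                     # looped into the local TLS-terminating frontend

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying a server_name extension."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type host_name(0)
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record header: handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host from a ClientHello record, or None if absent or incomplete."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    if len(record) < 5 + struct.unpack("!H", record[3:5])[0]:
        return None                          # partial hello: the SNI is not visible yet
    p = 9 + 2 + 32                           # skip handshake header, version, random
    p += 1 + record[p]                       # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                       # compression_methods
    if p + 2 > len(record):
        return None                          # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5:         # server_name: list_len(2) type(1) name_len(2) name
            n = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + n].decode("ascii", "replace")
        p += elen
    return None

def choose_backend(record: bytes) -> str:
    """Mirror front_tcp: a matching SNI goes to passthrough, anything else (or no SNI) terminates locally."""
    sni = extract_sni(record)
    return PASSTHROUGH.get(sni.lower(), TERMINATE) if sni else TERMINATE
```

Because the SNI is unauthenticated client input, the passthrough backend must still validate the client itself; the proxy only decides where the bytes go.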