
HAProxy v.1.5.18, 1.7.11, listening on a single IP address with a wildcard SSL certificate; I need to specify several backends with SNI lookup. There's a ton of config files that all say req_ssl_sni -i hostname.example.com as the ACL to use when redirecting to a certain backend. My best attempt was querying req_ssl_sni -m found and finding out that SNI is inaccessible in the frontend. How do I make SNI lookup work with a single HTTPS certificate?

The required haproxy.cfg is the following:

frontend https
    bind *:443 ssl interface eth1 crt /etc/haproxy/allstar.company.com.pem
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl to_webcam req.ssl_sni -i webcam.company.com
    acl to_jira req.ssl_sni -i jira.company.com
    use_backend webcam if to_webcam
    use_backend jira if to_jira
    default_backend no_sni

backend webcam
    acl webcam_auth (hidden)
    http-request auth realm webcam if !webcam_auth
    server ws01 10.x.x.x:8080

backend no_sni
    acl webcam_auth2 (hidden)
    http-request auth realm webcam-no-sni if !webcam_auth2
    server ws01 10.x.x.x:8080

backend drop403
    http-request deny

backend jira
    server jira-test 10.x.x.y:8080

Global and defaults are unaltered. With this config the only backend I'm hitting is no_sni, which asks for HTTP auth. WTF?!

Vesper

1 Answer


Just in case someone stumbles on this. This site said literally: "All you need to do to enable SNI is to give HAProxy multiple SSL certificates". Thus, in order to have SNI headers enabled in the frontend, one needs to have several PEM files with different certificates. Here we have a single PEM file with a wildcard certificate, so SNI ends up disabled in haproxy. Therefore, the filtering and ACL redirection should be done via hdr(host) ACLs, as if your backend were plain HTTP.

acl to_webcam hdr(host) -i webcam.company.com
acl to_jira hdr(host) -i jira.company.com
use_backend webcam if to_webcam
use_backend jira if to_jira
Vesper
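A complete frontend/backend configuration in the shape the answer describes, added here as an example and not taken from the question or the answer above. It routes on the Host header of the decrypted request and, unlike the original config, sends anything that matches no known hostname to the denying drop403 backend instead of a fallback application that prompts for credentials. Hostnames, backend names, the certificate path and the server addresses are placeholders; mode http is written out explicitly rather than assumed from the defaults section. One additional fact worth knowing when the bind line itself carries ssl: HAProxy terminates TLS there, and the SNI the client actually negotiated is exposed by the ssl_fc_sni fetch, whereas req.ssl_sni inspects the raw ClientHello and only applies to a non-ssl bind in TCP mode. The ssl_fc_sni form is shown as a commented alternative.

```haproxy
# Added example (not the original poster's config): host-based routing behind
# a single wildcard certificate, with every unmatched host denied.
# All hostnames, paths and addresses below are placeholders.
frontend https
    bind *:443 ssl crt /etc/haproxy/allstar.company.com.pem
    mode http
    # Host header of the decrypted request; exact, case-insensitive match
    acl to_webcam hdr(host) -i webcam.company.com
    acl to_jira   hdr(host) -i jira.company.com
    # Alternative on a TLS-terminating bind: match the negotiated SNI itself
    # acl to_webcam ssl_fc_sni -i webcam.company.com
    # acl to_jira   ssl_fc_sni -i jira.company.com
    use_backend webcam if to_webcam
    use_backend jira   if to_jira
    # Bare IP, unknown name or no Host at all: refuse instead of serving an app
    default_backend drop403

backend webcam
    mode http
    server ws01 10.0.0.10:8080      # placeholder address

backend jira
    mode http
    server jira-test 10.0.0.11:8080 # placeholder address

backend drop403
    mode http
    http-request deny
```

The decision to deny by default is the security-relevant change: with the original default_backend no_sni, a request carrying an unexpected or missing Host header still reached the webcam server (behind a second auth realm), so the exposed surface was the same application under a different name. With drop403 as the default, a request has to name a known host to reach anything, and the per-backend http-request auth lines from the question can be added back to the webcam backend unchanged.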