Hi there,

I currently explore the possibilities of HAProxy. This thing can do a lot :)

Now I’ve reached a point where I do not know what to do next. I’ve compiled 
HAProxy from sources with version 1.7-dev6 (See -vv below). 

The goal is to accomplish SSL/TLS bridging with some extensions as described 
here 
https://www.haproxy.com/doc/aloha/7.0/deployment_guides/tls_layouts.html#ssl-tls-bridging-or-re-encryption
The traffic between Client and HAProxy should be H2 or HTTPS/1.1, the traffic 
between HAProxy and Server can only be HTTPS/1.1 (thank you, legacy 
application!), and I need to use SNI.

My configuration so far:
# Frontend: terminates TLS for the client, then picks the backend from the
# SNI name the client sent (lower-cased, matched as a domain suffix).
frontend frontend_https-sni
    bind *:443 ssl crt /etc/haproxy/ssl/
    mode http
    use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/switch_ssl.map)]
# Backends: re-encrypt towards the legacy servers over HTTPS/1.1.
# "verify none" skips server certificate validation.
backend backend_ssl_1
    mode http
    server web0 127.0.0.1:443 ssl verify none check
backend backend_ssl_2
    mode http
    server web0 127.0.0.2:443 ssl verify none check


This works fine. But as soon as I try to add "alpn h2,http1.1" to the bind 
parameters, the configuration does not work anymore. I have tried a bunch of 
different configurations, but none of them worked.

My questions are:
1) Is it even possible to accomplish what I am trying to do? I haven't found 
anyone doing it already. I would be really happy if I did not have to deploy 
nginx...
2) If yes, can you give me some direction on where I need to go, please?

Thank you very much!

Kind regards,
Max

root@proxy sbin]# ./haproxy -vv
HA-Proxy version 1.7-dev6-d5d890b 2016/11/09
Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 
USE_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
Running on OpenSSL version : OpenSSL 1.0.2j  26 Sep 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

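The layout asked for above, as an added example that is not part of the original post or of the HAProxy project's documentation. It assumes HAProxy 1.8 or later: 1.7 has no HTTP/2 support at all, so advertising "h2" via ALPN on a 1.7 bind line makes browsers negotiate h2 and then send HTTP/2 frames that the HTTP/1 parser cannot handle. It also assumes the ALPN token is written "http/1.1" (with the slash, as clients offer it), that a CA file for the legacy servers exists at the placeholder path shown, and that the map file maps domain suffixes to backend names; the hostnames and the backend_default catch-all are placeholders too.

```haproxy
# Added example, not code from the original post. Assumes HAProxy >= 1.8
# (first release able to speak HTTP/2 to clients). Paths, hostnames and
# backend names are placeholders.
global
    # Refuse protocol versions that have no business on a public listener.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend frontend_https-sni
    # Client side: terminate TLS, offer h2 first, fall back to HTTP/1.1.
    # The ALPN identifier for HTTP/1.1 is "http/1.1"; "http1.1" never
    # matches anything a client offers.
    bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
    mode http
    # Route on the SNI name the client sent. map_dom matches domain
    # suffixes, so a line "app1.example.com backend_ssl_1" in the map
    # also catches "www.app1.example.com". Unknown names fall through
    # to backend_default, given as the converter's default value.
    use_backend %[ssl_fc_sni,lower,map_dom(/etc/haproxy/switch_ssl.map,backend_default)]
    default_backend backend_default

backend backend_ssl_1
    mode http
    # Server side: HAProxy re-encrypts with plain HTTPS/1.1 (no alpn on
    # the server line, so no h2 is negotiated towards the legacy app).
    # "sni ssl_fc_sni" forwards the client's SNI so the server presents
    # the matching certificate; "verify required" plus the assumed CA
    # file makes the re-encrypted hop authenticate the server instead of
    # accepting any certificate as "verify none" does.
    server web0 127.0.0.1:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/ssl/backend-ca.pem check

backend backend_ssl_2
    mode http
    server web0 127.0.0.2:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/ssl/backend-ca.pem check

backend backend_default
    mode http
    # Catch-all for SNI names not in the map: reject instead of leaking a
    # request to whichever backend happens to be first.
    http-request deny
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then confirm both halves from a client: `openssl s_client -connect proxy:443 -servername app1.example.com -alpn h2,http/1.1` should report "ALPN protocol: h2" in its output, while a capture between HAProxy and 127.0.0.1:443 should show only an HTTP/1.1 handshake with no ALPN extension offered.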