On Fri, Apr 12, 2024, at 4:01 PM, Amaury Denoyelle wrote:
> I have a doubt though: will this kind of configuration really work? I
> thought that, for the moment, if the name parameter is specified, it is
> mandatory to use a server with SSL+SNI.
It may be mandatory according to the RFC, but I'm not using it that way.
Usually it's RHTTP over SSL, and the incoming connection identifies itself
securely using the SSL DN.
The way I'm using it is RHTTP over HTTP CONNECT - and I'm validating the
connection using the headers that came with the HTTP CONNECT. I have a tcp
server block that strips the HTTP CONNECT header and adds a PROXY header instead,
with the connection pool name sent through using unique-id:
    listen connect_terminate
        mode tcp
        bind ...
        tcp-request inspect-delay 5s
        # Lua action (not shown here) that validates the CONNECT headers,
        # strips the CONNECT preamble and stores the requested hostname in
        # the txn.req_header.x_hostname variable:
        tcp-request content lua.terminate_http_connect
        # This allows us to send the hostname over the PROXY protocol:
        unique-id-format "%[var(txn.req_header.x_hostname)]"
        server srv 127.0.0.1:8001 send-proxy-v2 proxy-v2-options unique-id
Then I use that unique id when adding the connection to the connection pool:
    frontend add_to_http_pool
        mode http
        bind 127.0.0.1:8001 proto h2 accept-proxy
        # Attach the incoming connection to the rhttp_frontend/srv pool,
        # keyed by the hostname received in the PROXY v2 unique-id TLV:
        tcp-request session attach-srv rhttp_frontend/srv name fc_pp_unique_id
It's a little roundabout (and this is the simplified version) but quite
capable. I plan to use a similar technique to route multiple requests to
different hostnames down the same RHTTP connection too. In that case I'll not
be using sni req.hdr(host) either - but I haven't got that far yet.
Thanks
Will
---
William Manley
Stb-tester.com
Stb-tester.com Ltd is a company registered in England and Wales.
Registered number: 08800454. Registered office: 13B The Vale,
London, W3 7SH, United Kingdom (This is not a remittance address.)
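The two hops in the configuration above, written out as an added stand-alone
illustration (this is not code from the thread, from the author's Lua action,
or from HAProxy itself): the first function does what the connect_terminate
listener's Lua action must do (parse and validate the CONNECT preamble, answer
it, keep any bytes that arrived after it), the second builds the PROXY
protocol v2 header with the unique-id TLV that `send-proxy-v2 proxy-v2-options
unique-id` puts on the wire, and the third reads that TLV back the way
`fc_pp_unique_id` does on the add_to_http_pool side. The X-Hostname and
Proxy-Authorization header names, the bearer token and the sample addresses
are assumptions for the example.

```python
"""Added example: CONNECT termination plus PROXY v2 unique-id TLV round trip.
Not HAProxy code; header names and the token scheme are assumptions."""
import hmac
import re
import socket
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY v2 signature
PP2_TYPE_UNIQUE_ID = 0x05            # TLV type; the spec caps the value at 128 bytes
# The hostname becomes the pool name, so accept only a lower-case DNS name
# rather than letting the peer choose an arbitrary string.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


class NeedMoreData(Exception):
    """Preamble or PROXY header incomplete: read more bytes and retry."""


class ConnectRejected(Exception):
    """Not an acceptable CONNECT: close the connection."""


def terminate_http_connect(buf, token=None):
    """Consume a CONNECT preamble at the start of buf.
    Returns (hostname, leftover_bytes, reply_to_client); bytes that
    arrived after the header block (e.g. an early h2 preface) are kept."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        if len(buf) > 8192:
            raise ConnectRejected("header block too large")
        raise NeedMoreData
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    if not re.match(rb"^CONNECT \S+ HTTP/1\.[01]$", lines[0]):
        raise ConnectRejected("not a CONNECT request")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ConnectRejected("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if token is not None:  # assumed shared-secret check, constant-time compare
        auth = headers.get(b"proxy-authorization", b"")
        if not (auth.startswith(b"Bearer ") and hmac.compare_digest(auth[7:], token)):
            raise ConnectRejected("authentication failed")
    hostname = headers.get(b"x-hostname", b"").decode("ascii", "replace").lower()
    if not HOSTNAME_RE.match(hostname):
        raise ConnectRejected("missing or invalid X-Hostname")
    return hostname, rest, b"HTTP/1.1 200 Connection established\r\n\r\n"


def build_proxy_v2(src, dst, unique_id):
    """PROXY v2 header, TCP over IPv4, carrying a PP2_TYPE_UNIQUE_ID TLV."""
    if len(unique_id) > 128:
        raise ValueError("unique-id TLV value is limited to 128 bytes")
    addrs = (socket.inet_aton(src[0]) + socket.inet_aton(dst[0])
             + struct.pack("!HH", src[1], dst[1]))
    tlv = struct.pack("!BH", PP2_TYPE_UNIQUE_ID, len(unique_id)) + unique_id
    body = addrs + tlv
    # 0x21 = version 2 + PROXY command, 0x11 = TCP over IPv4
    return PP2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def parse_proxy_v2(data):
    """Return (unique_id or None, payload after the header), checking the
    signature and every TLV length before trusting any of it."""
    if len(data) < 16:
        raise NeedMoreData
    if not data.startswith(PP2_SIG):
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY protocol v2")
    if len(data) < 16 + length:
        raise NeedMoreData
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL command (health check): nothing to trust
        return None, payload
    addr_len = {0x11: 12, 0x12: 12, 0x21: 36, 0x22: 36}.get(fam)
    if addr_len is None or len(body) < addr_len:
        raise ValueError("unsupported or truncated address block")
    tlvs, unique_id = body[addr_len:], None
    while tlvs:
        if len(tlvs) < 3:
            raise ValueError("truncated TLV")
        tlv_type, tlv_len = struct.unpack("!BH", tlvs[:3])
        if len(tlvs) < 3 + tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_UNIQUE_ID:
            unique_id = tlvs[3:3 + tlv_len]
        tlvs = tlvs[3 + tlv_len:]
    return unique_id, payload


def relay_connect(buf, token=None, src=("203.0.113.7", 40321), dst=("127.0.0.1", 8001)):
    """The connect_terminate hop end to end: (reply_to_client, bytes_for_8001)."""
    hostname, rest, reply = terminate_http_connect(buf, token)
    return reply, build_proxy_v2(src, dst, hostname.encode("ascii")) + rest
```

Feeding relay_connect a constructed preamble such as
`CONNECT rhttp HTTP/1.1` with `X-Hostname: Device-42.Example.net` and a
bearer token, followed by an h2 preface, yields the 200 reply for the client
and a byte string whose PROXY v2 header carries `device-42.example.net` as the
unique id with the preface untouched behind it; parse_proxy_v2 on that string
gives the pool name back, which is the value the attach-srv `name` expression
sees. Rejecting the connection when the hostname is missing or malformed is
the point of the regex: whatever reaches unique-id-format becomes the pool key.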