On 11/20/20 1:52 PM, Howard Chu wrote:
> Paul B. Henson wrote:
>> On 11/19/2020 1:37 PM, Howard Chu wrote:
>>
>>> This would require that you actually read and process the proxy header
>>> immediately after the accept call. It strikes me that this is the wrong
>>> thing to do, if you also want to support TLS.
>>
>> Unless I'm misunderstanding the specification, that is the only way it would
>> work. The TLS negotiation, barring TLS interception by the proxy, is between the
>> client and the backend server, not between the proxy and the backend server.
>
> Yes, I understand that any TLS session initiated by the client is only between the
> client and the proxy server.

No, this is not necessarily the case. HA proxy can act as application-level
proxy for some protocols (IIRC HTTP and SMTP) or as a TCP relay. Paul mentioned
the latter case where slapd is the TLS server end-point also from the client's
perspective and HA proxy does *not* break up the TLS connection.

Ciao, Michael.
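
The TCP-relay case discussed in this thread, as an added illustration that is not part of any message here and is not slapd code: the backend consumes the proxy header right after accept and passes the untouched remainder to its TLS layer. It assumes the "proxy header" is the HAProxy PROXY protocol v1 text line; the function names and sample bytes are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

V1_MAX = 107  # longest v1 header line, CRLF included, per the PROXY protocol spec

class ProxyInfo(NamedTuple):
    family: str
    src: Optional[str]
    src_port: Optional[int]
    dst: Optional[str]
    dst_port: Optional[int]

def split_proxy_v1(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    """Consume a PROXY v1 line at the start of buf; return (info, remaining bytes)."""
    if not buf.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header at start of stream")
    end = buf.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ValueError("PROXY v1 header not terminated within 107 bytes")
    fields = buf[:end].decode("ascii").split(" ")
    rest = buf[end + 2:]  # everything after CRLF belongs to the client, e.g. TLS
    if fields[1] == "UNKNOWN":
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], str(src), sport, str(dst), dport), rest

def looks_like_tls_handshake(data: bytes) -> bool:
    """True if data starts like a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

# Constructed sample: what the backend reads after accept() when the proxy only
# relays TCP. The header is plaintext, then the client's own TLS bytes follow.
SAMPLE = (b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 636\r\n"
          + bytes.fromhex("160301002e01"))

if __name__ == "__main__":
    info, rest = split_proxy_v1(SAMPLE)
    print(info, looks_like_tls_handshake(rest))
```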