Hi Jarno,
On 2019-06-04 12:44, Jarno Huuskonen wrote:
Hi Christian,
On Thu, Apr 25, Christian Ruppert wrote:
listen genlisten_10320-cust1.tls-tcp
    acl REQ_TLS_HAS_ECC req.ssl_ec_ext eq 1
    tcp-request content accept if { req_ssl_hello_type 1 } # Match Client SSL Hello
    use-server socket-10320-rsa if !REQ_TLS_HAS_ECC
    server socket-10320-rsa unix@/run/haproxy-10320-rsa.sock send-proxy-v2
    use-server socket-10320-ecc if REQ_TLS_HAS_ECC
    server socket-10320-ecc unix@/run/haproxy-10320-ecc.sock send-proxy-v2
Do you need this TCP frontend just for serving both RSA/ECC certificates?
If so, I think HAProxy can do this (with OpenSSL >= 1.0.2) with the crt keyword:
https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt
-Jarno
listen genlisten_10320-cust1.tls
    bind unix@/run/haproxy-10320-rsa.sock accept-proxy user haproxy group root mode 600 ssl crt /etc/haproxy/test-rsa.pem alpn h2,http/1.1 process 3
    bind unix@/run/haproxy-10320-ecc.sock accept-proxy user haproxy group root mode 600 ssl crt /etc/haproxy/test-ecc.pem alpn h2,http/1.1 process 4-8
Yeah, I think we'll still need that construct. What we want to achieve
with this kind of setup is:
One process/core for pure connections (that TCP stuff), one for HTTP,
*one* for RSA and all the rest for ECC. RSA costs so much that it's
really easy to (D)DoS that process, which would otherwise affect all
other processes as well. So we just want to have all that separated:
HTTP from HTTPS and RSA from ECC.
--
Regards,
Christian Ruppert
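The routing decision in the tls-tcp listener above hinges on two things: `req_ssl_hello_type 1` (wait until a complete ClientHello has arrived) and `req.ssl_ec_ext` (does that ClientHello carry the supported_groups / elliptic_curves extension, type 10). The following is an added, stand-alone re-implementation of that decision in Python, written for this page; it is not HAProxy code and not part of the thread. It parses a TLS ClientHello record, looks for extension type 10, and returns the same server names the config uses. The ClientHello bytes are constructed inline as test input; cipher suite and group IDs are the IANA values.

```python
"""Mirror of the HAProxy rules from the thread, written as an illustration:
  acl REQ_TLS_HAS_ECC req.ssl_ec_ext eq 1        -> has_ec_extension()
  tcp-request content accept if { req_ssl_hello_type 1 } -> parse_client_hello()
  use-server socket-10320-ecc / socket-10320-rsa -> choose_server()
This is example code, not HAProxy's implementation."""
import struct

TLS_HANDSHAKE = 0x16          # record content type
CLIENT_HELLO = 0x01           # handshake message type
EXT_SUPPORTED_GROUPS = 0x000A  # "elliptic_curves" in RFC 4492, what req.ssl_ec_ext looks for
EXT_EC_POINT_FORMATS = 0x000B


def parse_client_hello(data: bytes):
    """Return {'version', 'ciphers', 'extensions'} for a complete ClientHello,
    or None if the bytes are not (yet) one. None corresponds to HAProxy's
    inspect-delay still waiting, or to a non-TLS client."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                      # record not complete yet
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                            # client random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    extensions = {}
    if pos + 2 <= len(body):             # extensions block is optional (old clients omit it)
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            extensions[etype] = body[pos:pos + elen]; pos += elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def has_ec_extension(data: bytes):
    """Equivalent of req.ssl_ec_ext: True/False, or None if no ClientHello yet."""
    hello = parse_client_hello(data)
    if hello is None:
        return None
    return EXT_SUPPORTED_GROUPS in hello["extensions"]


def choose_server(data: bytes):
    """Equivalent of the two use-server rules in the thread's config."""
    ec = has_ec_extension(data)
    if ec is None:
        return None                      # not accepted yet / not TLS
    return "socket-10320-ecc" if ec else "socket-10320-rsa"


def build_client_hello(ciphers, extensions):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                      # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a modern client offering ECDHE suites plus secp256r1/x25519,
# and a legacy client offering only RSA key exchange with no extensions at all.
ECC_CAPABLE_HELLO = build_client_hello(
    [0xC02B, 0xC02F],                                        # ECDHE-ECDSA/ECDHE-RSA AES128-GCM
    [(EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x17\x00\x1d"),    # secp256r1, x25519
     (EXT_EC_POINT_FORMATS, b"\x01\x00")])
LEGACY_HELLO = build_client_hello([0x002F], [])              # TLS_RSA_WITH_AES_128_CBC_SHA

if __name__ == "__main__":
    print(choose_server(ECC_CAPABLE_HELLO))                  # socket-10320-ecc
    print(choose_server(LEGACY_HELLO))                       # socket-10320-rsa
    print(choose_server(ECC_CAPABLE_HELLO[:20]))             # None (still waiting)
```

Note what the split does and does not protect: a client that simply omits extension 10 lands on the single RSA process, so an attacker can target it on purpose; that is exactly why the thread pins RSA to one process instead of letting it share the ECC cores.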