On Thu, Jan 27, 2011 at 03:58:37PM -0800, Anthony Saenz wrote:
> On 1/27/11 3:30 PM, Willy Tarreau wrote:
> >On Thu, Jan 27, 2011 at 03:13:04PM -0800, Anthony Saenz wrote:
> >>Well, my configuration has changed a bit but here's what I'm trying to
> >>accomplish... I want to dynamically look up the host or IP that's being
> >>requested. Right now I have our internal DNS pointing our domains to an
> >>internal IP (for development purposes) but don't want SSL requests to
> >>hit our internal servers. So, if a 443 request is made - simply push to
> >>production.
> >>
> >>Is there a way to dynamically set the host/IP in the server so it
> >>perform a DNS lookup for the real IP and just simply passes through TCP?
> >>Kind of like...
> >>
> >>backend production_ssl
> >>     mode tcp
> >>     balance source
> >>     server web $REQUESTED_HOST:443
> >No you can't do that, that's more a job for a forward proxy such as Squid.
> >Also, you wouldn't even have the Host header here since you're in TCP mode,
> >and the request will be ciphered in SSL anyway.
> >
> >>I'm banging my head against the wall on how to get SSL to work without
> >>hard-coding every single domain because we have over 1000 of them!
> >But do you have 1000 IP addresses for your servers ?
> >
> >Willy
> >
> No, not all domains are on unique IPs because not all of them have SSL 
> but let's say 20 of them are. How can I have HAProxy differentiate those 
> 20 different hosts/IPs and go to the correct one?

Then in theory what you're looking for is called "content switching": use
whatever information you can find in a request to decide where to forward
it. The principle will be to have as many backends as possible destinations
(20 in your case) and to use ACLs + "use_backend" rules to direct them.

The issue I see in your case is that you can't know what domain is being
requested when looking at SSL. In fact, there is the SNI (server name
indication) extension which some browsers do use but not all to the best
of my knowledge. If we see enough adoption of this, I would have no problem
implementing a decoder for it, as it would help !

In the meantime, I think that what you need to do is either to use different
public IP addresses as almost all SSL sites do, or to have a multi-domain
certificate, and decode SSL at the entry point before haproxy.

Regards,
Willy
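An SNI decoder of the kind mentioned above, as an added example that is not part of the original thread and not HAProxy's own code: it parses the cleartext TLS ClientHello record and pulls out the server_name extension, which is what a TCP-mode proxy would need in order to pick one of the 20 SSL backends with a use_backend rule. The ClientHello bytes are constructed by the helper below (a minimal sample, not a real capture), and the host name used is a made-up example.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS ClientHello (sample input, not a real capture)."""
    ext = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni          # extension type 0 = server_name
    body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                   # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 0x16 = handshake

def parse_sni(data):
    """Return the server_name from a ClientHello record, or None when absent or truncated."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None                                           # not a TLS handshake record
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                           # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                           # truncated: wait for more bytes
        pos = 2 + 32                                              # skip client_version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                                     # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", ext[0:2])[0]
            while q + 3 <= list_end:                              # ServerNameList entries
                name_type, name_len = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
                name = ext[q + 3:q + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
                q += 3 + name_len
        return None                                               # client sent no SNI
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                                               # short read or no extension block
```

A client that does not send SNI (the older browsers the reply refers to) yields None, so the proxy still needs a default backend for that case rather than a routing decision.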