Hello,

On Mon, Oct 29, 2012 at 11:48:50AM +0400, Samat Galimov wrote:
> Hello!
> I want to decipher SSL traffic for some of the apps and not for the
> others (apps are distinguished by hostname, but they all have the same IP and
> port).
> Is there any way to achieve this?
> I can use req_ssl_sni to distinguish apps which need to be blindly forwarded
> and send them to specific backends, but I can't figure out how to decipher
> the remainder.
> Maybe some trick to pass through connections between frontends?

That's interesting that you ask for this because during the SSL
development I wondered if we would need to make it optional, for
example being able to accept non-SSL traffic then finally decide
to switch to SSL. The main issue is that it's not really possible
to reinject the consumed data into the SSL stack so we'd have to
switch to MSG_PEEK which in practice is not doable.

However, using two layers of frontend/backend, you can do this. It
could look approximately like this:

        listen front
                mode tcp
                bind :443
                # wait up to 5s for the ClientHello so req_ssl_* can be evaluated
                tcp-request inspect-delay 5s
                tcp-request content accept if { req_ssl_ver ge 3.1 }
                # hostnames to decipher go to the local SSL frontend
                use-server decipher if { req_ssl_sni www.example.com }

                # default: blind TCP forwarding of the still-encrypted stream
                server forward 1.1.1.1:443
                # weight 0: never picked by load balancing, only via use-server
                server decipher 127.0.0.1:43 weight 0 send-proxy

        frontend decipher
                mode http
                # accept-proxy restores the original client address from the PROXY header
                bind 127.0.0.1:43 accept-proxy ssl crt foo.pem
                ...

BTW, it's approximately the same principle as is used for mixing HTTPS
and another protocol on the same port (e.g. SPDY, SSH).

Hoping this helps,
Willy
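The first-layer decision above rests on reading the TLS ClientHello before any data is consumed: the version (req_ssl_ver) and the SNI (req_ssl_sni), both available in cleartext, and waiting within inspect-delay while the hello is still incomplete. The following Python script is an added illustration of that mechanism, not HAProxy's code or anything from this thread; it builds a minimal ClientHello in memory (constructed sample input), parses version and SNI out of it, and reproduces the three outcomes of the config: keep waiting, send to the deciphering frontend, or forward blindly. The set of hostnames to decipher (`TERMINATE_HOSTS`) and the cipher suite used in the constructed hello are assumptions.

```python
"""Selective SSL termination decision modelled on a TLS ClientHello.
Added example; the ClientHello is constructed by hand and only the fields
a first-layer inspector needs (client_version, SNI) are populated."""
import struct

# Assumption: hostnames whose traffic is deciphered (the use-server rule).
TERMINATE_HOSTS = {"www.example.com"}


def build_client_hello(sni: str, version=(3, 1)) -> bytes:
    """Return one TLS record holding a ClientHello with an SNI extension.
    Constructed sample input: random is zeroed, one arbitrary cipher suite."""
    host = sni.encode("ascii")
    name = b"\x00" + struct.pack("!H", len(host)) + host      # host_name entry
    server_name_list = struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    body = (bytes(version) + b"\x00" * 32                   # client_version + random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"             # one cipher suite
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(ext)) + ext)             # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes):
    """Return ((major, minor), sni_or_None) from a raw TLS record, or None
    when the buffer does not yet hold a complete ClientHello."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return None                          # incomplete record: keep waiting
        hs = data[5:5 + rec_len]
        if hs[0] != 1:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        version = (body[0], body[1])
        p = 2 + 32                               # skip client_random
        p += 1 + body[p]                         # session id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2 + cs_len                          # cipher suites
        p += 1 + body[p]                         # compression methods
        sni = None
        if p + 2 <= len(body):
            ext_len = struct.unpack("!H", body[p:p + 2])[0]
            p += 2
            end = p + ext_len
            while p + 4 <= end:
                etype, elen = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if etype == 0 and elen >= 5:     # server_name extension
                    name_type = body[p + 2]
                    name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
                    if name_type == 0:
                        sni = body[p + 5:p + 5 + name_len].decode("ascii", "replace")
                p += elen
        return version, sni
    except (IndexError, struct.error):
        return None


def accepts_early(data: bytes) -> bool:
    """True when the 'content accept if req_ssl_ver ge 3.1' rule would fire
    now, i.e. a complete hello with TLS 1.0 (SSL 3.1) or newer."""
    parsed = parse_client_hello(data)
    return parsed is not None and parsed[0] >= (3, 1)


def route(data: bytes) -> str:
    """'wait' while the hello is incomplete, 'decipher' for hostnames in
    TERMINATE_HOSTS, otherwise 'forward' (blind TCP to the default server)."""
    parsed = parse_client_hello(data)
    if parsed is None:
        return "wait"
    _, sni = parsed
    return "decipher" if sni in TERMINATE_HOSTS else "forward"


if __name__ == "__main__":
    for host in ("www.example.com", "other.example.net"):
        hello = build_client_hello(host)
        print(host, parse_client_hello(hello), route(hello))
    print("truncated:", route(build_client_hello("www.example.com")[:12]))
```

The "wait" branch is the part worth noticing: a rule that matches before the hello is complete would mis-route, which is exactly why the config pairs the req_ssl_* checks with an inspect-delay.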
