Hello,

Thank you very much for help.

I can't make req_ssl_sni work and don't know how to troubleshoot it without 
digging into the source code.

Here is my config: 

...
listen https
    mode tcp
    bind     :443
    tcp-request inspect-delay 5s
    use-server decipher if { req_ssl_sni example.com }
    server decipher 127.0.0.1:4443 weight 0
    server forward 127.0.0.1:5443

frontend decipher
    mode http
    bind     :4443 ssl crt cert.pem
...

I say
openssl s_client -connect 127.0.0.1:443 -servername example.com -debug
and nc -l :5443 shows that the connection is forwarded, not deciphered.

Is there anything I missed?

On Oct 29, 2012, at 12:42 , Willy Tarreau <[email protected]> wrote:

> Hello,
> 
> On Mon, Oct 29, 2012 at 11:48:50AM +0400, Samat Galimov wrote:
>> Hello!
>> I want to decipher SSL traffic for some of the apps and not for the 
>> others (apps are distinguished by hostname but they all have the same IP and 
>> port).
>> Is there any way to achieve this?
>> I can use req_ssl_sni to distinguish apps which need to be blindly forwarded 
>> and send them to specific backends, but I can't figure out how to decipher 
>> the remainder.
>> Maybe some trick to pass connections through between frontends?
> 
> It's interesting that you ask for this because during the SSL
> development I wondered if we would need to make it optional, for
> example being able to accept non-SSL traffic then finally decide
> to switch to SSL. The main issue is that it's not really possible
> to reinject the consumed data into the SSL stack so we'd have to
> switch to MSG_PEEK which in practice is not doable.
> 
> However using two layers of frontend/backend, you can do this. It
> could look approximately like this:
> 
>       listen front
>               mode tcp
>               bind :443
>               tcp-request inspect-delay 5s
>               tcp-request content accept if { req_ssl_ver ge 3.1 }
>               use-server decipher if { req_ssl_sni www.example.com }
> 
>               server forward 1.1.1.1:443
>               server decipher 127.0.0.1:43 weight 0 send-proxy
> 
>       frontend decipher
>               mode http
>               bind 127.0.0.1:43 accept-proxy ssl crt foo.pem
>               ...
> 
> BTW, it's approximately the same principle as is used for mixing HTTPS
> and another protocol on the same port (eg: SPDY, SSH).
> 
> Hoping this helps,
> Willy
> 


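As an added, stand-alone illustration (not part of this thread and not HAProxy code), the script below parses the SNI host name out of a raw TLS ClientHello, which is the same field HAProxy's req_ssl_sni inspection reads; feeding it the first bytes a client sends (for example what nc -l :5443 receives) shows whether the client actually sent the expected SNI before the config is blamed. The sample ClientHello is constructed inline, and the parser deliberately returns None for a non-TLS or not-yet-complete record, which is the case the tcp-request content accept rule in front of use-server is meant to cover.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ClientHello record with an SNI extension."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x01" + b"\x00" * 32                                 # client_version + random (zeros, constructed)
            + b"\x00"                                                   # session_id length 0
            + b"\x00\x02\x00\x2f"                                       # one cipher suite
            + b"\x01\x00"                                               # one (null) compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello, or None when the bytes are not a
    complete ClientHello (non-TLS traffic, or a record that is still incomplete)."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:               # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:                          # record not fully buffered yet
            return None
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                    # not a ClientHello
            return None
        pos = 4 + 2 + 32                                     # handshake header, version, random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                   # server_name extension
                p, end = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
                while p + 3 <= end:
                    ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if ntype == 0:
                        return hs[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
                return None
            pos += elen
        return None                                          # ClientHello without SNI
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                          # malformed input
```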