Hi Willy, That worked perfectly. The only changes I had to make were using 'use-server' instead of 'use_server' and I only used the statements with rules, not the 'other' server.
I also found a typo in the documentation here:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-use-server

    # intercept incoming TLS requests based on the SNI field
    use-server www if { req_ssl_sni -i www.example.com }
    server     www 192.168.0.1:443 weight 0
    use-server mail if { req_ssl_sni -i mail.example.com }
    server     mail 192.168.0.1:587 weight 0
    use-server imap if { req_ssl_sni -i imap.example.com }
    server     mail 192.168.0.1:993 weight 0
    # all the rest is forwarded to this server
    server  default 192.168.0.2:443 check

The second server should probably be named 'imap' not mail again.

Regards,
Geoff

On Fri, Feb 21, 2014 at 8:21 AM, Willy Tarreau <[email protected]> wrote:
> Hi Geoff,
>
> On Thu, Feb 20, 2014 at 03:54:52PM -0800, Geoff Bucar wrote:
> > Hi all,
> >
> > I'm pretty sure this isn't possible, but can HAProxy detect whether the
> > communication coming in is SSL or not, and speak the appropriate way? For
> > instance, what I'm trying to accomplish is basically:
> >
> > listen doublerainbow
> >     bind 192.168.1.100:80
> >     bind 192.168.1.100:80 ssl crt /etc/haproxy/certs/wildcard.pem
> >     mode http
> >     option http-server-close
> >     server system1:80
> >
> > The backend system would be unencrypted http. Clients would connect on
> > port 80 'possibly' using ssl. Is this possible?
>
> Not this way, because the SSL API uses its own read() call to retrieve
> bytes from the socket (technically it would be possible to use recv(MSG_PEEK)
> to check the contents but we don't do that now). However, it's possible to
> divert the stream by chaining two entries :
>
> listen front
>     bind :80
>     mode tcp
>     tcp-request inspect-delay 10s
>     tcp-request content accept if { req.proto_http } || { req.ssl_ver gt 0 }
>     use_server clear if { req.proto_http }
>     use_server ssl if { req.ssl_ver gt 0 }
>     use_server other
>     server clear 127.0.0.1:8080
>     server ssl 127.0.0.1:8443
>     server other 127.0.0.1:8888
>
> listen clear
>     bind 127.0.0.1:8080
>     mode http
>     ...
>
> listen ssl
>     bind 127.0.0.1:8443 ssl
>     ...
>
> etc...
>
> Last point is that you may pass the client's IP address along this chain
> by using "send-proxy" on the servers lines of the first stage, and
> "accept-proxy" on the "bind" lines in the second stage.
>
> Hoping this helps,
> Willy
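An added example, not part of the thread and not HAProxy's own code: what the `req.ssl_ver`, `req.proto_http` and `req_ssl_sni` ACLs used in the configurations above actually inspect. The function peeks at the first bytes a client sends (the same data a proxy can see with `recv(MSG_PEEK)` or during a `tcp-request inspect-delay`), tells a TLS ClientHello apart from a plaintext HTTP request line, pulls the SNI host name out of the ClientHello, and then picks a backend name the way the `use-server` rules do. The HTTP method list, the backend names and the minimal ClientHello builder are assumptions made for the demo; the sample inputs are constructed inline.

```python
import struct

# Assumption: enough HTTP methods for a demo; HAProxy's req.proto_http is stricter.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")

TLS_HANDSHAKE = 0x16     # TLS record content type for handshake messages
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # server_name extension (SNI)


def classify(buf: bytes) -> dict:
    """Classify the leading bytes of a connection without any key material.

    Returns {"proto": "tls", "version": (maj, min), "sni": str|None},
    {"proto": "http", "method": str}, or {"proto": "unknown"}.
    """
    if len(buf) >= 5 and buf[0] == TLS_HANDSHAKE and buf[1] == 0x03:
        return {"proto": "tls", "version": (buf[1], buf[2]), "sni": parse_sni(buf)}
    if buf.startswith(HTTP_METHODS):
        return {"proto": "http", "method": buf.split(b" ", 1)[0].decode()}
    return {"proto": "unknown"}


def parse_sni(buf: bytes):
    """Return the host_name from a ClientHello's server_name extension,
    or None if the record is truncated or malformed (never raises)."""
    try:
        rec_len = struct.unpack_from("!H", buf, 3)[0]
        body = buf[5:5 + rec_len]
        if len(body) < rec_len or body[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                        # handshake hdr, client_version, random
        sid_len = body[pos]; pos += 1 + sid_len  # session_id
        cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2 + cs_len   # cipher suites
        comp_len = body[pos]; pos += 1 + comp_len                           # compression
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        ext_total = struct.unpack_from("!H", body, pos)[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            if etype == EXT_SERVER_NAME:
                p = pos + 2                      # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype = body[p]
                    nlen = struct.unpack_from("!H", body, p + 1)[0]
                    p += 3
                    if ntype == 0:               # host_name
                        return body[p:p + nlen].decode("ascii")
                    p += nlen
                return None
            pos += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI (test input only)."""
    name = host.encode("ascii")
    sni = struct.pack("!BH", 0, len(name)) + name
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(sni) + 2, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32          # client_version, random
             + b"\x00"                           # empty session_id
             + b"\x00\x02\x00\x2f"               # one cipher suite
             + b"\x01\x00"                       # one compression method (null)
             + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def route(buf: bytes) -> str:
    """Mirror the use-server rules from the thread. Backend names are assumptions."""
    c = classify(buf)
    if c["proto"] == "tls":
        return {"www.example.com": "www", "mail.example.com": "mail",
                "imap.example.com": "imap"}.get(c["sni"], "default")
    if c["proto"] == "http":
        return "clear"
    return "other"


if __name__ == "__main__":
    for sample in (build_client_hello("imap.example.com"),
                   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                   b"\x00\x00garbage"):
        print(classify(sample), "->", route(sample))
```

Two things worth keeping in mind when routing this way: the SNI and the record version are unauthenticated plaintext chosen by the client, so they are fine for picking a backend but not for any trust decision; and a client that sends nothing forces the proxy to wait for the full `tcp-request inspect-delay` before the fallback rule fires, which is why that delay should be short.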

