Hi, I am trying to deploy HAProxy in HTTP mode in front of a Windows Server
2012 R2 ADFS 3.0 farm. In ADFS 3.0 backend servers require that clients
support SNI.

In my testing it does not appear that HAProxy is sending the ServerName
extension in the TLS handshake, and as a result I am receiving a "Bad
Gateway" error. The HAProxy logs just say "Connection error during SSL
handshake". I captured the traffic with Wireshark and the ServerName TLS
extension is indeed missing, and the ADFS server is sending a RESET packet
right after the SSL HELLO packet.

In TCP mode it works fine. However, in HTTP mode it errors. I want to deploy
this as a proxy in order to remove the need to deploy Microsoft Web
Application Proxies (the replacement for ADFS proxies in 2012 R2) in the DMZ.

This is the architecture I am trying to achieve:

                            |----> ADFS 3.0 (443)
Client ---> HAProxy (443) --|
                            |----> ADFS 3.0 (443)

Thanks!
Brandon
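For readers hitting the same problem, here is an HTTP-mode configuration that re-encrypts to the farm and sends the ServerName extension using the server-line `sni` keyword (HAProxy 1.6 and later; `check-sni` needs 1.8 and later). It is an added example, not the original poster's configuration; the federation service name fs.example.com, the server addresses, and the certificate paths are placeholders.

```haproxy
# Added example, not the poster's config. Assumes HAProxy 1.8+, federation
# service name fs.example.com, ADFS farm members at 10.0.0.11/10.0.0.12 and
# certificate paths as shown (all placeholders).
global
    log /dev/log local0
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fs_https
    # Client-facing TLS terminates here; the PEM holds the cert, chain and key.
    bind :443 ssl crt /etc/haproxy/certs/fs.example.com.pem
    default_backend adfs

backend adfs
    balance roundrobin
    # ADFS keeps sign-in state on the farm member that started it, so pin each
    # browser to one server with an inserted cookie.
    cookie ADFSSRV insert indirect nocache secure httponly
    # Take the SNI value from the Host header the client sent (port stripped),
    # so every federation hostname bound on the ADFS servers is handled.
    http-request set-var(txn.fs_host) req.hdr(host),field(1,:)
    # ssl + sni: re-encrypt and send ServerName on the backend handshake.
    # verify required + ca-file: the ADFS certificate must chain to the
    # internal CA and match the SNI name, so a substituted backend is refused.
    # check-sni: health checks send SNI too, otherwise ADFS resets them.
    server adfs1 10.0.0.11:443 ssl sni var(txn.fs_host) verify required ca-file /etc/haproxy/certs/internal-ca.pem check check-sni fs.example.com cookie a1
    server adfs2 10.0.0.12:443 ssl sni var(txn.fs_host) verify required ca-file /etc/haproxy/certs/internal-ca.pem check check-sni fs.example.com cookie a2
```

Confirm the fix the same way the problem was found: a capture of the HAProxy-to-ADFS handshake should now show the server_name extension in the Client Hello, and the backend should show UP in the stats page instead of cycling through L6 check failures.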
