Hi,
On Thu, Oct 15, 2015 at 11:14:18AM +0000, ACKERMANN, Thibaut (Thibaut)** CTR **
wrote:
> Hi all,
>
> I have a HAproxy 1.5 setup which offloads SSL in front of multiple webservers.
> My SSL certificate is a wildcard and we are balancing to different backends
> based on the FQDN.
>
> My frontend config look like this :
> ...
> frontend my-frontend
>     bind ip:443 ssl crt /var/etc/haproxy/wildcard_domain_org.pem
>
>     mode http
>     log global
>     option httplog
>     option forwardfor
>
>     use_backend my-backend if { ssl_fc_sni my.domain.org }
>     use_backend my-backend2 if { ssl_fc_sni my2.domain.org }
>
>     # Fallback for non-SNI clients
>     acl is-domain hdr(host) -i my.domain.org
>     acl is-domain2 hdr(host) -i my2.domain.org
>     use_backend my-backend if is-domain
>     use_backend my-backend2 if is-domain2
> ...
>
> I wanted to know if :
> - ssl_fc_sni perform faster than HTTP Header extraction?
Yes but that will be imperceptible. It is important to understand that
the SNI doesn't replace the Host header. If a broken client sends you
an SNI which differs from the Host, the host is still supposed to have
authority there. The SNI is used only to present the correct certificate.
> - HAProxy will check my ACLs sequentially and use the SNI one if it matches
> without evaluating the hdr(host) ones?
Yes, absolutely. That said I'd suggest that you only check the Host
header field, that will be much cleaner, safer, and standards-compliant.
Regards,
Willy
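For reference, the following is an added example of the Host-only routing the reply recommends; it is not part of the thread and is not the original poster's configuration. It keeps the frontend, backend and certificate names from the quoted config, and the `no-match` backend, the `X-Forwarded-SNI` header name and the log-format string are assumptions chosen for this example. It assumes HAProxy 1.5 syntax.

```haproxy
frontend my-frontend
    bind ip:443 ssl crt /var/etc/haproxy/wildcard_domain_org.pem
    mode http
    log global
    option forwardfor

    # Route on the Host header only. The SNI is used by the bind line to
    # select the certificate; it carries no authority over which backend
    # a request reaches.
    acl is-domain  hdr(host) -i my.domain.org
    acl is-domain2 hdr(host) -i my2.domain.org
    use_backend my-backend  if is-domain
    use_backend my-backend2 if is-domain2

    # Anything whose Host matches neither name lands here instead of being
    # routed by the order in which the rules happen to be listed.
    default_backend no-match

    # Record both values so a client whose SNI and Host disagree shows up in
    # the logs (and, via the header, at the backend) rather than passing
    # silently. Header name and log format are example choices.
    capture request header Host len 64
    http-request set-header X-Forwarded-SNI %[ssl_fc_sni]
    log-format "%ci:%cp [%t] %ft %b/%s %ST sni=%[ssl_fc_sni] host=%hr"

backend my-backend
    mode http
    server web1 10.0.0.11:80 check   # placeholder address

backend my-backend2
    mode http
    server web2 10.0.0.12:80 check   # placeholder address

# No servers on purpose: requests routed here get a 503 instead of
# reaching a backend that was not meant for that hostname.
backend no-match
    mode http
```

The `capture` and `log-format` lines are what make the Host/SNI distinction visible in operation: a log line where `sni=` and `host=` differ identifies the broken (or misbehaving) client the reply describes, while routing itself never depends on the SNI value.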