This passes config check for me using 1.6 HEAD

btalbot-lt:haproxy-1.6$ cat haproxy.cfg
global

defaults
    timeout client 5s
    timeout server 5s
    timeout connect 5s
    mode http

listen https
    bind :443
    server dev05 192.168.1.10:443 check ssl sni str(prontotest.orthobanc.com) verify none



btalbot-lt:haproxy-1.6$ ./haproxy -f ./haproxy.cfg -c
Configuration file is valid



btalbot-lt:haproxy-1.6$ ./haproxy -vv
HA-Proxy version 1.6.3-079e34-67 2016/03/10
Copyright 2000-2015 Willy Tarreau <[email protected]>

Build options :
  TARGET  = generic
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): no
Built with zlib version : 1.2.5
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support

Available polling systems :
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.



On Fri, Mar 11, 2016 at 5:23 PM, William D. Roush <
[email protected]> wrote:

> Using: "server dev05 192.168.1.10:443 check ssl sni str(www.mysite.com)
> verify none"
>
>
>
> Proxy 'www.mysite.com', server 'dev05' [/etc/haproxy/haproxy.cfg:62]
> verify is enabled by default but no CA file specified. If you're running on
> a LAN where you're certain to trust the server's certificate, please set an
> explicit 'verify none' statement on the 'server' line, or use
> 'ssl-server-verify none' in the global section to disable server-side
> verifications by default.
>
>
>
>
>
> Using: "server dev05 192.168.1.10:443 check sni str(
> prontotest.orthobanc.com) ssl verify none "
>
>
>
> parsing [/etc/haproxy/haproxy.cfg:62] : 'server dev-web-06' unknown
> keyword 'none'.
>
>
>
>
>
> William Roush | www.roushtech.net
>
>
>
> *From:* Bryan Talbot [mailto:[email protected]]
> *Sent:* Friday, March 11, 2016 5:32 PM
> *To:* William D. Roush <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: SNI Support for Health Check on Backend Server
>
>
>
> There is a recently reported bug for this. Try putting "verify none" AFTER
> the "sni" keyword in your server line.
>
>
>
> -Bryan
>
>
>
>
>
> On Fri, Mar 11, 2016 at 2:08 PM, William D. Roush <
> [email protected]> wrote:
>
> Hey Everybody,
>
>
>
> Been struggling trying to get SNI to work with health checks, even using
> 1.6 and a server configuration of this:
>
>
>
> dev05 192.168.1.10:443 check ssl verify none sni str(www.mysite.com)
>
>
>
> It will still not send the SNI information to the backend server during
> health checks.
>
>
>
>
>
> Am I missing some additional options here? Or is this unsupported in 1.6?
> Is this slated for 1.7?
>
>
> Thanks!
>
> William Roush
>
> [email protected]
>
>
>
> http://www.roushtech.net/
>
>
>
