I'd like to configure haproxy to listen on a single IP address and port
443.  Based on the SNI information of the incoming connections, I'd like to
terminate some of the SSL connections on the proxy and send plain HTTP
requests to the backend.  For other domain names, however, I'd like to
operate in TCP mode and simply cut through the connection to the backend,
wihtout decrypting the traffic.

The only solution I managed to cook up after some experimentation involves
looping back to haproxy itself:

frontend fe_https_dispatch
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_lets_encrypt if { req.ssl_sni -m end .acme.invalid }
    default_backend be_https_loopback

backend be_lets_encrypt
    mode tcp
    server srv_lets_encrypt

backend be_https_loopback
    mode tcp
    server srv_https_loopback

frontend fe_https_loopback
    bind *:36427 ssl crt /etc/ssl/certs/ strict-sni
    mode http
    use_backend be_foo if { req.ssl_sni -i foo.example.com }
    use_backend be_bar if { req.ssl_sni -i bar.example.com }

[… backend definitions of be_foo and be_bar …]

This feels like a hack, and I also wonder whether this has performance
implications, since each request is parsed twice by haproxy.  Is there any
way to achieve this without looping back to haproxy?


Reply via email to