Hi Willy, Christopher,

Do you perhaps have a small update about the "[PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners"? I've not seen any new information about it for a while. Will it come with 1.7devX? Or should there first be a solid HTTP/2 implementation before expecting this feature?

On the mailing list the above-mentioned patch was posted on 11 March 2016, which made this kind of feature possible. I 'think' it should still be possible to apply most of it against the current version sources; it just needs the two flags changed x2.

Thanks as always,

On 21-9-2016 at 17:52, Sven Marnach wrote:

I'd like to configure haproxy to listen on a single IP address and port 443. Based on the SNI information of the incoming connections, I'd like to terminate some of the SSL connections on the proxy and send plain HTTP requests to the backend. For other domain names, however, I'd like to operate in TCP mode and simply cut through the connection to the backend, without decrypting the traffic.

The only solution I managed to cook up after some experimentation involves looping back to haproxy itself:

frontend fe_https_dispatch
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_lets_encrypt if { req.ssl_sni -m end .acme.invalid }
    default_backend be_https_loopback

backend be_lets_encrypt
    mode tcp
    server srv_lets_encrypt <>

backend be_https_loopback
    mode tcp
    server srv_https_loopback <>

frontend fe_https_loopback
    bind *:36427 ssl crt /etc/ssl/certs/ strict-sni
    mode http
    # on a bind with 'ssl', the SNI of the terminated connection is ssl_fc_sni;
    # req.ssl_sni only parses a raw ClientHello in the buffer, not deciphered traffic
    use_backend be_foo if { ssl_fc_sni -i foo.example.com }
    use_backend be_bar if { ssl_fc_sni -i bar.example.com }

[… backend definitions of be_foo and be_bar …]

This feels like a hack, and I also wonder whether this has performance implications, since each request is parsed twice by haproxy. Is there any way to achieve this without looping back to haproxy?
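The same loopback design as an added example (not from Sven's post or from the HAProxy project), tightened so that the terminating listener is not reachable from the network and the original client address survives the extra hop; it assumes Linux (abstract namespace sockets), HAProxy 1.6 or later, and placeholder backend addresses:

```haproxy
# Public listener: the routing decision is taken on the cleartext SNI of the
# ClientHello, before any decryption, exactly as in the original post.
frontend fe_https_dispatch
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_lets_encrypt if { req.ssl_sni -m end .acme.invalid }
    default_backend be_https_loopback

backend be_lets_encrypt
    mode tcp
    server srv_lets_encrypt 192.0.2.10:443   # placeholder (TEST-NET address)

backend be_https_loopback
    mode tcp
    # abns@: an abstract namespace socket, so no extra TCP port is opened and
    # nothing outside this host can bypass the dispatcher and hit the
    # terminating listener directly. send-proxy-v2 carries the real client
    # address across the hop in a PROXY protocol header.
    server srv_https_loopback abns@https_loopback send-proxy-v2

frontend fe_https_loopback
    # accept-proxy restores the client address from the PROXY header, so logs,
    # ACLs and X-Forwarded-For see the real peer instead of the loopback.
    bind abns@https_loopback ssl crt /etc/ssl/certs/ strict-sni accept-proxy
    mode http
    option forwardfor
    # After termination on an 'ssl' bind the SNI is read from the TLS layer
    # (ssl_fc_sni); req.ssl_sni only matches raw ClientHello bytes.
    use_backend be_foo if { ssl_fc_sni -i foo.example.com }
    use_backend be_bar if { ssl_fc_sni -i bar.example.com }

backend be_foo
    mode http
    server srv_foo 192.0.2.20:80   # placeholder

backend be_bar
    mode http
    server srv_bar 192.0.2.21:80   # placeholder
```

With strict-sni, a client presenting an SNI for which no certificate is loaded from /etc/ssl/certs/ is refused at the handshake rather than served a default certificate.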

