Hi Patrick,

On Mon, Dec 26, 2016 at 11:35:51PM +0000, Patrick Hemmer wrote:
> On 2016/12/23 09:28, Arnall wrote:
> > I thought that send-proxy-v2-ssl could help but I have no idea how ...
> > src and src_port are OK with the proxy protocol but ssl_fc in
> > web_plain keeps answering false ( 0 ) even when the request comes from
> > web_tls.
> 
> This use case has come up a few times:
> https://www.mail-archive.com/haproxy@formilux.org/msg23882.html
> My crude solution is an ACL check on the port the client connected to
> (dst_port eq 443).

I think for next version we need to work a bit more on how we deal with
connections received using the proxy protocol. While we can emit *some*
information, we only use the family/address/port of what we receive and
that's a bit limited regarding the amount of information we can extract
from a regular connection.

I think we'll need to be able to keep at least:
  - the transport layer protocol (SSL/TLS version)
  - the transport layer ciphers
  - the transport layer authority (ie SNI for TLS)
  - the application layer protocol (NPN/ALPN)

Probably that we'll have to store more info (cf Bertrand's proxy-addr
patch set) and that we'll want to have a dynamic proxy-protocol part in
the connection to store all this. But anyway that's definitely something
we need to think about so that someone can work on it.

Cheers,
Willy
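
Added example (not code from this thread or from HAProxy): the information Willy lists is exactly what a PROXY protocol v2 header sent with send-proxy-v2-ssl already carries in its TLV records after the address block (PP2_TYPE_SSL with its version/cipher/CN sub-TLVs, PP2_TYPE_ALPN, PP2_TYPE_AUTHORITY for the SNI). The parser below decodes such a header and derives an ssl_fc-style answer from the TLV instead of from Patrick's dst_port workaround; it also refuses truncated headers rather than trusting a partial address block. Type codes and layout follow the PROXY protocol v2 specification; the addresses, TLS values and function names (parse_proxy_v2, build_sample_header, rejects) are constructed for this example.

```python
"""Decode a PROXY protocol v2 header including the PP2_TYPE_SSL TLV.

Constants and layout follow the PROXY protocol v2 specification.
Sample addresses and TLS values below are constructed for this example.
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# TLV type codes from the specification
PP2_TYPE_ALPN = 0x01
PP2_TYPE_AUTHORITY = 0x02
PP2_TYPE_SSL = 0x20
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22
PP2_SUBTYPE_SSL_CIPHER = 0x23

# Flags in the "client" byte of the PP2_TYPE_SSL value
PP2_CLIENT_SSL = 0x01
PP2_CLIENT_CERT_CONN = 0x02
PP2_CLIENT_CERT_SESS = 0x04


def parse_tlvs(buf):
    """Return [(type, value), ...] from a TLV region; reject truncation."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        ttype = buf[pos]
        tlen = struct.unpack("!H", buf[pos + 1:pos + 3])[0]
        value = buf[pos + 3:pos + 3 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV value")
        out.append((ttype, value))
        pos += 3 + tlen
    return out


def parse_proxy_v2(data):
    """Parse a v2 header; return (info dict, header bytes consumed)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported version")
    if len(data) < 16 + length:
        raise ValueError("incomplete header")  # never trust a partial block
    body = data[16:16 + length]
    info = {"command": "PROXY" if (ver_cmd & 0x0F) == 1 else "LOCAL",
            "ssl": False}
    family = fam_proto >> 4
    if info["command"] == "PROXY" and family == 1:      # AF_INET: 12 bytes
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        info.update(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst),
                    src_port=sport, dst_port=dport)
        tlv_region = body[12:]
    elif info["command"] == "PROXY" and family == 2:    # AF_INET6: 36 bytes
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        info.update(src=socket.inet_ntop(socket.AF_INET6, src),
                    dst=socket.inet_ntop(socket.AF_INET6, dst),
                    src_port=sport, dst_port=dport)
        tlv_region = body[36:]
    else:
        tlv_region = b""  # LOCAL / unspecified: no address block to use
    for ttype, value in parse_tlvs(tlv_region):
        if ttype == PP2_TYPE_ALPN:
            info["alpn"] = value.decode("ascii", "replace")
        elif ttype == PP2_TYPE_AUTHORITY:
            info["sni"] = value.decode("utf-8", "replace")
        elif ttype == PP2_TYPE_SSL:
            client, verify = struct.unpack("!BI", value[:5])
            info["ssl"] = bool(client & PP2_CLIENT_SSL)      # the ssl_fc answer
            info["client_cert"] = bool(client & (PP2_CLIENT_CERT_CONN
                                                  | PP2_CLIENT_CERT_SESS))
            info["cert_verified"] = verify == 0  # spec: 0 only when verified
            for sub, sval in parse_tlvs(value[5:]):
                if sub == PP2_SUBTYPE_SSL_VERSION:
                    info["ssl_version"] = sval.decode("ascii", "replace")
                elif sub == PP2_SUBTYPE_SSL_CIPHER:
                    info["ssl_cipher"] = sval.decode("ascii", "replace")
                elif sub == PP2_SUBTYPE_SSL_CN:
                    info["ssl_cn"] = sval.decode("utf-8", "replace")
    return info, 16 + length


def rejects(data):
    """True if the parser refuses `data` (shows truncation handling)."""
    try:
        parse_proxy_v2(data)
    except ValueError:
        return True
    return False


def tlv(ttype, value):
    return struct.pack("!BH", ttype, len(value)) + value


def build_sample_header():
    """Constructed sample of what a TLS-terminating frontend (the thread's
    web_tls) would send to web_plain with send-proxy-v2-ssl."""
    addr = (socket.inet_aton("198.51.100.7") + socket.inet_aton("192.0.2.10")
            + struct.pack("!HH", 51234, 443))
    ssl_body = struct.pack("!BI", PP2_CLIENT_SSL, 1)  # TLS on, no verified cert
    ssl_body += tlv(PP2_SUBTYPE_SSL_VERSION, b"TLSv1.2")
    ssl_body += tlv(PP2_SUBTYPE_SSL_CIPHER, b"ECDHE-RSA-AES128-GCM-SHA256")
    tlvs = (tlv(PP2_TYPE_ALPN, b"h2") + tlv(PP2_TYPE_AUTHORITY, b"www.example.com")
            + tlv(PP2_TYPE_SSL, ssl_body))
    body = addr + tlvs
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


if __name__ == "__main__":
    info, used = parse_proxy_v2(build_sample_header() + b"GET / HTTP/1.1\r\n")
    print(used, info)
```

With the sample header, `info["ssl"]` is True and `info["ssl_version"]`, `info["ssl_cipher"]`, `info["alpn"]` and `info["sni"]` carry the values web_tls put in the TLVs; `info["dst_port"] == 443` is the only fact the port-based ACL workaround has to go on. The byte count returned is where the application data (the HTTP request) begins.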
