Hi Roshan,
On 28.12.2016 at 13:11, Roshan Pradeep wrote:
> Hi Guys
>
> Trying to implement SNI with HAProxy 1.6 version.
>
> What I want is:
>
> 1. Load all the certs to a directory in pem format (one site cert
> chain in one file). So there are multiple files (maybe 20-30 pem
> files in the folder)
> 2. Configure HAProxy to dynamically load the appropriate ssl cert
> based on the SNI header.
>
> Below is my front end. Any idea?
>
> frontend sni-https
>     bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/

Yes, that's it.

>     mode http
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>     use_backend sni_web_server if { req_ssl_sni -m found }
>     default_backend no_sni

Nope, not like this. When you are deciphering SSL on haproxy (as opposed to
TCP passthrough), you have to use ssl_fc_sni in your ACL [1]. Also "tcp-request"
is not necessary.

Lukas

[1] https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.4-ssl_fc_sni
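
The two cases contrasted in the reply above, written out side by side as an added example that is not part of the original message. The backend definitions, the 192.0.2.x server addresses, port 8443 and the passthrough_* names are assumptions made so the fragment is complete.

```haproxy
# Added example, not from the original thread. Backend servers
# (192.0.2.x, documentation range) and port 8443 are assumptions.

# Case 1: HAProxy terminates TLS ("ssl crt" on the bind line).
# The handshake is finished before the ACL runs, so SNI is read from the
# decrypted connection with ssl_fc_sni; no tcp-request rules are needed.
# With a crt directory, a client that sends no SNI or an unknown name is
# presented the first certificate loaded (files load in alphabetical order).
frontend sni-https
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/
    mode http
    use_backend sni_web_server if { ssl_fc_sni -m found }
    default_backend no_sni

backend sni_web_server
    mode http
    server web1 192.0.2.10:80

backend no_sni
    mode http
    server fallback1 192.0.2.20:80

# Case 2: TCP passthrough (no "ssl" on the bind line).
# HAProxy never decrypts; it only inspects the buffered ClientHello.
# This is where req_ssl_sni and the tcp-request rules belong.
frontend sni-passthrough
    bind 0.0.0.0:8443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend passthrough_tls if { req_ssl_sni -m found }
    default_backend passthrough_no_sni

backend passthrough_tls
    mode tcp
    server tls1 192.0.2.10:443

backend passthrough_no_sni
    mode tcp
    server tls2 192.0.2.20:443
```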