Thanks Lukas for the reply. Regarding the second part of your reply:
Then do I need to use it like this?

use_backend backend_site1 if { ssl_fc_sni site1 }
use_backend backend_site2 if { ssl_fc_sni site2 }

Because, to minimize the admin overhead, do I need to add a new ACL every time I add a new SSL cert? For all the certs, I have one common back-end.

Appreciate your reply

Kind Regards
Roshan

On Thu, Dec 29, 2016 at 8:22 AM, Lukas Tribus <lu...@gmx.net> wrote:

> Hi Roshan,
>
> On 28.12.2016 at 13:11, Roshan Pradeep wrote:
>
>> Hi Guys
>>
>> Trying to implement SNI with HAProxy 1.6 version.
>>
>> What I want is:
>> 1. Load all the certs to a directory as pem format (one site cert chain
>> in one file). So there are multiple files (maybe 20-30 pem files in the
>> folder)
>>
>> 2. Configure HAProxy to dynamically load the appropriate ssl cert based
>> on the SNI header.
>>
>> Below is my front end. Any idea?
>>
>> frontend sni-https
>> bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/
>
> Yes, that's it.
>
>> mode http
>> tcp-request inspect-delay 5s
>> tcp-request content accept if { req_ssl_hello_type 1 }
>> use_backend sni_web_server if { req_ssl_sni -m found }
>> default_backend no_sni
>
> Nope, not like this. When you are deciphering SSL on haproxy (as opposed to
> TCP passthrough), you have to use ssl_fc_sni in your ACL [1]. Also
> "tcp-request" is not necessary.
>
> Lukas
>
> [1] https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.4-ssl_fc_sni

--
Roshan Pradeep
Senior DevOps Engineer
Whispir
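
Added example, not part of the original thread: an HAProxy configuration contrasting the two cases Lukas distinguishes, TLS termination (certificate chosen from the crt directory by SNI, routing with ssl_fc_sni) and TCP passthrough (req_ssl_sni). Backend names, host names, server addresses and port 8443 are placeholders chosen for illustration.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Case 1: HAProxy terminates TLS (the setup discussed in the thread) ---
frontend sni-https
    mode http
    # A directory as the crt argument loads every PEM file in it
    # (alphabetical order). The certificate presented is chosen from the
    # SNI name in the handshake; the first loaded file is used when the
    # client sends no SNI or no certificate matches.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/
    # ssl_fc_sni reads the SNI of the connection HAProxy decrypted.
    # A rule like this is for routing only, i.e. when a name must go to
    # a different backend; certificate selection does not depend on it.
    use_backend backend_site1 if { ssl_fc_sni -i site1.example.com }
    default_backend common_backend

backend common_backend
    mode http
    server web1 192.0.2.10:8080 check

backend backend_site1
    mode http
    server web2 192.0.2.11:8080 check

# --- Case 2: TCP passthrough, HAProxy never decrypts ---
frontend sni-passthrough
    mode tcp
    bind 0.0.0.0:8443
    # The SNI must be parsed out of the raw ClientHello, so the frontend
    # waits for it and matches with req_ssl_sni instead of ssl_fc_sni.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend tls_site1 if { req_ssl_sni -i site1.example.com }
    default_backend tls_default

backend tls_site1
    mode tcp
    server s1 192.0.2.20:443 check

backend tls_default
    mode tcp
    server s2 192.0.2.21:443 check
```

The file can be syntax-checked with `haproxy -c -f <file>` once the crt directory contains at least one PEM file.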