Thanks Lukas for the reply.

Regarding the second part of your reply:

Then do I need to use it like this?

use_backend backend_site1 if { ssl_fc_sni site1 }
use_backend backend_site2 if { ssl_fc_sni site2 }

Because to minimize the admin overhead, do I need to add a new ACL every
time I add a new SSL cert?

For all the certs, I have one common back-end. Appreciate your reply.

Kind Regards

Roshan

On Thu, Dec 29, 2016 at 8:22 AM, Lukas Tribus <lu...@gmx.net> wrote:

> Hi Roshan,
>
>
> Am 28.12.2016 um 13:11 schrieb Roshan Pradeep:
>
>> Hi Guys
>>
>> Trying to implement SNI with HAProxy 1.6 version.
>>
>> How I want is:
>> 1. Load all the certs to a directory as pem format (one site cert chain
>> in one file). So there are multiple files (may be 20-30 pem files in the
>> folder)
>>
>> 2. Configure HAProxy to dynamically load the appropriate ssl cert based
>> on the SNI header.
>>
>> Below is my front end. Any idea?
>>
>> frontend sni-https
>> bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/
>>
>
> Yes, that's it.
>
>
>> mode http
>> tcp-request  inspect-delay 5s
>> tcp-request content accept if { req_ssl_hello_type 1 }
>> use_backend sni_web_server if { req_ssl_sni -m found }
>> default_backend no_sni
>>
>
> Nope, not like this. When you are deciphering SSL on haproxy (as opposed to
> TCP passthrough), you have to use ssl_fc_sni in your ACL [1]. Also
> "tcp-request" is not necessary.
>
>
> Lukas
>
>
>
> [1] https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.4-ssl_fc_sni
>



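The distinction discussed in this thread, as an added configuration example that is not part of the original messages: the TLS-terminating frontend using ssl_fc_sni, next to the TCP-passthrough form where req_ssl_sni and the tcp-request rules belong. The passthrough frontend name and port, the sni_tcp_server and no_sni_tcp backends, and all server addresses are assumptions made for illustration.

```haproxy
# Added example, not from the thread. Server addresses are placeholders
# from the 192.0.2.0/24 documentation range.

# Case 1: HAProxy terminates TLS (the setup asked about in this thread).
frontend sni-https
    # Every PEM file in the directory is loaded; HAProxy selects the
    # certificate matching the client's SNI itself, so adding a PEM file
    # does not require a new ACL when all sites share one backend.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/
    mode http
    # ssl_fc_sni reads the SNI of the already-deciphered connection,
    # so no "tcp-request" inspection rules are needed here.
    use_backend sni_web_server if { ssl_fc_sni -m found }
    default_backend no_sni

# Case 2: TCP passthrough (the servers terminate TLS, HAProxy does not).
# Shown on a different port only so both cases fit in one file.
frontend sni-passthrough
    bind 0.0.0.0:8443          # no "ssl" keyword: traffic stays encrypted
    mode tcp
    # Wait for the ClientHello so req_ssl_sni has data to inspect.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend sni_tcp_server if { req_ssl_sni -m found }
    default_backend no_sni_tcp

backend sni_web_server
    mode http
    server web1 192.0.2.10:80

backend no_sni
    mode http
    server fallback 192.0.2.11:80

backend sni_tcp_server
    mode tcp
    server tls1 192.0.2.20:443

backend no_sni_tcp
    mode tcp
    server tlsfallback 192.0.2.21:443
```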