Le 27/12/2016 à 00:35, Patrick Hemmer a écrit :
On 2016/12/23 09:28, Arnall wrote:
Hi everyone,
i'm using a nbproc > 1 configuration for ssl offloading :
listen web_tls
mode http
bind *:443 ssl crt whatever.pem process 2
bind *:443 ssl crt whatever.pem process 3
../..
server web_plain u...@plain.sock send-proxy-v2-ssl
frontend web_plain
bind *:80 process 1
bind u...@plain.sock process 1 accept-proxy
../..
And i'm looking for a secure solution in the web_plain frontend to
know if the request come from web_tls or not ( in fact i want to know
if the connection was initially made via SSL/TLS transport ).
I though that send-proxy-v2-ssl could help but i have no idea how ...
src and src_port are OK with the proxy protocol but ssl_fc in
web_plain keeps answering false ( 0 ) even the request come from
web_tls.
I could set and forward a secret header set in web_tls but i don't
like the idea ... (have to change the header each time an admin sys
leave the enterprise... )
Thanks.
This use case has come up a few times:
https://www.mail-archive.com/haproxy@formilux.org/msg23882.html
My crude solution is an ACL check on the port the client connected to
(dst_port eq 443).
-Patrick
Thanks for the answer and happy new year !