Hi Vincent,
On Mon, Apr 23, 2018 at 02:38:32PM +0000, GALLISSOT VINCENT wrote:
> Hi all,
>
> I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront
> distributions as backend servers.
>
> I saw in this mailing-list archives that SNI is not used by default even when
> using the ssl directive.
>
> We don't pay for SNI on that distribution, that means CloudFront doesn't
> provide a certificate on its default vhost.
>
> Because of that, all healthchecks fail with "handshake failure".
>
> I temporarily by-passed the issue by adding "port 80" to allow healthchecks
> over HTTP:
>
>     option httpchk HEAD /check HTTP/1.1\r\nHost:\ mydistribution.cloudfront.net
>     server mydistribution mydistribution.cloudfront.net:443 check resolvers mydns port 80 cookie no-sslv3 ssl verify required ca-file ca-certificates.crt
>
> Does anybody know how can I use healthchecks over HTTPS with SNI support?
>
Prior to 1.8 if you want SNI in the health checks you have to use something
along these lines:
    backend moo
        mode http
        option httpchk GET / HTTP/1.0
        # "addr"/"port" send the check (in clear) to the local listener below
        server s1 my.example.host:443 check addr 127.0.0.1 port 1234 ssl sni str("my.example.host")

    listen foo
        bind 127.0.0.1:1234
        # this hop adds the SNI when forwarding the check to the real server
        server s1 my.example.host:443 sni str("my.example.host") ssl
That's because the sni keyword only applies to proxied traffic, and not to checks, so
you check through a listener that will add the SNI.
With 1.8 and later, you just use check-sni <sni> on server lines.
cheers,
Jérôme
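Putting the two replies together for the CloudFront case from the question, as an added example that is not from either poster: the distribution name, check path, loopback port 1234 and CA bundle path are taken from the thread; the section names, the explicit verifyhost, and the omission of the resolvers and cookie keywords from the original server line are my own choices.

```haproxy
# HAProxy 1.7: the check itself cannot send SNI, so send it in clear over
# loopback to a helper listener that opens the TLS+SNI connection to CloudFront.
backend cloudfront
    mode http
    # CloudFront routes on the Host header, so send it along with the SNI
    option httpchk HEAD /check HTTP/1.1\r\nHost:\ mydistribution.cloudfront.net
    # "addr"/"port" redirect the check to the helper listener; a check with its
    # own addr/port does not inherit "ssl", so it goes in clear on loopback only
    server mydistribution mydistribution.cloudfront.net:443 ssl sni str("mydistribution.cloudfront.net") verify required verifyhost mydistribution.cloudfront.net ca-file ca-certificates.crt check addr 127.0.0.1 port 1234

# Helper listener (bound to loopback only): adds SNI and certificate
# verification to the check connection before it reaches CloudFront.
listen cloudfront_check_sni
    mode http
    bind 127.0.0.1:1234
    server mydistribution mydistribution.cloudfront.net:443 ssl sni str("mydistribution.cloudfront.net") verify required verifyhost mydistribution.cloudfront.net ca-file ca-certificates.crt

# HAProxy 1.8+: no helper listener needed; "check-sni" sets the SNI on the
# check connection itself (shown under a second backend name so both
# variants can coexist in one file).
backend cloudfront_18
    mode http
    option httpchk HEAD /check HTTP/1.1\r\nHost:\ mydistribution.cloudfront.net
    server mydistribution mydistribution.cloudfront.net:443 check ssl sni str("mydistribution.cloudfront.net") check-sni mydistribution.cloudfront.net verify required verifyhost mydistribution.cloudfront.net ca-file ca-certificates.crt
```

The verify/verifyhost/ca-file settings are repeated on the helper listener's server line on purpose: that hop is the one that actually reaches CloudFront during a check, so leaving it at the default would make the check accept any certificate.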