Hello all!

As the subject anticipates, I have (on HAProxy 1.8.14) the following setup:
* an "upstream" HAProxy instance listening both on HTTP and HTTPS,
which sends to a backend that has configured `send-proxy-v2-ssl`;
* a "downstream" HAProxy instance listening with `accept-proxy`;

Apparently the `ssl_fc` on the downstream HAProxy is always set to
false even though the original request originates over TLS, and the
PROXY v2 protocol seems to correctly contain this information as seen
from the network capture below.

~~~~
00000000  0d 0a 0d 0a 00 0d 0a 51  55 49 54 0a 21 11 00 23   .......Q UIT.!..#
00000010  4f 76 0a b9 55 5a f4 f9  d9 ea 01 bb 01 00 02 68   Ov..UZ.. .......h
00000020  32 20 00 0f 01 00 00 00  00 21 00 07 54 4c 53 76   2 ...... .!..TLSv
00000030  31 2e 32 47 45 54 20 2f  20 48 54 54 50 2f 31 2e   1.2GET /  HTTP/1.
00000040  31 0d 0a 75 73 65 72 2d  61 67 65 6e 74 3a 20 63   1..user- agent: c
00000050  75 72 6c 2f 37 2e 36 33  2e 30 0d 0a 61 63 63 65   url/7.63 .0
~~~~

Thus my question is if `ssl_fc` is set to true only if the "current"
transport is actually over TLS?

And my second question, is there an ACL that evaluates to true if the
PROXY v2 protocol was used, and the TLS is present in the meta-data?

(I can obviously use the frontend port, which is correctly configured
to 443, to bypass `ssl_fc`, however I was looking for a more
"definitive" solution.)

Thanks,
Ciprian.
