Hello!

On Thu, 16 May 2019 at 18:37, Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> Hi.
>
> I use the following lines:
>
>     use_backend xmppc2s-backend if { req.ssl_sni  -i domain.im }
>     use_backend cloud-hop-backend if { ssl_fc_sni -i cloud.domain.at }
>
> and asked myself which one is the recommended line?

Those are 2 different things I believe are clearly and verbosely
explained in the docs, even specifically mentioning the difference
between each other:

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.ssl_sni
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc_sni

In short: one parses the TCP buffer for the SNI value (when
transparently passing through TLS traffic without local termination)
and one extracts the value from the OpenSSL API (when terminating
TLS).


> Does this line make sense?
>     tcp-request content accept if { ssl_fc_sni 1 }

Probably not.

Not sure why you'd expect this value to be 1?


Regards,
lukas
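
The two cases from the reply above, side by side as an HAProxy configuration. This is an added example, not part of the original thread or either poster's setup. The backend names and hostnames come from the quoted lines; the frontend names, ports, 192.0.2.x addresses and certificate path are assumed placeholders.

```haproxy
# Constructed example: frontend names, ports, server addresses and the
# certificate path are placeholders, not values from the thread.

# Case 1: TLS passthrough. No "ssl" on the bind line, so HAProxy never
# decrypts anything. req.ssl_sni parses the raw ClientHello sitting in the
# TCP request buffer.
frontend fe_passthrough
    mode tcp
    bind :5223
    # Give the client up to 5s to send its ClientHello, then accept once
    # a ClientHello (handshake type 1) is present in the buffer.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend xmppc2s-backend if { req.ssl_sni -i domain.im }

# Case 2: TLS terminated by HAProxy ("ssl crt" on the bind line).
# ssl_fc_sni returns the SNI that the TLS library saw during the handshake.
frontend fe_terminate
    mode http
    bind :443 ssl crt /etc/haproxy/certs/placeholder.pem
    use_backend cloud-hop-backend if { ssl_fc_sni -i cloud.domain.at }

backend xmppc2s-backend
    mode tcp
    # Still-encrypted stream is forwarded as-is.
    server xmpp1 192.0.2.10:5223

backend cloud-hop-backend
    mode http
    # Decrypted HTTP is forwarded to the application.
    server cloud1 192.0.2.20:8080
```

Swapping the fetches does not work: on a bind line with `ssl`, the handshake is consumed by the TLS layer and `req.ssl_sni` finds nothing in the buffer, while on a plain TCP bind `ssl_fc_sni` is empty because no TLS session exists on the HAProxy side.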
