Hi. Looks like my last mail was not passed to the list.
On 16.05.2019 at 22:27, Lukas Tribus wrote:
> Hello!
>
>
> On Thu, 16 May 2019 at 18:37, Aleksandar Lazic <al-hapr...@none.at> wrote:
>>
>> Hi.
>>
>> I use the following lines:
>>
>> use_backend xmppc2s-backend if { req.ssl_sni -i domain.im }
>> use_backend cloud-hop-backend if { ssl_fc_sni -i cloud.domain.at }
>>
>> and asked myself which one is the recommended line?
>
> Those are 2 different things I believe are clearly and verbosely
> explained in the docs, even specifically mentioning the difference
> between each other:
>
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.5-req.ssl_sni
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc_sni
>
> In short: one parses the TCP buffer for the SNI value (when
> transparently passing through TLS traffic without local termination)
> and one extracts the value from the OpenSSL API (when terminating
> TLS).

Thanks, it helps to talk about it ;-)

>> Do these lines make sense?
>> tcp-request content accept if { ssl_fc_sni 1 }
>
> Probably not.
>
> Not sure why you'd expect this value to be 1?

Because I didn't understand what this variable is for.

After some reading and testing I have created this config file.

https://gist.github.com/git001/73d1b7bcc3813ba40028c887e4f3e7f6

From my understanding the workflow is like this; is this right?

```
client -> tcp listener reads req.ssl_sni. NO TLS handling ->
  -> req.ssl_sni MyDomain.im -> go to be_sni_xmpp/fe_sn_xmpp ->
     -> handle tls from client => connect to server handle server TLS
  -> default backend -> go to be_sni/fe_sni ->
     -> handle tls from client => talk to backends
```

The requirement is to run haproxy on 443 and route to http backends (nextcloud and mod_upload of ejabberd) and a tcp backend (xmpp tls direct).

I wanted to use `alpn h2,http/1.1` in `frontend https-in`, but the nextcloud apache uses http/1 and therefore the server in `backend nextcloud-backend` failed to serve the http traffic.

I use haproxy 1.9.7, which will be updated soon.

The config file works, but it would be nice to have some feedback on whether the config is state of the art and set up as designed. Thank you for any feedback.

Best regards
Aleks
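An added example config (not the gist linked in the thread and not the author's own setup) showing the pattern the thread describes: a TCP listener that waits for the ClientHello with `req.ssl_hello_type`, routes on the buffered `req.ssl_sni`, and loops everything else over an abns socket into a TLS-terminating frontend that routes on `ssl_fc_sni`. The XMPP branch is simplified to plain passthrough, and the hostnames, backend names, certificate path and server addresses are placeholders.

```haproxy
# Illustrative HAProxy config (added example, not the thread's gist).
# All names, hostnames and addresses below are placeholders.

frontend fe_tcp_in
    mode tcp
    bind :443
    # req.ssl_sni can only be read once the ClientHello is buffered, so
    # wait a bounded time and accept as soon as a ClientHello (type 1)
    # has been seen. This is the correct form of the "accept if" line
    # discussed in the thread; ssl_fc_sni does not apply without TLS
    # termination.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # XMPP: raw TLS passthrough, routed on the SNI parsed from the buffer.
    use_backend xmppc2s-backend if { req.ssl_sni -i domain.im }
    # Everything else goes back into HAProxy to be terminated.
    default_backend be_sni

backend xmppc2s-backend
    mode tcp
    server xmpp 127.0.0.1:5223 check

backend be_sni
    mode tcp
    # Abstract-namespace socket: no extra TCP port exposed on the host.
    # PROXY protocol keeps the real client address for logging/ACLs.
    server loopback abns@fe_sni send-proxy-v2

frontend fe_sni
    mode http
    # TLS is terminated here, so ssl_fc_sni (from the OpenSSL session) is
    # the right fetch. ALPN limited to http/1.1 as in the thread's setup.
    bind abns@fe_sni accept-proxy ssl crt /etc/haproxy/certs/ alpn http/1.1
    http-request set-header X-Forwarded-Proto https
    use_backend cloud-hop-backend if { ssl_fc_sni -i cloud.domain.at }
    default_backend nextcloud-backend

backend cloud-hop-backend
    mode http
    server ejabberd_upload 127.0.0.1:5443 check

backend nextcloud-backend
    mode http
    server nextcloud 127.0.0.1:8080 check
```

Validate with `haproxy -c -f <file>` before reloading; the inspect-delay is a hard upper bound, so a client that never sends a ClientHello is dropped rather than held indefinitely.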