Hi,

Proposal reworked after playing with « authority » and looking at how « src »/« dst » work.

« Authority » can come from the transport layer (TLS), the ProxyV2 TLV or « set-authority ».
« src/dst » is set from the transport layer (TCP), overwritten by Proxy-protocol and « set-{src,dst} ».

I propose to do the same for the « authority » sample fetch: pick « authority » from « set-authority », Proxy-protocol, and the transport layer (in this order). It's already what authority is in « proxy-v2-options authority ».
=> « fc_pp_authority » disappears in favour of the generic « authority » sample fetch.

Example:

    listen offload
      mode tcp
      bind :80
      bind :443 ssl crt-list /etc/haproxy/crtbindlist.cfg
      server bla 127.0.0.1:8080 send-proxy-v2 proxy-v2-options authority

    listen onload
      mode tcp
      bind 127.0.0.1:8080 accept-proxy
      acl has_authority authority -m found
      tcp-request inspect-delay 5s
      tcp-request content set-authority hdr(Host),lower if !has_authority
      tcp-request content reject if !has_authority
      server srvssl 0.0.0.0:443 ssl verify none sni authority

Note: in case of:

    tcp-request connection set-authority str(authbla)

« authority » is set before ProxyV2, and will be overwritten by the TLV authority.

Included my patch for that proposal. (It could be split with comments from this mail.)

++
Manu
0001-MINOR-connection-add-set-authority-and-normalize-aut.patch
Description: Binary data
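The lookup order proposed in the mail above, as an added example (not code from the attached patch or from HAProxy): a bounds-checked reader for the PROXY v2 authority TLV (type 0x02 in the PROXY protocol specification) and a resolver that picks set-authority, then the TLV, then the TLS value. The function names and the sample header are constructed for illustration.

```python
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature
PP2_TYPE_AUTHORITY = 0x02              # authority TLV type in the PROXY v2 spec
ADDR_LEN = {0x11: 12, 0x21: 36}        # address block size: TCP/IPv4, TCP/IPv6

def pp2_authority(buf):
    """Return the authority TLV of a PROXY v2 header, or None if absent."""
    if len(buf) < 16 or buf[:12] != PP2_SIG or buf[12] >> 4 != 2:
        raise ValueError("not a PROXY v2 header")
    fam, length = buf[13], struct.unpack("!H", buf[14:16])[0]
    body = buf[16:16 + length]
    if len(body) != length or fam not in ADDR_LEN or length < ADDR_LEN[fam]:
        raise ValueError("truncated or unsupported header")
    pos = ADDR_LEN[fam]                # TLVs follow the address block
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = body[pos], struct.unpack("!H", body[pos + 1:pos + 3])[0]
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:      # declared length runs past the header
            raise ValueError("TLV overruns header")
        if tlv_type == PP2_TYPE_AUTHORITY:
            return value.decode("utf-8")
        pos += 3 + tlv_len
    return None

def resolve_authority(set_authority=None, pp_authority=None, tls_sni=None):
    """Proposed order: set-authority, then PROXY v2 TLV, then transport layer."""
    for source, value in (("set-authority", set_authority),
                          ("proxy-v2", pp_authority),
                          ("tls", tls_sni)):
        if value:
            return source, value
    return None, None

def build_pp2(authority=None):
    """Constructed sample: PROXY command, TCP/IPv4, optional authority TLV."""
    addrs = bytes([192, 0, 2, 10, 127, 0, 0, 1]) + struct.pack("!HH", 51000, 8080)
    tlv = b""
    if authority is not None:
        raw = authority.encode("utf-8")
        tlv = bytes([PP2_TYPE_AUTHORITY]) + struct.pack("!H", len(raw)) + raw
    payload = addrs + tlv
    return PP2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(payload)) + payload
```

The TLV value is whatever the peer speaking PROXY protocol sent, which is why the declared lengths are checked before the value is used as an authority.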