> Le 27 sept. 2019 à 12:23, Geoff Simmons <ge...@uplex.de> a écrit :
> On 9/26/19 19:27, Emmanuel Hocdet wrote:
>>> And I wonder if there are situations in which someone will want to
>>> specifically choose one source of truth for authority over the other.
>>> Suppose an incoming connection uses TLS with an SNI, and the peer
>>> component also sends an authority TLV via Proxy. Is a situation
>>> imaginable in which only one of them is getting it "right", for the
>>> purposes of haproxy, and the config author wants to be sure to catch
>>> that one only?
>> You can with the sample fetch from transport layer, « ssl_fc_sni » for TLS.
> Then if I understand correctly:
> - when you prefer the authority value from TLS, use the ssl_fc_sni fetch

yes, or fix authority value with  tcp-request content set-authority ssl_fc_sni

> - if you prefer the value from the Proxy TLV, just use the authority
> fetch, since that one prefers the TLV over the value from TLS, according
> to the rules described above.
> Is that right?



Reply via email to