> On 27 Sept. 2019 at 12:23, Geoff Simmons <ge...@uplex.de> wrote:
>
> On 9/26/19 19:27, Emmanuel Hocdet wrote:
>
>>> And I wonder if there are situations in which someone will want to
>>> specifically choose one source of truth for authority over the other.
>>> Suppose an incoming connection uses TLS with an SNI, and the peer
>>> component also sends an authority TLV via Proxy. Is a situation
>>> imaginable in which only one of them is getting it "right", for the
>>> purposes of haproxy, and the config author wants to be sure to catch
>>> that one only?
>>
>> You can with the sample fetch from transport layer, « ssl_fc_sni » for TLS.
>
> Then if I understand correctly:
>
> - when you prefer the authority value from TLS, use the ssl_fc_sni fetch
>

yes, or fix authority value with tcp-request content set-authority ssl_fc_sni

> - if you prefer the value from the Proxy TLV, just use the authority
> fetch, since that one prefers the TLV over the value from TLS, according
> to the rules described above.
>
> Is that right?
>

yes

++
Manu
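
Added example, not part of the original message and not haproxy code: a minimal Python parser that extracts the authority TLV (PP2_TYPE_AUTHORITY, 0x02) from a PROXY protocol v2 header and applies the precedence confirmed in the thread (Proxy TLV first, TLS SNI as fallback). The function names, addresses and host names are constructed for illustration.

```python
import struct

# Constants from the PROXY protocol v2 specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_ALPN = 0x01
PP2_TYPE_AUTHORITY = 0x02
ADDR_LEN = {0x11: 12, 0x12: 12, 0x21: 36, 0x22: 36}  # TCP/UDP over IPv4/IPv6

def parse_authority_tlv(header: bytes):
    """Return the authority TLV value of a PROXY v2 header, or None if absent."""
    if len(header) < 16 or header[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", header[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    body = header[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated header")
    if ver_cmd & 0x0F == 0:          # LOCAL command: protocol block is discarded
        return None
    if fam not in ADDR_LEN or ADDR_LEN[fam] > length:
        raise ValueError("unsupported or truncated address block")
    pos = ADDR_LEN[fam]              # TLVs start right after the addresses
    while pos < length:
        if pos + 3 > length:
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + tlv_len > length:   # declared length must stay inside the header
            raise ValueError("TLV overruns header")
        if tlv_type == PP2_TYPE_AUTHORITY:
            return body[pos:pos + tlv_len].decode("utf-8")
        pos += tlv_len
    return None

def effective_authority(tlv_authority, sni):
    """Precedence confirmed in the thread: Proxy TLV first, then TLS SNI."""
    return tlv_authority if tlv_authority is not None else sni

def build_sample(authority: bytes) -> bytes:
    """Constructed sample header: TCP over IPv4, an ALPN TLV, then authority."""
    addrs = bytes([192, 0, 2, 10, 192, 0, 2, 20]) + struct.pack("!HH", 51000, 443)
    tlvs = struct.pack("!BH", PP2_TYPE_ALPN, 2) + b"h2"
    tlvs += struct.pack("!BH", PP2_TYPE_AUTHORITY, len(authority)) + authority
    body = addrs + tlvs
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

if __name__ == "__main__":
    tlv = parse_authority_tlv(build_sample(b"tlv.example.test"))
    print(effective_authority(tlv, "sni.example.test"))
```
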