Re: HAProxy and Apache reverse proxy with TLS passthrough

2020-09-03 Thread Tom Browder
On Thu, Sep 3, 2020 at 15:40 Илья Шипицин wrote:

> Seems you are talking about SNI routing, i.e. L7 routing based on the server
> name extension sent in the SSL Client Hello.
>
> Will the following work for you?
>
> https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
>

It looks like it has a good chance.

Thank you very much

Best regards,

-Tom


Re: HAProxy and Apache reverse proxy with TLS passthrough

2020-09-03 Thread Илья Шипицин
Seems you are talking about SNI routing, i.e. L7 routing based on the server
name extension sent in the SSL Client Hello.

Will the following work for you?
https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Thu, 3 Sep 2020 at 00:42, Tom Browder:

> I'm trying to cobble together the following https data flow:
>
> <== public internet ==>
>
> A. a single IPv4 Apache server with multiple virtual hosts
>  identified by SNI
>
> 1. for each virtual host with its unique domain:
>
> a.  use Apache's managed domain capability to get
>  and keep current a Letsencrypt TLS cert
> b.  have a reverse proxy to a backend TLS server (with
>  passthrough TLS) identified by a unique port number
>  on the local host
>
> <== reverse proxy ==>
>
> 2. for each unique backend server
>
> a.  respond to public domain https requests
> b.  serve both static and dynamic content back
> to the public client
>
> Notes:
>
> 1. Each virtual host is defined in a single Apache macro.
> 2. I have Apache running apparently successfully up to the
> ProxyPass and ProxyReverse point but cannot get a
> valid connection.
> 3. I can get the scenario to work in a non-TLS environment.
> 4. The solutions I've seen with Nginx and Caddy require
>  wildcard certs or unique IPs, neither of which will
>  work for me in my current understanding of Apache.
>
> Questions:
>
> 1. Is this TLS scenario theoretically possible?
> 2. If so, can HAProxy help make it happen?
> 3. What are my options for the backend server?
>  I have seen very little discussion of that
>  except in vague terms of a "dynamic
>  server" (for which I plan to use a Raku
>  language server called Cro).
>
> Thanks for any help.
>
> Best regards,
>
> -Tom
>
>
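The SNI-routing setup Ilya points at, written out as an added example (this configuration is not from the thread, from the HAProxy blog post, or from either poster's own setup). HAProxy takes port 443, reads only the unencrypted ClientHello, and forwards the raw TLS bytes to a backend chosen by server name, so every backend keeps terminating its own certificate: Apache with its mod_md-managed Let's Encrypt certs on one local port, the Cro application on another. No wildcard certificate or extra IP is needed. The hostnames, the local ports 8443/8444 and the backend names are assumptions.

```haproxy
# Added example, not from the thread. Hostnames and ports are assumptions.
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp            # no TLS termination here: pure passthrough
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend tls_in
    bind *:443
    # Hold the connection for up to 5s so the full ClientHello can arrive
    # before any routing decision is made.
    tcp-request inspect-delay 5s
    # Drop anything that is not a TLS ClientHello (handshake type 1):
    # plain HTTP, probes, or a client that sent nothing within the delay.
    tcp-request content reject unless { req_ssl_hello_type 1 }
    # Keep the SNI in capture slot 0 so the access log shows which name
    # each connection asked for (useful when hunting for scans/misrouting).
    tcp-request content capture req_ssl_sni len 100
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts sni=%[capture.req.hdr(0)]"

    # Route on the server name; the bytes themselves are untouched, so the
    # backend presents its own certificate and does its own TLS handshake.
    use_backend be_apache if { req_ssl_sni -i www.example.com }
    use_backend be_cro    if { req_ssl_sni -i app.example.com }
    # Unknown or absent SNI: hand to Apache, whose default vhost answers.
    default_backend be_apache

backend be_apache
    # Apache (mod_md keeps its Let's Encrypt certs current) moved off :443
    # to a local port. A plain TCP check is enough in passthrough mode.
    server apache 127.0.0.1:8443 check

backend be_cro
    # Cro application terminating its own TLS on another local port.
    server cro 127.0.0.1:8444 check
```

Validate with `haproxy -c -f haproxy.cfg`, then connect with `openssl s_client -connect <host>:443 -servername app.example.com` and confirm the certificate you get back is the one the Cro backend holds, not Apache's. Two caveats for this design: `req_ssl_sni` is whatever the client put in its ClientHello, so it is a routing key only, and each backend must still check the Host header against its own vhost; and because HAProxy never sees inside the stream it cannot add X-Forwarded-For, so a backend that needs the real client address has to accept the PROXY protocol (`send-proxy` on the server line) instead. ACME HTTP-01 challenges arrive on port 80, which this configuration does not touch, so Apache can keep answering them directly.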


HAProxy and Apache reverse proxy with TLS passthrough

2020-09-02 Thread Tom Browder
I'm trying to cobble together the following https data flow:

<== public internet ==>

A. a single IPv4 Apache server with multiple virtual hosts
 identified by SNI

1. for each virtual host with its unique domain:

a.  use Apache's managed domain capability to get
 and keep current a Letsencrypt TLS cert
b.  have a reverse proxy to a backend TLS server (with
 passthrough TLS) identified by a unique port number
 on the local host

<== reverse proxy ==>

2. for each unique backend server

a.  respond to public domain https requests
b.  serve both static and dynamic content back
to the public client

Notes:

1. Each virtual host is defined in a single Apache macro.
2. I have Apache running apparently successfully up to the
ProxyPass and ProxyReverse point but cannot get a
valid connection.
3. I can get the scenario to work in a non-TLS environment.
4. The solutions I've seen with Nginx and Caddy require
 wildcard certs or unique IPs, neither of which will
 work for me in my current understanding of Apache.

Questions:

1. Is this TLS scenario theoretically possible?
2. If so, can HAProxy help make it happen?
3. What are my options for the backend server?
 I have seen very little discussion of that
 except in vague terms of a "dynamic
 server" (for which I plan to use a Raku
 language server called Cro).

Thanks for any help.

Best regards,

-Tom