Re: SNI with multiple SSL certs

2016-12-28 Thread Lukas Tribus

Hello,


On 28.12.2016 at 22:33, Roshan Pradeep wrote:

Thanks Lukas for the reply.

Regarding the second part of your reply:

Then do I need to use like this?

use_backend backend_site1 if { ssl_fc_sni site1 }
use_backend backend_site2 if { ssl_fc_sni site2 }

Because to minimize the admin overhead, do I need to add a new acl 
every time if I add a new SSL cert?

For all the certs, I have one common back-end. Appreciate your reply


You don't need the second part at all then. Just use a single default 
backend.



Lukas



Re: SNI with multiple SSL certs

2016-12-28 Thread Roshan Pradeep
Thanks Lukas for the reply.

Regarding the second part of your reply:

Then do I need to use like this?

use_backend backend_site1 if { ssl_fc_sni site1 }
use_backend backend_site2 if { ssl_fc_sni site2 }

Because to minimize the admin overhead, do I need to add a new acl every
time if I add a new SSL cert?

For all the certs, I have one common back-end. Appreciate your reply

Kind Regards

Roshan

On Thu, Dec 29, 2016 at 8:22 AM, Lukas Tribus  wrote:

> Hi Roshan,
>
>
> On 28.12.2016 at 13:11, Roshan Pradeep wrote:
>
>> Hi Guys
>>
>> Trying to implement SNI with HAProxy 1.6.
>>
>> What I want is:
>> 1. Load all the certs into a directory in PEM format (one site's cert
>> chain per file), so there are multiple files (maybe 20-30 PEM files in
>> the folder).
>>
>> 2. Configure HAProxy to dynamically load the appropriate SSL cert based
>> on the SNI header.
>>
>> Below is my front end. Any idea?
>>
>> frontend sni-https
>> bind 0.0.0.0:443  ssl crt /etc/haproxy/ssl/
>>
>
> Yes, that's it.
>
>
> mode http
>> tcp-request  inspect-delay 5s
>> tcp-request content accept if { req_ssl_hello_type 1 }
>> use_backend sni_web_server if { req_ssl_sni -m found }
>> default_backend no_sni
>>
>
> Nope, not like this. When you are deciphering SSL on haproxy (as opposed to
> TCP passthrough), you have to use ssl_fc_sni in your ACL [1]. Also
> "tcp-request"
> is not necessary.
>
>
> Lukas
>
>
>
> [1] https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.4-ssl_fc_sni
>



-- 

Roshan Pradeep
Senior DevOps Engineer

Whispir

Level 30 360 Collins Street
Melbourne / Victoria 3000 / Australia
GPO Box 130 / Victoria 3001 / Australia
T +61 3 8630 9900 / M +61 428 419 313
F +61 3 8630 9990 / E rprad...@whispir.com
1300 WHISPIR / 1300 944 774

-- 
This communication contains information which is confidential and the 
copyright of Whispir or a third party. If you have received this email in 
error please notify us by return email or telephone Whispir on +613 8630 
9900 and delete the document and delete all copies immediately. If you are 
the intended recipient of this communication you should not copy, disclose 
or distribute this communication without the authority of Whispir. Any 
views expressed in this Communication are those of the individual sender, 
except where the sender specifically states them to be the views of 
Whispir. Except as required at law, Whispir does not represent, warrant 
and/or guarantee that the integrity of this communication has been 
maintained nor that the communication is free of errors,virus, interception 
or interference.


Re: SNI with multiple SSL certs

2016-12-28 Thread Lukas Tribus

Hi Roshan,


On 28.12.2016 at 13:11, Roshan Pradeep wrote:

Hi Guys

Trying to implement SNI with HAProxy 1.6.

What I want is:
1. Load all the certs into a directory in PEM format (one site's cert 
chain per file), so there are multiple files (maybe 20-30 PEM files 
in the folder).

2. Configure HAProxy to dynamically load the appropriate SSL cert 
based on the SNI header.


Below is my front end. Any idea?

frontend sni-https
bind 0.0.0.0:443  ssl crt /etc/haproxy/ssl/


Yes, that's it.



mode http
tcp-request  inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend sni_web_server if { req_ssl_sni -m found }
default_backend no_sni


Nope, not like this. When you are deciphering SSL on haproxy (as opposed to
TCP passthrough), you have to use ssl_fc_sni in your ACL [1]. Also
"tcp-request" is not necessary.


Lukas



[1] https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.4-ssl_fc_sni
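Lukas's two replies in this thread (use ssl_fc_sni, not req_ssl_sni, once haproxy itself deciphers the TLS; drop the tcp-request rules; and with one shared backend just use a single default_backend) put together as one frontend. This is an added example, not a configuration from the thread or from the HAProxy project. The certificate directory is the one Roshan posted; the backend names, server address, hostnames, the no-SNI handling and the strict-sni variant are assumptions for illustration, written against the 1.6 syntax the thread is about.

```haproxy
# Added example (not from the thread): HAProxy 1.6 frontend terminating TLS
# with one PEM file per site in a directory. HAProxy picks the certificate
# for the SNI the client sent from the files it loaded at startup; no ACL
# is involved in that choice.
# Assumed for illustration: backend names, server address, hostnames.

frontend sni-https
    mode http
    # Every file in the directory is loaded, in alphabetical order. In 1.6
    # each file must hold the site certificate, its intermediate chain AND
    # the private key, so keep the directory root-owned and unreadable to
    # other users.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/

    # The connection is already deciphered here, so the hostname the client
    # asked for is read with ssl_fc_sni. req_ssl_sni only sees the raw
    # ClientHello in a TCP passthrough frontend and would never match, and
    # the tcp-request inspect-delay / content accept pair is not needed.

    # Case from the thread: all certificates front one pool, so no ACL is
    # needed and nothing changes when a new .pem is dropped in and haproxy
    # is reloaded.
    default_backend common_web

    # Only if some sites must reach a different pool: match the full
    # hostname, case-insensitively (-i), one rule per such site.
    # use_backend backend_site1 if { ssl_fc_sni -i site1.example.com }
    # use_backend backend_site2 if { ssl_fc_sni -i site2.example.com }

    # Optional: send clients that sent no SNI at all to a dedicated backend
    # instead of the default one. Without strict-sni (below) they are still
    # handed the first certificate loaded from the directory.
    # use_backend no_sni unless { ssl_fc_has_sni }

backend common_web
    mode http
    server web1 10.0.0.10:80 check

# Hardening variant of the bind line (assumed, not from the thread): refuse
# the handshake when the SNI matches none of the loaded certificates instead
# of answering with the default (first loaded) certificate, which otherwise
# reveals one of the hosted names to anything that connects to the IP.
#   bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/ strict-sni

# Check from a client after reload (assumed address and hostname): the
# certificate returned must carry the -servername value in its SAN.
#   openssl s_client -connect 203.0.113.10:443 -servername site1.example.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -text | grep -A1 'Subject Alternative Name'
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; it also reports any PEM in the directory that is missing its private key, which is the usual reason a new certificate "does not load".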




SNI with multiple SSL certs

2016-12-28 Thread Roshan Pradeep
Hi Guys

Trying to implement SNI with HAProxy 1.6.

What I want is:
1. Load all the certs into a directory in PEM format (one site's cert chain
per file), so there are multiple files (maybe 20-30 PEM files in the
folder).

2. Configure HAProxy to dynamically load the appropriate SSL cert based on
the SNI header.

Below is my front end. Any idea?

frontend sni-https
  bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/
  mode http
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend sni_web_server if { req_ssl_sni -m found }
  default_backend no_sni

Thanks

Roshan