On Fri, Apr 27, 2018 at 06:39:07AM +0200, Willy Tarreau wrote:
> I think that a few operators like strcmp() and concat() should be
> implemented to cover the short-term needs.
I forgot that I finally implemented concat() after talking about it for
about a year :-) It is a good starting point to
Hi Tim,
On Fri, Apr 27, 2018 at 12:16:15AM +0200, Tim Düsterhus wrote:
> The solution I got from "Holger Just" was:
>
> > http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if
> > { ssl_fc_has_sni }
> > http-request deny if { ssl_fc_has_sni } ! {
>
Hi Lukas,
On Fri, Apr 27, 2018 at 01:56:42AM +0200, Lukas Tribus wrote:
> Hello Willy,
>
>
> On 25 April 2018 at 12:16, Willy Tarreau wrote:
> >> I'm not even sure that differentiate "Host" header from SNI values is
> >> possible on softwares like Nginx or Apache.
> >
> > It
Hello Willy,
On 25 April 2018 at 12:16, Willy Tarreau wrote:
>> I'm not even sure that differentiate "Host" header from SNI values is
>> possible on softwares like Nginx or Apache.
>
> It should not, that would be a violation of HTTP over TLS.
I think I disagree.
This is very
Willy,
Am 25.04.2018 um 12:16 schrieb Willy Tarreau:
> On Wed, Apr 25, 2018 at 09:48:13AM +, GALLISSOT VINCENT wrote:
>> I don't see a case were one would define a different check-sni or sni values
>> from the "Host" header.
>
> It definitely must match in HTTP. *snip*
>
>> I'm not even
> It definitely must match in HTTP. However there's nothing making it mandatory
> to send HTTP checks, let alone a Host header field (eg: if sending a simple
> HTTP/1.0 request). However I'm noting the comment, because once we're able
> to more easily configure the HTTP checks, we could imagine
On Wed, Apr 25, 2018 at 09:48:13AM +, GALLISSOT VINCENT wrote:
> I don't see a case were one would define a different check-sni or sni values
> from the "Host" header.
It definitely must match in HTTP. However there's nothing making it mandatory
to send HTTP checks, let alone a Host header
: Jonathan Matthews
Cc : GALLISSOT VINCENT; Lukas Tribus; haproxy@formilux.org
Objet : Re: Use SNI with healthchecks
On Tue, Apr 24, 2018 at 06:50:13PM +, Jonathan Matthews wrote:
> [Top post; fight me]
Grrr
> You could either read an environment variable inherited from outside the
On Tue, Apr 24, 2018 at 06:50:13PM +, Jonathan Matthews wrote:
> [Top post; fight me]
Grrr
> You could either read an environment variable inherited from outside the
> process, or use "setenv" or "presetenv" as appropriate to DRY your config
> out.
>
> The fine manual describes how you
t)] for "option httpchk" nor for
> "check-sni" directives.
>
>
> Do you know how can I define only one time my Host header in the code
> above ?
>
>
> Thanks,
>
> Vincent
>
>
> ----------
> *De :* GALLISSOT VINCENT
> *Env
ISSOT VINCENT
Envoyé : lundi 23 avril 2018 17:33
À : Lukas Tribus
Cc : haproxy@formilux.org
Objet : RE: Use SNI with healthchecks
Thank you very much for your answers,
I'll migrate to 1.8 asap to fix this.
Vincent
De : lu...@ltri.eu <lu...@ltri.eu> de l
Hello Vincent,
On 23 April 2018 at 16:38, GALLISSOT VINCENT wrote:
> Does anybody know how can I use healthchecks over HTTPS with SNI support ?
You need haproxy 1.8 for this, it contains the check-sni directive
which allows to set SNI to a specific string for the
Hi Vincent,
On Mon, Apr 23, 2018 at 02:38:32PM +, GALLISSOT VINCENT wrote:
> Hi all,
>
>
> I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront
> distributions as backend servers.
>
> I saw in this mailing-list archives that SNI is not used by default even when
>
Hi all,
I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront
distributions as backend servers.
I saw in this mailing-list archives that SNI is not used by default even when
using the ssl directive.
We don't pay for SNI on that distribution, that means CloudFront doesn't
14 matches
Mail list logo