Re: Use SNI with healthchecks

2018-04-26 Thread Willy Tarreau
On Fri, Apr 27, 2018 at 06:39:07AM +0200, Willy Tarreau wrote: > I think that a few operators like strcmp() and concat() should be > implemented to cover the short-term needs. I forgot that I finally implemented concat() after talking about it for about a year :-) It is a good starting point to

Re: Use SNI with healthchecks

2018-04-26 Thread Willy Tarreau
Hi Tim, On Fri, Apr 27, 2018 at 12:16:15AM +0200, Tim Düsterhus wrote: > The solution I got from "Holger Just" was: > > > http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if > > { ssl_fc_has_sni } > > http-request deny if { ssl_fc_has_sni } ! { >

Re: Use SNI with healthchecks

2018-04-26 Thread Willy Tarreau
Hi Lukas, On Fri, Apr 27, 2018 at 01:56:42AM +0200, Lukas Tribus wrote: > Hello Willy, > > > On 25 April 2018 at 12:16, Willy Tarreau wrote: > >> I'm not even sure that differentiate "Host" header from SNI values is > >> possible on softwares like Nginx or Apache. > > > > It

Re: Use SNI with healthchecks

2018-04-26 Thread Lukas Tribus
Hello Willy, On 25 April 2018 at 12:16, Willy Tarreau wrote: >> I'm not even sure that differentiate "Host" header from SNI values is >> possible on softwares like Nginx or Apache. > > It should not, that would be a violation of HTTP over TLS. I think I disagree. This is very

Re: Use SNI with healthchecks

2018-04-26 Thread Tim Düsterhus
Willy, On 25.04.2018 at 12:16, Willy Tarreau wrote: > On Wed, Apr 25, 2018 at 09:48:13AM +, GALLISSOT VINCENT wrote: >> I don't see a case where one would define a different check-sni or sni values >> from the "Host" header. > > It definitely must match in HTTP. *snip* > >> I'm not even

RE: Use SNI with healthchecks

2018-04-25 Thread GALLISSOT VINCENT
> It definitely must match in HTTP. However there's nothing making it mandatory > to send HTTP checks, let alone a Host header field (eg: if sending a simple > HTTP/1.0 request). However I'm noting the comment, because once we're able > to more easily configure the HTTP checks, we could imagine

Re: Use SNI with healthchecks

2018-04-25 Thread Willy Tarreau
On Wed, Apr 25, 2018 at 09:48:13AM +, GALLISSOT VINCENT wrote: > I don't see a case where one would define a different check-sni or sni values > from the "Host" header. It definitely must match in HTTP. However there's nothing making it mandatory to send HTTP checks, let alone a Host header

RE: Use SNI with healthchecks

2018-04-25 Thread GALLISSOT VINCENT
: Jonathan Matthews Cc: GALLISSOT VINCENT; Lukas Tribus; haproxy@formilux.org Subject: Re: Use SNI with healthchecks On Tue, Apr 24, 2018 at 06:50:13PM +, Jonathan Matthews wrote: > [Top post; fight me] Grrr > You could either read an environment variable inherited from outside the

Re: Use SNI with healthchecks

2018-04-25 Thread Willy Tarreau
On Tue, Apr 24, 2018 at 06:50:13PM +, Jonathan Matthews wrote: > [Top post; fight me] Grrr > You could either read an environment variable inherited from outside the > process, or use "setenv" or "presetenv" as appropriate to DRY your config > out. > > The fine manual describes how you

Re: Use SNI with healthchecks

2018-04-24 Thread Jonathan Matthews
t)] for "option httpchk" nor for > "check-sni" directives. > > > Do you know how can I define only one time my Host header in the code > above ? > > > Thanks, > > Vincent > > > ---------- > *From:* GALLISSOT VINCENT > *Env

RE: Use SNI with healthchecks

2018-04-24 Thread GALLISSOT VINCENT
ISSOT VINCENT Sent: Monday 23 April 2018 17:33 To: Lukas Tribus Cc: haproxy@formilux.org Subject: RE: Use SNI with healthchecks Thank you very much for your answers, I'll migrate to 1.8 asap to fix this. Vincent From: lu...@ltri.eu <lu...@ltri.eu> de l

Re: Use SNI with healthchecks

2018-04-23 Thread Lukas Tribus
Hello Vincent, On 23 April 2018 at 16:38, GALLISSOT VINCENT wrote: > Does anybody know how can I use healthchecks over HTTPS with SNI support ? You need haproxy 1.8 for this, it contains the check-sni directive which allows to set SNI to a specific string for the

Re: Use SNI with healthchecks

2018-04-23 Thread Jerome Magnin
Hi Vincent, On Mon, Apr 23, 2018 at 02:38:32PM +, GALLISSOT VINCENT wrote: > Hi all, > > > I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront > distributions as backend servers. > > I saw in this mailing-list archives that SNI is not used by default even when >

Use SNI with healthchecks

2018-04-23 Thread GALLISSOT VINCENT
Hi all, I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront distributions as backend servers. I saw in this mailing-list archives that SNI is not used by default even when using the ssl directive. We don't pay for SNI on that distribution, that means CloudFront doesn't