Hi,
I'd like to configure haproxy to listen on a single IP address and port
443. Based on the SNI information of the incoming connections, I'd like to
terminate some of the SSL connections on the proxy and send plain HTTP
requests to the backend. For other domain names, however, I'd like to
operate in TCP mode and simply cut through the connection to the backend,
wihtout decrypting the traffic.
The only solution I managed to cook up after some experimentation involves
looping back to haproxy itself:
frontend fe_https_dispatch
bind *:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend be_lets_encrypt if { req.ssl_sni -m end .acme.invalid }
default_backend be_https_loopback
backend be_lets_encrypt
mode tcp
server srv_lets_encrypt 127.0.0.1:63443
backend be_https_loopback
mode tcp
server srv_https_loopback 127.0.0.1:36427
frontend fe_https_loopback
bind *:36427 ssl crt /etc/ssl/certs/ strict-sni
mode http
use_backend be_foo if { req.ssl_sni -i foo.example.com }
use_backend be_bar if { req.ssl_sni -i bar.example.com }
[… backend definitions of be_foo and be_bar …]
This feels like a hack, and I also wonder whether this has performance
implications, since each request is parsed twice by haproxy. Is there any
way to achieve this without looping back to haproxy?
Cheers,
--
Sven
@OpenCraft
