On Fri, Apr 27, 2018 at 06:39:07AM +0200, Willy Tarreau wrote:
> I think that a few operators like strcmp() and concat() should be
> implemented to cover the short-term needs.
I forgot that I finally implemented concat() after talking about it for
about a year :-) It is a good starting point to s
Hi Tim,
On Fri, Apr 27, 2018 at 12:16:15AM +0200, Tim Düsterhus wrote:
> The solution I got from "Holger Just" was:
>
> > http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if
> > { ssl_fc_has_sni }
> > http-request deny if { ssl_fc_has_sni } ! {
> >
Hi Lukas,
On Fri, Apr 27, 2018 at 01:56:42AM +0200, Lukas Tribus wrote:
> Hello Willy,
>
>
> On 25 April 2018 at 12:16, Willy Tarreau wrote:
> >> I'm not even sure that differentiate "Host" header from SNI values is
> >> possible on softwares like Nginx or Apache.
> >
> > It should not, that wo
Hello Willy,
On 25 April 2018 at 12:16, Willy Tarreau wrote:
>> I'm not even sure that differentiate "Host" header from SNI values is
>> possible on softwares like Nginx or Apache.
>
> It should not, that would be a violation of HTTP over TLS.
I think I disagree.
This is very possible and in
Willy,
Am 25.04.2018 um 12:16 schrieb Willy Tarreau:
> On Wed, Apr 25, 2018 at 09:48:13AM +, GALLISSOT VINCENT wrote:
>> I don't see a case were one would define a different check-sni or sni values
>> from the "Host" header.
>
> It definitely must match in HTTP. *snip*
>
>> I'm not even sure
> It definitely must match in HTTP. However there's nothing making it mandatory
> to send HTTP checks, let alone a Host header field (eg: if sending a simple
> HTTP/1.0 request). However I'm noting the comment, because once we're able
> to more easily configure the HTTP checks, we could imagine th
On Wed, Apr 25, 2018 at 09:48:13AM +, GALLISSOT VINCENT wrote:
> I don't see a case were one would define a different check-sni or sni values
> from the "Host" header.
It definitely must match in HTTP. However there's nothing making it mandatory
to send HTTP checks, let alone a Host header fie
À : Jonathan Matthews
Cc : GALLISSOT VINCENT; Lukas Tribus; haproxy@formilux.org
Objet : Re: Use SNI with healthchecks
On Tue, Apr 24, 2018 at 06:50:13PM +, Jonathan Matthews wrote:
> [Top post; fight me]
Grrr
> You could either read an environment variable inherited from outside the
>
On Tue, Apr 24, 2018 at 06:50:13PM +, Jonathan Matthews wrote:
> [Top post; fight me]
Grrr
> You could either read an environment variable inherited from outside the
> process, or use "setenv" or "presetenv" as appropriate to DRY your config
> out.
>
> The fine manual describes how you w
nor for
> "check-sni" directives.
>
>
> Do you know how can I define only one time my Host header in the code
> above ?
>
>
> Thanks,
>
> Vincent
>
>
> ----------
> *De :* GALLISSOT VINCENT
> *Envoyé :* lundi 23 avril 2
ISSOT VINCENT
Envoyé : lundi 23 avril 2018 17:33
À : Lukas Tribus
Cc : haproxy@formilux.org
Objet : RE: Use SNI with healthchecks
Thank you very much for your answers,
I'll migrate to 1.8 asap to fix this.
Vincent
De : lu...@ltri.eu de la part de Lukas
Thank you very much for your answers,
I'll migrate to 1.8 asap to fix this.
Vincent
De : lu...@ltri.eu de la part de Lukas Tribus
Envoyé : lundi 23 avril 2018 17:18
À : GALLISSOT VINCENT
Cc : haproxy@formilux.org
Objet : Re: Use SNI with healthchecks
Hello Vincent,
On 23 April 2018 at 16:38, GALLISSOT VINCENT wrote:
> Does anybody know how can I use healthchecks over HTTPS with SNI support ?
You need haproxy 1.8 for this, it contains the check-sni directive
which allows to set SNI to a specific string for the health check:
http://cbonte.gi
Hi Vincent,
On Mon, Apr 23, 2018 at 02:38:32PM +, GALLISSOT VINCENT wrote:
> Hi all,
>
>
> I want to use SNI with httpchk on HAProxy 1.7.10 to connect to CloudFront
> distributions as backend servers.
>
> I saw in this mailing-list archives that SNI is not used by default even when
> usi
14 matches
Mail list logo