Chris

Reputation: 58292

How to set up SSL passthrough with multiple domains with HAproxy?

How does one set up HAproxy for multiple domains, to multiple backends while passing through SSL?

Example in diagram for a better explanation:

                              backend_domain_a
domain-a.com-.            .-> 123.123.123.123
             |            |
             +-> haproxy -+
             |            |   backend_domain_b
domain-b.com-'            '-> 789.789.789.789

Note: each backend server will be issuing its own certificate, hence the need for SSL passthrough.

I have this configuration, but it doesn't work for multiple reasons (the key one being the missing port number):

frontend www
        bind *:80
        bind *:443
        option tcplog

        acl host_domain_a hdr(host) -i domain-a.com
        acl host_domain_b hdr(host) -i domain-b.com

        use_backend backend_domain_a if host_domain_a
        use_backend backend_domain_b if host_domain_b

backend backend_domain_a
        server web_a 123.123.123.123 check

backend backend_domain_b
        server web_b 789.789.789.789 check

In other words, I want HAProxy to not terminate the SSL.

I initially wanted to do this with Nginx, but apparently it can't act as a non-terminating point while reading the host details (though it might be available in future versions with ssl preread).

Upvotes: 2

Views: 2075

Answers (2)

aerobrain

Reputation: 623

After googling around, I found and tested this method and it works. I don't really understand why there is a need for inspect-delay, but it works!!

frontend https_frontend
    mode tcp
    option tcplog
    bind *:443
    # Only a TLS ClientHello (hello type 1) carries the SNI that the routing below needs
    acl tls req.ssl_hello_type 1
    # inspect-delay gives HAProxy up to 5s to buffer the complete ClientHello;
    # req.ssl_sni cannot be evaluated on a partial record
    tcp-request inspect-delay 5s
    tcp-request content accept if tls

    acl host_www req.ssl_sni -i example.com
    acl host_www req.ssl_sni -i www.example.com
    acl host_wiki req.ssl_sni -i wiki.example.com

    use_backend https_www if host_www
    use_backend https_wiki if host_wiki

backend https_www
    mode tcp
    option tcplog
    # ssl-hello-chk only has an effect on servers with health checks enabled ("check")
    option ssl-hello-chk
    server www 192.168.1.10:443 check

# use_backend above references https_wiki, and HAProxy refuses to start if it is
# undefined; the server address here is an assumed placeholder, not from the answer
backend https_wiki
    mode tcp
    option tcplog
    option ssl-hello-chk
    server wiki 192.168.1.11:443 check

Full article here: https://az.id.au/ops/haproxy-http-and-https-multiple-domains-and-backends/

Upvotes: 1
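To show what HAProxy is actually doing with req.ssl_sni in the configuration above, and why inspect-delay is needed, here is an added example (not from the answer, the linked article, or HAProxy itself): a minimal ClientHello parser that extracts the SNI and maps it to a backend with the same acl/use_backend rules, returning "no decision yet" on an incomplete record. The ClientHello builder, the backend map and the sample inputs are constructed for the example.

```python
import struct

# Backend map mirroring the acl/use_backend lines of the HAProxy config above.
BACKENDS = {"example.com": "https_www", "www.example.com": "https_www",
            "wiki.example.com": "https_wiki"}

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension (test input only)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    # version 3.3, zeroed random (constructed), empty session_id, one cipher, null compression
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(data: bytes):
    """Return the SNI host name, or None if `data` is not (yet) a complete ClientHello; that
    None case is why tcp-request inspect-delay exists: the whole hello must be buffered first."""
    try:
        if data[0] != 0x16:                                       # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:                               # record still incomplete
            return None
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                         # req.ssl_hello_type 1 == ClientHello
            return None
        p = 4 + 2 + 32                                            # skip header, version, random
        p += 1 + hs[p]                                            # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]              # cipher_suites
        p += 1 + hs[p]                                            # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]     # extensions block
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                        # server_name extension
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        return None                       # truncated, malformed, or a ClientHello without extensions
    return None                                                   # extensions present but no SNI

def choose_backend(data: bytes):
    sni = extract_sni(data)                                       # mimics use_backend ... if host_*
    return None if sni is None else BACKENDS.get(sni.lower())     # -i makes the acl case-insensitive
```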

Chris

Reputation: 58292

After extensive research, I couldn't find a sound way to complete this task.

I ended up using nginx to complete the requirements.

Upvotes: 0
