Callahan

Reputation: 23

HA Proxy - Failure to make ssl_fc_sni apply to SSL connections

I'm trying to use HAProxy to forward to 2 backend servers both listening on SSL. I don't want to terminate the SSL on HAProxy, but will if this is the only solution. From what I've read, though, what I'm asking for isn't impossible. In order to route to the correct server, I need to see where the request is destined for. From what I have read, ssl_fc_sni is the solution to this, as the SNI header is viewable in the SSL connection. So, with that in mind, I have this:

# Default HTTP frontend
frontend http_frontend
    bind 192.168.50.3:80
    redirect scheme https code 301

# Default HTTPS frontend
frontend https_frontend
    bind 192.168.50.3:443
    mode tcp
    option tcplog
    use_backend web_server_1 if { ssl_fc_sni web_server_1.mydomain.com }
    default_backend web_server_2

# web_server_1 backend
backend web_server_1
    mode tcp
    option ssl-hello-chk
    server web_server_1 192.168.100.30:443

# Fallback backend
backend web_server_2
    mode tcp
    option ssl-hello-chk
    server web_server_2 192.168.100.29:443

This isn't working, however. All requests are routed to the default backend (web_server_2) and I'm stumped as to why. There must be a way to route SSL requests via headers/SNI.

Can anyone point out what I'm missing?

Upvotes: 0

Views: 2114

Answers (2)

Terry Sun

Reputation: 11

If your SSL is bound on the backend, you need to add "ssl verify none" after the backend server settings.

Try changing your config like the following.

# web_server_1 backend
backend web_server_1
    mode tcp
    option ssl-hello-chk
    server web_server_1 192.168.100.30:443 ssl verify none

# Fallback backend
backend web_server_2
    mode tcp
    option ssl-hello-chk
    server web_server_2 192.168.100.29:443 ssl verify none

Upvotes: 0

Aleksandar

Reputation: 2672

You will need to add tcp-request inspect-delay.

# Default HTTPS frontend
frontend https_frontend
    bind 192.168.50.3:443
    mode tcp
    option tcplog

    tcp-request inspect-delay 5s
    tcp-request content capture req.ssl_sni len 25
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend web_server_1 if { req.ssl_sni web_server_1.mydomain.com }
    default_backend web_server_2

Doc for req.ssl_sni

Upvotes: 1
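Why the accepted approach works and the original config does not: ssl_fc_sni is only populated when HAProxy itself terminates TLS, i.e. on a bind line with "ssl crt ...". On a plain "mode tcp" bind it is always empty, so the use_backend rule never matches and everything falls to default_backend. req.ssl_sni instead parses the unencrypted server_name extension out of the client's first TLS record (the ClientHello) straight from the TCP stream, and the "tcp-request inspect-delay" plus "tcp-request content accept if { req.ssl_hello_type 1 }" pair makes HAProxy wait for those first bytes (releasing early once a ClientHello is seen, so clients don't pay the full 5s) before the backend decision is taken. The Python below is an added example, not code from the question or either answer: it re-implements that ClientHello parse and the routing decision so you can see exactly what the proxy is matching on. The sample ClientHello is constructed inside the block; the hostnames and backend names are the ones from the question. Two caveats a practitioner should keep in mind: SNI is unauthenticated client-supplied data, so it is a routing hint only (unknown names, clients connecting by bare IP with no SNI, and non-TLS traffic all land on the default backend), and the plain ACL string match in the answer is case-sensitive unless you add the -i flag.

```python
"""Minimal TLS ClientHello parser that pulls out the SNI host name.

Added example, not code from the original question or answers. It mirrors
what HAProxy's req.ssl_sni fetch does in `mode tcp`: it reads the raw
ClientHello the client sends first, without terminating TLS, so the proxy
can pick a backend from the unencrypted server_name extension.
The sample ClientHello produced by build_client_hello() is constructed here
for the demo; it is not a capture from a real client.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a syntactically valid TLS 1.2 ClientHello record.

    Only the fields a router cares about are meaningful; random and the
    cipher suite are placeholders. Pass None for a hello with no SNI.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + b"\x00" * 32                        # random (placeholder)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from a raw ClientHello, or None.

    None also covers a buffer that is not (yet) a complete ClientHello. That
    is exactly why HAProxy needs `tcp-request inspect-delay`: the routing
    decision has to wait until the client's first bytes have arrived.
    """
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != CLIENT_HELLO:
            return None                       # truncated record or not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                              # version + random
        pos += 1 + hello[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + hello[pos]                                     # compression_methods
        if pos + 2 > len(hello):
            return None                                           # no extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_size]
            if ext_type == EXT_SERVER_NAME:
                # server_name_list: 2-byte list length, then type(1) + len(2) + name
                lpos = 2
                while lpos + 3 <= len(ext):
                    name_type = ext[lpos]
                    name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                    name = ext[lpos + 3:lpos + 3 + name_len]
                    if name_type == 0 and len(name) == name_len:
                        return name.decode("ascii")
                    lpos += 3 + name_len
                return None
            pos += 4 + ext_size
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Routing table mirroring the answer's config: one exact SNI match, else the default.
ROUTES = {"web_server_1.mydomain.com": "web_server_1"}
DEFAULT_BACKEND = "web_server_2"


def choose_backend(first_bytes: bytes, routes=ROUTES, default=DEFAULT_BACKEND) -> str:
    """Pick a backend the way `use_backend ... if { req.ssl_sni ... }` does.

    SNI is client-supplied and unauthenticated, so it is only a routing hint:
    the match is exact (case-sensitive, like HAProxy's ACL without -i) and
    anything unknown, including a hello with no SNI or a non-TLS client,
    lands on the default backend.
    """
    sni = extract_sni(first_bytes)
    if sni is None:
        return default
    return routes.get(sni, default)
```

To check the live HAProxy rather than this model, send a ClientHello with a chosen SNI and see which backend's certificate comes back, e.g. openssl s_client -connect 192.168.50.3:443 -servername web_server_1.mydomain.com, and repeat with the other name or with no -servername at all to confirm the fallback path.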
