OK, that’s odd, Debian’s backport fails to load the config as per your 
recommendation, but head of 1.6 does… They both report 1.6.3.

However I’m still missing SNI on the health check using:

server  dev05 192.168.1.10:443 check ssl sni str(www.mysite.com) verify none

William Roush | www.roushtech.net

From: Bryan Talbot [mailto:bryan.tal...@ijji.com]
Sent: Friday, March 11, 2016 9:21 PM
To: William D. Roush <william.ro...@roushtech.net>
Cc: Bryan Talbot <bryan.tal...@ijji.com>; haproxy@formilux.org
Subject: [PossibleSpam] Re: SNI Support for Health Check on Backend Server

This passes config check for me using 1.6 HEAD


btalbot-lt:haproxy-1.6$ cat haproxy.cfg
global

defaults
    timeout client 5s
    timeout server 5s
    timeout connect 5s
    mode http

listen https
    bind :443
    server dev05 192.168.1.10:443 check ssl sni str(prontotest.orthobanc.com) verify none



btalbot-lt:haproxy-1.6$ ./haproxy -f ./haproxy.cfg -c
Configuration file is valid



btalbot-lt:haproxy-1.6$ ./haproxy -vv
HA-Proxy version 1.6.3-079e34-67 2016/03/10
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = generic
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): no
Built with zlib version : 1.2.5
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support

Available polling systems :
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.



On Fri, Mar 11, 2016 at 5:23 PM, William D. Roush <william.ro...@roushtech.net> wrote:
Using: "server dev05 192.168.1.10:443 check ssl sni str(www.mysite.com) verify none"

Proxy 'www.mysite.com', server 'dev05' 
[/etc/haproxy/haproxy.cfg:62] verify is enabled by default but no CA file 
specified. If you're running on a LAN where you're certain to trust the 
server's certificate, please set an explicit 'verify none' statement on the 
'server' line, or use 'ssl-server-verify none' in the global section to disable 
server-side verifications by default.


Using: "server dev05 192.168.1.10:443 check sni str(prontotest.orthobanc.com) ssl verify none "

parsing [/etc/haproxy/haproxy.cfg:62] : 'server dev-web-06' unknown keyword 
'none'.


William Roush | www.roushtech.net

From: Bryan Talbot [mailto:bryan.tal...@ijji.com]
Sent: Friday, March 11, 2016 5:32 PM
To: William D. Roush <william.ro...@roushtech.net>
Cc: haproxy@formilux.org
Subject: Re: SNI Support for Health Check on Backend Server

There is a recently reported bug for this. Try putting "verify none" AFTER the 
"sni" keyword in your server line.

-Bryan


On Fri, Mar 11, 2016 at 2:08 PM, William D. Roush <william.ro...@roushtech.net> wrote:

Hey Everybody,

Been struggling trying to get SNI to work with health checks, even using 1.6 
and a server configuration of this:

dev05 192.168.1.10:443 check ssl verify none sni str(www.mysite.com)

It will still not send the SNI information to the backend server during health 
checks.

Am I missing some additional options here? Or is this unsupported in 1.6? Is 
this slated for 1.7?

Thanks!
William Roush
william.ro...@roushtech.net

http://www.roushtech.net/
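The question in this thread is whether the health-check ClientHello actually carries the server_name extension. One way to settle that on the backend side is to capture the first client packet of the check connection (for example with tcpdump on port 443 and pulling out the TCP payload) and parse the ClientHello for the SNI extension (RFC 6066). The following is an added example, not code from the thread or from the HAProxy project: extract_sni() parses a raw ClientHello record, and build_client_hello() constructs a minimal sample record in-line so the script runs offline; the cipher suite and hostnames used are constructed inputs, not captures.

```python
"""Check whether a TLS ClientHello carries the SNI extension (RFC 6066).

Added example, not from the HAProxy thread or the HAProxy code base.  It
parses the raw bytes of the first record a client sends, e.g. the TCP
payload of the first client packet in a capture of the health-check
connection taken on the backend.  The sample ClientHello used below is
constructed by build_client_hello(); it is not a capture from the thread.
"""
import os
import struct
from typing import Optional

SNI_EXT_TYPE = 0x0000   # extension type "server_name"
HOST_NAME_TYPE = 0      # NameType host_name inside the server_name list


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with or without SNI.

    Constructed test input only; a real HAProxy ClientHello carries more
    cipher suites and extensions, which extract_sni() skips over anyway.
    """
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        server_name = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
        sni_data = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + os.urandom(32)                      # random
        + b"\x00"                             # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite (constructed)
        + b"\x01\x00"                         # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent.

    Raises ValueError when the bytes are not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                        # skip client_version and random
    pos += 1 + body[pos]                # session_id (1-byte length prefix)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                   # cipher_suites (2-byte length prefix)
    pos += 1 + body[pos]                # compression_methods (1-byte prefix)
    if pos >= len(body):
        return None                     # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_data_len]
        pos += 4 + ext_data_len
        if ext_type != SNI_EXT_TYPE:
            continue
        # server_name_list: 2-byte list length, then (type, 2-byte len, name)
        lpos = 2
        while lpos + 3 <= len(data):
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("www.mysite.com", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

Feed extract_sni() the payload of the real check connection to see whether HAProxy sent the name; a None result with a "sni str(...)" server line is the symptom reported above, while a parsed host_name confirms the extension reached the backend. Note that the 'verify none' in the thread only disables certificate validation on the check; it has no influence on whether SNI is emitted.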

