> On Feb 12, 2019, at 21:21, Norman Branitsky
> <norman.branit...@micropact.com> wrote:
>
> Do I have to make HAProxy listen on 8443 and just do a tcp frontend/backend
> for the Manager nodes?
You can bind on another port, you can also bind on another IP address (change
*:443 to some.ip.addr:443). But if you want or need to share the same IP
and port, a possible configuration is to create a tcp mode frontend which
inspects the SNI extension and makes a triage: manager hostname? Use a tcp mode
backend and the manager nodes as servers - no data would be changed. This blog
post[1] is of some help. In the triage, if the request isn't to a manager node,
use another tcp backend whose only server is a unix socket. Also use
send-proxy-v2 in the server declaration. Create another http mode frontend,
binding that unix socket with the accept-proxy keyword, to do the ssl offload of
your worker nodes. hth.
[1] https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
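
The layout described in the reply above, written out as an added example that is not part of the original message or the poster's own configuration. The hostname, server addresses and ports, socket path and certificate path are constructed placeholders, and the timeouts are assumed values.

```haproxy
defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Stage 1: TCP frontend on the shared IP:port. It only reads the SNI from the
# ClientHello; TLS is not terminated here.
frontend fe_tls_triage
    mode tcp
    bind *:443
    # Wait for the ClientHello so req.ssl_sni is available before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Manager hostname (placeholder): pass the TLS stream through untouched.
    use_backend be_manager_passthrough if { req.ssl_sni -i manager.example.com }
    # Everything else, including clients that send no SNI, goes to offload.
    default_backend be_to_offload

# Manager nodes terminate TLS themselves; HAProxy changes no data.
backend be_manager_passthrough
    mode tcp
    server mgr1 192.0.2.11:8443 check
    server mgr2 192.0.2.12:8443 check

# Hand the connection to the local HTTP frontend over a unix socket.
# send-proxy-v2 carries the original client address across the hop.
backend be_to_offload
    mode tcp
    server local_offload unix@/var/run/haproxy-offload.sock send-proxy-v2

# Stage 2: HTTP frontend bound to that socket. accept-proxy restores the
# client address, ssl/crt performs the TLS offload for the worker nodes.
frontend fe_https_offload
    mode http
    bind unix@/var/run/haproxy-offload.sock accept-proxy ssl crt /etc/haproxy/certs/site.pem
    option forwardfor
    default_backend be_workers

backend be_workers
    mode http
    server worker1 192.0.2.21:8080 check
    server worker2 192.0.2.22:8080 check
```

Because the socket bind uses accept-proxy, only the local HAProxy process should be able to connect to it; restrict the socket's permissions (the bind line accepts `mode`, `user` and `group`) so no other local process can submit a forged client address.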