> On 20 Feb 2019, at 03:30, Baptiste <[email protected]> wrote:
>
> Hi Joao,
>
> I do have a question for you about your ingress controller design and the
> "chained" frontends, summarized below:
> * The first frontend is in tcp mode binding :443, inspecting the SNI and doing a
> triage;
> There is also an ssl-passthrough config - from the triage frontend straight
> to a tcp backend.
> * The second frontend is binding a unix socket with ca-file (tls
> authentication);
> * The last frontend is binding another unix socket, doing ssl-offload but
> without ca-file.
>
> What feature is missing in HAProxy to allow switching these 3 frontends into
> a single one?
> I understand that the ability to do ssl deciphering and ssl passthrough on a
> single bind line is one of them. Is there anything else we could improve?
> I wonder if crt-list would be useful in your case:
> https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
>
Hi Baptiste, I'm changing the approach to frontend creation - if the user
configuration just needs one, this one will listen on :443 without needing to chain
another one. Regarding switching to more frontends - or at least more bind lines
in the same frontend - and creating the mode-tcp one, here are the current
rules:
* conflict on timeout client - and perhaps on other frontend configs - distinct
frontends will be created for each one
* if one really wants to use a certificate that doesn't match its domain -
crt-list sounds like it solves this
* tls auth (bind with ca-file) and no tls auth - I don't want to mix them in
the same frontend because of security - tls auth uses SNI, no tls auth uses the host
header
* ssl-passthrough as you have mentioned
~jm
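For readers following the thread, here is an added HAProxy configuration illustrating the three-frontend layout Baptiste summarized and the split rules Joao lists. It is example code written for this page, not configuration from the ingress controller itself; the hostnames, certificate paths, socket paths, backend addresses and timeout values are placeholders.

```haproxy
# Frontend 1: tcp-mode triage on :443. Only the ClientHello is inspected; no TLS is
# terminated here, so the SNI is the only routing key available.
frontend fe_triage
    mode tcp
    bind :443
    timeout client 30s                      # placeholder; differs from the tls-auth frontend below
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # ssl-passthrough: straight from the triage frontend to a tcp backend
    use_backend be_passthrough if { req_ssl_sni -i passthrough.example.com }
    # client-certificate (tls auth) hosts go to the ca-file frontend
    use_backend be_to_tlsauth  if { req_ssl_sni -i auth.example.com }
    # everything else is ssl-offloaded without client-cert verification
    default_backend be_to_offload

backend be_passthrough
    mode tcp
    server app-tls 10.0.0.10:8443           # placeholder; the application terminates TLS itself

# Hand-off to the two unix-socket frontends; PROXY protocol keeps the client address.
backend be_to_tlsauth
    mode tcp
    server fe_tlsauth unix@/var/run/haproxy-tlsauth.sock send-proxy-v2

backend be_to_offload
    mode tcp
    server fe_offload unix@/var/run/haproxy-offload.sock send-proxy-v2

# Frontend 2: tls auth. Kept separate because it carries ca-file / verify required
# and its own timeouts; routing is by SNI (ssl_fc_sni), as the thread notes.
frontend fe_tlsauth
    mode http
    bind unix@/var/run/haproxy-tlsauth.sock accept-proxy ssl \
         crt /etc/haproxy/certs/auth.example.com.pem \
         ca-file /etc/haproxy/certs/client-ca.pem verify required
    timeout client 120s                     # placeholder; the differing value is why it is a separate frontend
    http-request set-header X-Client-Cert-CN %{+Q}[ssl_c_s_dn(cn)]
    use_backend be_auth_app if { ssl_fc_sni -i auth.example.com }
    default_backend be_auth_app

# Frontend 3: ssl-offload without ca-file. No client certificate is requested, so
# routing uses the Host header instead of the SNI.
frontend fe_offload
    mode http
    bind unix@/var/run/haproxy-offload.sock accept-proxy ssl \
         crt-list /etc/haproxy/certs/crt-list.txt
    timeout client 30s                      # placeholder
    use_backend be_web_app if { req.hdr(host) -i www.example.com }
    default_backend be_web_app

backend be_auth_app
    mode http
    server app-auth 10.0.0.20:8080          # placeholder

backend be_web_app
    mode http
    server app-web 10.0.0.30:8080           # placeholder
```

The crt-list file referenced on the offload bind line maps certificates to SNI filters (one `path [sni-filter ...]` entry per line), which is the mechanism Baptiste pointed to for serving a certificate whose name does not match the requested domain. Keeping `verify required` on its own frontend means a request that arrives without a client certificate can never be matched against a tls-auth backend by Host header alone, which is the mixing Joao's third rule avoids.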