On 2019-06-20 15:38, Lukas Tribus wrote:
Hello,


On Thu, 20 Jun 2019 at 14:49, <rai...@ultra-secure.de> wrote:
I now used

ssl_fc_sni_reg -i host3.intern

I hope, this is also OK.

It's not.

You are already doing the right thing in the frontend, by content
switching based on the host header and not based on the SNI, so
please, don't rely on frontend SNI in your backend.

Search the mailing list archives if you want to know why that's a bad idea.

Lukas



Hi,

I tried to read up on this but there are many examples and not all of them seem "correct".

I've got the following config now:


frontend app_frontend
  mode http
  bind *:80
  bind 10.200.16.10:443 ssl crt /etc/haproxy/ssl/star.theapp.intern.pem
  maxconn 2000
  use_backend app_api if { ssl_fc_sni_reg -i app-api.theapp.intern }
  use_backend app_admin_services if { ssl_fc_sni_reg -i app-admin-services.theapp.intern }
  use_backend app_dms_services if { ssl_fc_sni_reg -i app-dms-services.theapp.intern }
  use_backend app_external_services if { ssl_fc_sni_reg -i app-external-services.theapp.intern }
  use_backend app_bo if { ssl_fc_sni_reg -i app-bo.theapp.intern }
  use_backend app_scheduler if { ssl_fc_sni_reg -i app-scheduler.theapp.intern }
  #use_backend app_api if { sni hdr(host) -i app-api.theapp.intern }
  #use_backend app_admin_services if { sni hdr(host) -i app-admin-services.theapp.intern }
  #use_backend app_dms_services if { sni hdr(host) -i app-dms-services.theapp.intern }
  #use_backend app_external_services if { sni hdr(host) -i app-external-services.theapp.intern }
  #use_backend app_bo if { sni hdr(host) -i app-bo.theapp.intern }
  #use_backend app_scheduler if { snd hdr(host) -i app-scheduler.theapp.intern }
  capture request header User-Agent len 500
  redirect scheme https code 301 if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }

backend app_api
  mode http
  server PROD036 10.200.16.36:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s1 sni hdr(app-api.theapp.intern) check-sni app-api.theapp.intern
  server PROD037 10.200.16.37:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s2 sni hdr(app-api.theapp.intern) check-sni app-api.theapp.intern
  option httpclose
  option forwardfor
  option httpchk GET / HTTP/1.1\r\nHost:\ app-api.theapp.intern\r\nConnection:\ close
  http-check expect string Hello
  http-check disable-on-404
  cookie SERVERID insert indirect nocache httponly
  balance leastconn


This gets me a L7 timeout on the backend servers.


curl-ing the URLs works without problems.
Because it's all encrypted, I have a hard time figuring out what haproxy is actually sending to the backend.

Is there a way to enable some sort of logging on what requests are actually made to the backend?




Best Regards
Rainer
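For comparison, here is an added configuration example that is not part of either message in this thread: it shows one way to route on the HTTP Host header end to end (as Lukas recommends) and to give each server line a fixed SNI value, together with request logging that records which backend and server every request was handed to. Host names, addresses and backend names are taken from the posted config; the syslog destination, the `global`/`defaults` sections and the single-backend layout are assumptions, and only `app_api` is written out.

```haproxy
# Added example, not the configuration from the thread. Assumes HAProxy 1.8+
# (for check-sni) and a syslog listener on 127.0.0.1:514.
global
  log 127.0.0.1 local0

defaults
  mode http
  log global
  option httplog            # per-request line: frontend, backend/server, status, timers, termination flags
  timeout connect 5s
  timeout client 30s
  timeout server 30s

frontend app_frontend
  bind *:80
  bind 10.200.16.10:443 ssl crt /etc/haproxy/ssl/star.theapp.intern.pem
  maxconn 2000
  redirect scheme https code 301 if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }
  # Captured headers appear in {} in each httplog line, so the log shows
  # which Host the request carried and where it went.
  capture request header Host len 100
  capture request header User-Agent len 500
  # Route on the Host header, not on ssl_fc_sni: the TLS SNI and the HTTP
  # Host are set independently by the client and need not agree.
  use_backend app_api if { req.hdr(host) -i app-api.theapp.intern }
  use_backend app_admin_services if { req.hdr(host) -i app-admin-services.theapp.intern }
  use_backend app_dms_services if { req.hdr(host) -i app-dms-services.theapp.intern }
  use_backend app_external_services if { req.hdr(host) -i app-external-services.theapp.intern }
  use_backend app_bo if { req.hdr(host) -i app-bo.theapp.intern }
  use_backend app_scheduler if { req.hdr(host) -i app-scheduler.theapp.intern }

backend app_api
  option forwardfor
  balance leastconn
  cookie SERVERID insert indirect nocache httponly
  option httpchk GET / HTTP/1.1\r\nHost:\ app-api.theapp.intern\r\nConnection:\ close
  http-check expect string Hello
  http-check disable-on-404
  # The server "sni" keyword takes a sample-fetch expression. hdr(app-api.theapp.intern)
  # would look up a *request header* named "app-api.theapp.intern", which no client
  # sends, so the TLS handshake to the server would carry no SNI at all. str() yields
  # the literal host name instead. "verify none" is kept from the posted config;
  # "verify required ca-file <bundle>" is preferable once the backend CA is available.
  server PROD036 10.200.16.36:443 ssl verify none force-tlsv12 sni str(app-api.theapp.intern) check check-ssl check-sni app-api.theapp.intern cookie s1 maxconn 3000
  server PROD037 10.200.16.37:443 ssl verify none force-tlsv12 sni str(app-api.theapp.intern) check check-ssl check-sni app-api.theapp.intern cookie s2 maxconn 3000
```

With `option httplog` each request line names the frontend, the backend and the server it was sent to, the captured Host and User-Agent, the Tq/Tw/Tc/Tr/Tt timers and a two-letter termination state; `sH` there means HAProxy timed out on the server side while waiting for response headers, which distinguishes a backend that accepted the TLS connection but never answered from a connection or handshake failure. That does not reveal the encrypted request bytes, but it usually narrows the problem to the right hop.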




