Hello Rainer,

On Tue, 25 Jun 2019 at 12:53, <rai...@ultra-secure.de> wrote:
> Hi,
>
> I tried to read up on this but there are many examples and not all of
> them seem "correct".

It's simple: do not content-switch based on SNI. Use the host header
instead. That's it.


>    use_backend app_api               if { ssl_fc_sni_reg -i app-api.theapp.intern }
>    use_backend app_admin_services    if { ssl_fc_sni_reg -i app-admin-services.theapp.intern }
>    use_backend app_dms_services      if { ssl_fc_sni_reg -i app-dms-services.theapp.intern }
>    use_backend app_external_services if { ssl_fc_sni_reg -i app-external-services.theapp.intern }
>    use_backend app_bo                if { ssl_fc_sni_reg -i app-bo.theapp.intern }
>    use_backend app_scheduler         if { ssl_fc_sni_reg -i app-scheduler.theapp.intern }
>    #use_backend app_api               if { sni hdr(host) -i app-api.theapp.intern }
>    #use_backend app_admin_services    if { sni hdr(host) -i app-admin-services.theapp.intern }
>    #use_backend app_dms_services      if { sni hdr(host) -i app-dms-services.theapp.intern }
>    #use_backend app_external_services if { sni hdr(host) -i app-external-services.theapp.intern }
>    #use_backend app_bo                if { sni hdr(host) -i app-bo.theapp.intern }
>    #use_backend app_scheduler         if { sni hdr(host) -i app-scheduler.theapp.intern }

Use the host header and not SNI:

if { hdr(host) -i app-scheduler.theapp.intern }


> backend app_api
>    mode http
>    server PROD036 10.200.16.36:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s1 sni hdr(app-api.theapp.intern) check-sni app-api.theapp.intern
>    server PROD037 10.200.16.37:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s2 sni hdr(app-api.theapp.intern) check-sni app-api.theapp.intern
>    option httpclose
>    option forwardfor
>    option httpchk GET / HTTP/1.1\r\nHost:\ app-api.theapp.intern\r\nConnection:\ close
>    http-check expect string Hello
>    http-check disable-on-404
>    cookie SERVERID insert indirect nocache httponly
>    balance leastconn
>
>
> This gets me a L7 timeout on the backend-servers.

Yes, because you are trying to fill the SNI value with the *HTTP
header* app-api.theapp.intern, which, of course, does not exist.

Like I said, either use a static string with the str keyword:
str(app-api.theapp.intern)

or fill it based on what you see in the host header:
hdr(host)

Notice that the 3 letter prefix is not the same. If you want to
specify a string, use str. If you want to refer to an HTTP header, use
hdr.


> curl-ing the URLs works without problems.
> Because it's all encrypted, I have a hard time figuring out what haproxy
> is actually sending to the backend.
>
> Is there a way to enable some sort of logging on what requests are
> actually made to the backend?

If you don't trust the configuration, just look at the client hello
from a traffic capture. SNI is not encrypted.


Regards,
Lukas