Re: [PossibleSpam] Re: SNI Support for Health Check on Backend Server

2016-03-14 Thread Baptiste
Hi,

As far as I know, SNI for the health check is not yet supported.

Baptiste



RE: [PossibleSpam] Re: SNI Support for Health Check on Backend Server

2016-03-11 Thread William D. Roush
OK, that’s odd, Debian’s backport fails to load the config as per your 
recommendation, but head of 1.6 does… They both report 1.6.3.

However I’m still missing SNI on the health check using:

server  dev05 192.168.1.10:443 check ssl sni str(www.mysite.com) verify none

William Roush | www.roushtech.net

From: Bryan Talbot [mailto:bryan.tal...@ijji.com]
Sent: Friday, March 11, 2016 9:21 PM
To: William D. Roush 
Cc: Bryan Talbot ; haproxy@formilux.org
Subject: [PossibleSpam] Re: SNI Support for Health Check on Backend Server

This passes config check for me using 1.6 HEAD


btalbot-lt:haproxy-1.6$ cat haproxy.cfg
global

defaults
timeout client 5s
timeout server 5s
timeout connect 5s
mode http

listen https
bind :443
server dev05 192.168.1.10:443 check ssl sni str(prontotest.orthobanc.com) verify none



btalbot-lt:haproxy-1.6$ ./haproxy -f ./haproxy.cfg -c
Configuration file is valid



btalbot-lt:haproxy-1.6$ ./haproxy -vv
HA-Proxy version 1.6.3-079e34-67 2016/03/10
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = generic
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): no
Built with zlib version : 1.2.5
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support

Available polling systems :
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.



On Fri, Mar 11, 2016 at 5:23 PM, William D. Roush <william.ro...@roushtech.net> wrote:
Using: "server dev05 192.168.1.10:443 check ssl sni str(www.mysite.com) verify none"

Proxy 'www.mysite.com', server 'dev05' [/etc/haproxy/haproxy.cfg:62] verify is 
enabled by default but no CA file specified. If you're running on a LAN where 
you're certain to trust the server's certificate, please set an explicit 
'verify none' statement on the 'server' line, or use 'ssl-server-verify none' 
in the global section to disable server-side verifications by default.


Using: "server dev05 192.168.1.10:443 check sni str(prontotest.orthobanc.com) ssl verify none "

parsing [/etc/haproxy/haproxy.cfg:62] : 'server dev-web-06' unknown keyword 
'none'.


William Roush | www.roushtech.net

From: Bryan Talbot [mailto:bryan.tal...@ijji.com]
Sent: Friday, March 11, 2016 5:32 PM
To: William D. Roush <william.ro...@roushtech.net>
Cc: haproxy@formilux.org
Subject: Re: SNI Support for Health Check on Backend Server

There is a recently reported bug for this. Try putting "verify none" AFTER the 
"sni" keyword in your server line.

-Bryan


On Fri, Mar 11, 2016 at 2:08 PM, William D. Roush <william.ro...@roushtech.net> wrote:

Hey Everybody,

Been struggling trying to get SNI to work with health checks, even using 1.6 
and a server configuration of this:

dev05 192.168.1.10:443 check ssl verify none sni str(www.mysite.com)

It will still not send the SNI information to the backend server during health 
checks.

Am I missing some additional options here? Or is this unsupported in 1.6? Is 
this slated for 1.7?

Thanks!
William Roush
william.ro...@roushtech.net

http://www.roushtech.net/
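The following configuration is an added example for readers of this thread; it is not taken from any of the messages above or from the HAProxy project. It puts the server line being debugged (with `verify none`, which makes HAProxy accept any certificate the backend address presents) next to a hardened form that pins a CA bundle and checks the certificate's hostname. The backend address, hostnames and the CA file path are placeholders; the `check-sni` keyword mentioned in the last comment was added in HAProxy 1.7 and does not exist in the 1.6 builds discussed here.

```haproxy
# Added example, not part of the thread. Addresses, hostnames and the
# CA path are placeholders.

global
    # The warning quoted in the thread points at this global knob. Setting
    # it disables certificate checks for EVERY 'server ... ssl' line, so
    # prefer the explicit per-server 'verify' keyword shown below.
    # ssl-server-verify none

defaults
    mode http
    timeout connect 5s
    timeout client  5s
    timeout server  5s

# Weak: 'verify none' turns off certificate validation, so the handshake
# succeeds with any certificate served on 192.168.1.10:443, including one
# from a host that has taken over that address. 'sni str(...)' only
# applies to proxied traffic; as confirmed in the thread, the 1.6 health
# check handshake goes out without SNI.
backend app_weak
    server dev05 192.168.1.10:443 check ssl sni str(www.example.com) verify none

# Hardened: validate the backend certificate against a pinned CA bundle and
# require it to match the expected hostname. 'verify' is placed after 'sni'
# to stay clear of the argument-ordering bug reported in the thread.
backend app_hardened
    server dev05 192.168.1.10:443 check ssl sni str(www.example.com) verify required ca-file /etc/haproxy/backend-ca.pem verifyhost www.example.com

# HAProxy 1.7 and later: 'check-sni <hostname>' sets the SNI used by the
# health check itself, independent of the 'sni' expression used for
# regular traffic (not available in the 1.6 builds from the thread).
# backend app_17
#     server dev05 192.168.1.10:443 check ssl check-sni www.example.com sni str(www.example.com) verify required ca-file /etc/haproxy/backend-ca.pem verifyhost www.example.com
```

Run `haproxy -f haproxy.cfg -c` after changing server lines; the thread shows that the same 1.6.3 version string can come from builds that parse these keywords differently, so a config that validates on one host is not proof it validates on another.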