Hi.
On 30/07/2018 16:39, Lukas Tribus wrote:
> On Mon, 30 Jul 2018 at 13:30, Aleksandar Lazic wrote:
>> Hi.
>> I have the following setup.
>> APP -> Internal HAProxy -(HTTPS)-> external HAProxy -> APP
>> The external HAProxy is configured with multiple TLS vhosts.
> Never use SNI for vhosting. It should work with the host header only.
> SNI should only be used for certificate selection, otherwise
> overlapping certificates will cause wrong forwarding decisions.

The OpenShift router, based on haproxy 1.8, looks for the SNI hostname
for routing.
https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L198-L209
Due to this fact we *must* set the SSL hostname.

>> I assume that when I add `server sni appinternal.domain.com` to
>> the server line, the hostname field in the TLS session will be set to
>> this value.
> No, the sni keyword expects a fetch expression.
> Set it to the host header for example:
>   sni req.hdr(host)
> Or to a static string:
>   sni str(www.example.com)

When I take a look into the code I see this line.
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/backend.c;hb=ada31afbc1e9095d494973cad91a4e507c4c1d9b#l1255
  ssl_sock_set_servername(srv_conn, smp->data.u.str.str);
and the implementation of this function is here
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=ada31afbc1e9095d494973cad91a4e507c4c1d9b#l5922
The block begins here.
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/backend.c;hb=ada31afbc1e9095d494973cad91a4e507c4c1d9b#l1236
As far as I understood this block (and I'm not sure that I have
understood it right), the fetch sample checks for the string, as you have
written, AND SETS the hostname into the SSL/TLS header for SNI.

Now, after I looked into the code and read the doc again, it's clear
for me.
This option sets (cite from doc)
"the host name sent in the SNI TLS extension to the server."
My apologies for the rush and my stupidity.

> cheers,
> lukas
Best greetings
aleks
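For readers landing on this thread: the following backend fragment is an added example (not configuration from Aleksandar, Lukas or the OpenShift router) showing the `sni` server keyword used correctly on HAProxy 1.8, with the rejected form kept as a comment. The backend name, addresses, hostnames and CA path are assumptions.

```haproxy
# Added example, not from the thread: internal HAProxy 1.8 talking HTTPS to
# the external HAProxy / OpenShift router, which routes on the SNI hostname.
backend external_haproxy
    mode http

    # What the thread started with. "sni" takes a sample fetch expression,
    # so a bare hostname is parsed as a fetch method that does not exist and
    # "haproxy -c" rejects the configuration:
    #   server ext 203.0.113.10:443 ssl sni appinternal.domain.com

    # Static hostname: wrap it in str(). verify/ca-file/verifyhost make the
    # internal side check the external side's certificate against the name
    # we expect, instead of trusting whatever certificate is presented.
    # check-sni (1.8+) sends the same name during health checks, otherwise
    # the checks hit the router without SNI and may get a different vhost.
    server ext_static 203.0.113.10:443 ssl sni str(appinternal.domain.com) verify required ca-file /etc/haproxy/ca.pem verifyhost appinternal.domain.com check check-sni appinternal.domain.com

    # Bridged variant: forward the client's Host header as SNI. The Host
    # header is client controlled, so verifyhost stays pinned to the
    # expected name rather than following the SNI value.
    # server ext_bridged 203.0.113.10:443 ssl sni req.hdr(host) verify required ca-file /etc/haproxy/ca.pem verifyhost appinternal.domain.com check check-sni appinternal.domain.com
```

Run `haproxy -c -f <file>` after editing: the commented-out bare-hostname form fails this check, the str() and req.hdr(host) forms pass it.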