Differences

This shows you the differences between two versions of the page.

--- docu:csheet:syadm:web:server:haproxy_sni [2020/02/18 16:51] – admin
+++ docu:csheet:syadm:web:server:haproxy_sni [2020/05/10 10:55] (current) – admin
@@ Line 1: / Line 1: @@
 ==== Route traffic via the ssl_sni header ====
+Routing **HTTPS traffic** via the **ssl_sni tcp packet header** is a way to balance and create virtual hosts pointing directly to **their tcp port**, so it allows to leave SSL offloading work to the backend, and more useful stuff.\\
 \\
+As a result, **no http header logic** can be used, as it **operates at TCP level**.
+\\
 <code conf>
 global
@@ Line 9: / Line 13: @@
 defaults
-    log 127.0.0.1 local0 notice
+    log /dev/log local0 info
-    timeout connect         3500
+    timeout connect 5000
-    timeout queue           11000
+    timeout client  50000
-    timeout tarpit          12000
+    timeout server  50000
-    timeout client          30000
-    timeout http-request    40000
-    timeout http-keep-alive 5000
-    timeout server          40000
-    timeout check           7000
     option tcplog
+    option logasap
     mode tcp
 frontend ssl-sni-router
-    bind *:443 v4v6
+    bind :::443 v4v6 strict-sni alpn h2,http/1.1
     tcp-request inspect-delay 5s
+    # log the ssl sni on the haproxy
+    tcp-request content capture req.ssl_sni len 24
+    log-format "%ci:%cp [%t] %f %b -- SNI %[capture.req.hdr(0)]"
     tcp-request content accept if { req.ssl_hello_type 1 }
     acl a_somesite req.ssl_sni -i somesite.net
     use_backend somesite if a_somesite
-    default_backend adefaultsite
+    default_backend adefaultproxy
-backend adefaultsite
+backend adefaultproxy
     server def1 127.0.0.1:1443
 backend somesite

NoBIGTech Wiki Técnico

User Tools

Site Tools

Differences

Page Tools