User Tools
docu:csheet:syadm:web:server:haproxy_sni
This is an old revision of the document!
Route traffic via the ssl_sni header
Routing HTTPS traffic via the ssl_sni tcp packet header is a way to balance and create virtual hosts pointing directly to their tcp port, so it allows to leave SSL offloading work to the backend, and more useful stuff.
global
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
tune.ssl.default-dh-param 2048
defaults
log 127.0.0.1 local0 notice
timeout connect 3500
timeout queue 11000
timeout tarpit 12000
timeout client 30000
timeout http-request 40000
timeout http-keep-alive 5000
timeout server 40000
timeout check 7000
option tcplog
mode tcp
frontend ssl-sni-router
bind *:443 v4v6
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
acl a_somesite req.ssl_sni -i somesite.net
use_backend somesite if a_somesite
default_backend adefaultsite
backend adefaultsite
server def1 127.0.0.1:1443
backend somesite
server some1 127.0.0.1:1447
Check out https://coolaj86.com/articles/adventures-in-haproxy-tcp-tls-https-ssh-openvpn/ for additional info maybe?
docu/csheet/syadm/web/server/haproxy_sni.1582044753.txt.gz · Last modified: 2020/02/18 16:52 by admin
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
