Differences

This shows you the differences between two versions of the page.

--- docu:csheet:syadm:web:server:haproxy_sni [2020/02/14 13:12]
admin created
+++ docu:csheet:syadm:web:server:haproxy_sni [2020/05/10 10:55] (current)
admin
@@ Line 1: / Line 1: @@
-TODO: Check out https://coolaj86.com/articles/adventures-in-haproxy-tcp-tls-https-ssh-openvpn/ and improve the documentation here
+==== Route traffic via the ssl_sni header ====
+Routing **HTTPS traffic** via the **ssl_sni tcp packet header** is a way to balance and create virtual hosts pointing directly to **their tcp port**, so it allows to leave SSL offloading work to the backend, and more useful stuff.\\
+\\
+As a result, **no http header logic** can be used, as it **operates at TCP level**.
+\\
+<code conf>
+global
+    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
+    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+    tune.ssl.default-dh-param 2048
+defaults
+    log /dev/log local0 info
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    option tcplog
+    option logasap
+    mode tcp
+frontend ssl-sni-router
+    bind :::443 v4v6 strict-sni alpn h2,http/1.1
+    tcp-request inspect-delay 5s
+    # log the ssl sni on the haproxy
+    tcp-request content capture req.ssl_sni len 24
+    log-format "%ci:%cp [%t] %f %b -- SNI %[capture.req.hdr(0)]"
+    tcp-request content accept if { req.ssl_hello_type 1 }
+    acl a_somesite req.ssl_sni -i somesite.net
+    use_backend somesite if a_somesite
+    default_backend adefaultproxy
+backend adefaultproxy
+    server def1 127.0.0.1:1443
+backend somesite
+    server some1 127.0.0.1:1447
+</code>
+Check out https://coolaj86.com/articles/adventures-in-haproxy-tcp-tls-https-ssh-openvpn/ for additional info maybe?

NoBIGTech Wiki Técnico

User Tools

Site Tools

Differences

Page Tools