Hello all!
I'm trying to convert an Apache reverse proxy setup over to using HAProxy,
but am running into issues with SNI. I followed
http://stuff-things.net/2016/11/30/haproxy-sni/ to set this up, but it's
not working, and I have not yet been able to figure out why.
HAProxy version: 1.5.4-3 installed from the EPEL repo on CentOS 6 (policy
here forbids self-compiled versions, so we are limited to only what's
available to us in EPEL).
I've narrowed down the problem to my frontend definition - if I simplify
the front-end to not do SNI, it works fine to either backend. If I add a
default_backend definition, it goes to the default backend no matter which
hostname I provide. Without the default_backend in the frontend
configuration, I get a 503 error from the proxy. So something is
definitely not right with my SNI configuration, but I certainly cannot
find it!
Here is a sanitized version of my frontend definition in haproxy.cfg:
frontend https-8443
    bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
    use_backend site1 if { hdr(host) -i site1.domain.com }
    use_backend site2 if { hdr(host) -i site2.domain.com }
We will eventually have something like 20-30 different SSL sites in this
configuration, along with some IP-based ACLs as well, but I'm not to that
point as of yet. I am simply trying to get SNI working, to direct to a
different backend depending on the hostname requested (which, according to
my reading, should be perfectly doable with haproxy).
Anybody got any ideas of what I'm doing wrong?
Thanks for your time!
Jeremy Utley
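A corrected version of the frontend, as an added example that is not from the original post or the HAProxy project. It assumes the sanitized frontend above really has no `mode http` line (HAProxy defaults to tcp mode, in which the HTTP-layer `hdr(host)` sample can never be evaluated, so no `use_backend` rule matches and the 503 follows) and that backends `site1` and `site2` already exist; the `no-match` backend name is my own.

```haproxy
# Added example, not the poster's configuration. Assumes no "mode http"
# is set anywhere for this frontend and that backends site1/site2 exist.

# --- As posted: no mode, so the frontend runs in tcp mode. hdr(host) is
# an HTTP sample and is never evaluated there; nothing matches -> 503.
# frontend https-8443
#     bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
#     use_backend site1 if { hdr(host) -i site1.domain.com }
#     use_backend site2 if { hdr(host) -i site2.domain.com }

# --- Corrected: HTTP mode, routing on the TLS SNI value.
frontend https-8443
    mode http
    bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
    # ssl_fc_sni is the server name sent in the TLS ClientHello. Unlike
    # the Host header it never carries the ":8443" suffix a browser adds
    # on a non-default port, so an exact case-insensitive match works.
    use_backend site1 if { ssl_fc_sni -i site1.domain.com }
    use_backend site2 if { ssl_fc_sni -i site2.domain.com }
    # Send unknown or missing server names to a backend that refuses
    # them, rather than silently serving a real site as the default.
    default_backend no-match

# Catch-all for hostnames that matched no site (name is an assumption).
backend no-match
    mode http
    http-request deny
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file without starting the proxy, and with the tcp-mode version it warns that the `hdr(host)` ACL can never match in that frontend, which is the quickest way to confirm the diagnosis.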