Score:0

HAPROXY SNI SSL pass through or termination


I would like to set up HAProxy to terminate SSL or pass through the connection depending on the hostname, exposing only one public IP address. For example:

Internet -> domain web1.example.com (10.10.10.1) HAproxy SSL termination -> Backend (10.10.10.10)

Internet -> domain web2.example.com (10.10.10.1) HAproxy Pass through -> Backend (10.10.10.20)

I would like to have it like that to allow the possibility of mTLS for web2.example.com.

Is it possible using only one public IP?

Thanks.

Score:0

Try something like this. Be careful, I did not check it =)

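frontend front_tcp
    bind *:443
    mode tcp

    # Wait for the TLS ClientHello so that the SNI is available to the ACL
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # web2 is passed through untouched, so the backend handles TLS (and mTLS) itself
    acl host_web2 req_ssl_sni -i web2.example.com
    use_backend back_web2 if host_web2

    # Everything else is looped to the local TLS-terminating frontend
    default_backend back_tcp_to_http

backend back_tcp_to_http
    mode tcp
    server haproxy-http 127.0.0.1:8443

frontend front_http
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/ssl/mycert.pem

    acl host_web1 hdr(host) -i web1.example.com
    use_backend back_web1 if host_web1

backend back_web1
    mode http
    server web1 10.10.10.10:80

backend back_web2
    mode tcp
    server web2 10.10.10.20:443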
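
Added example, not part of the original answer: a Python sketch of what `req_ssl_sni` reads, parsing the unencrypted ClientHello and picking a backend the way front_tcp does. `build_client_hello`, `extract_sni` and `route` are hypothetical names and the sample bytes are constructed; a partly received hello yields no SNI and falls to the default backend, which is the case `tcp-request inspect-delay` addresses.

```python
import struct

def build_client_hello(host=None):
    """Constructed sample input: a minimal TLS ClientHello, optionally with SNI."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 0x16 = handshake

def extract_sni(data):
    """Return the lower-cased SNI host name, or None if absent or not yet complete."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        if len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            return None                              # record only partly received
        pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                         # skip session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]    # skip cipher_suites
        pos += 1 + data[pos]                         # skip compression_methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            body = data[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and body[2] == 0:       # server_name, host_name entry
                name_len = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii").lower()
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def route(data):
    """Model of front_tcp: SNI web2.example.com is passed through, all else is terminated."""
    return "back_web2" if extract_sni(data) == "web2.example.com" else "back_tcp_to_http"

if __name__ == "__main__":
    hello = build_client_hello("web2.example.com")
    print(route(hello), route(hello[:20]), route(build_client_hello("web1.example.com")))
```

The SNI is sent in cleartext and chosen by the client, so it selects a backend but authenticates nothing; the mTLS check for web2 still has to be enforced on 10.10.10.20 itself.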