@PiBa-NL
Last active September 27, 2019 05:31
HAProxy SNI fallback/workaround example. This example shows some of the possibilities for giving 'best effort' support to browsers that do not support SNI (or at least my quick test case/workout turned into this; I don't use it myself, and I don't claim it's actually usable for anyone).
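global
# Process-wide limits and logging. The syslog target is the same host that
# serves as origin server below (192.168.0.40); logs go out as cleartext syslog
# at debug level, so keep that path on a trusted network.
maxconn 300
log 192.168.0.40 local0 debug
# Admin-level runtime socket: anyone able to connect can disable servers, drain
# traffic and read runtime state. The original line set no file mode, and /tmp
# is world-writable, so restrict the socket to its owner; the (root) management
# side that drives it is unaffected.
stats socket /tmp/haproxy.socket level admin mode 600
# Only a group is set — there is no `uid`/`user`, so the process keeps the user
# it was started as (presumably root, which the `usesrc clientip` backends
# below likely require — confirm before adding a `uid`).
gid 80
nbproc 1
chroot /var/empty
daemon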
#
# Example configuration for HAProxy 1.5-dev19 for using SNI
# While still trying to support mobile/older browsers/applications that don't support SNI.
#
# 3 domain names/certificates used, with different methods of forwarding/certificate handling
#
# I'm using the transparent proxy option "source 0.0.0.0 usesrc clientip", so the real client IP is presented to the webserver,
# because when forwarding SSL in TCP mode it is not possible to modify headers to add X-Forwarded-For.
#
# ## sub1.pfsense.localdomain ##
# - for SNI-capable browsers this is forwarded 1:1 to the right backend
# - when no SNI is available (IE on XP), traffic is forwarded to an SSL-offloading frontend; this should be configured with a wildcard certificate
#
# ## sub2.pfsense.localdomain ##
# - the browser is redirected to a different port so the proper certificate can be presented by the backend.
# - a wildcard certificate should be used, because when no SNI is available it is not possible to send the proper certificate.
# - after the redirect no SSL offloading is done
# - the site must 'support' requests on a port other than '443'; as an alternative you could redirect to a different domain name/IP if available
#
# ## sub3.pfsense.localdomain ##
# - uses SSLoffloading
# - using SNI the proper certificate will be presented
# - the default (wildcard) certificate is sent to older browsers.
# - headers like X-Forwarded-For can be inserted
#
#
# Provided to you by PiBa-NL.
# Not intended for production purposes.. So use at your own risk. :)
#
defaults
# Section-wide defaults. Every frontend below sets its own `timeout client`
# and `maxconn`, so only the server-side timeouts and retry count live here.
timeout connect 30000
timeout server 30000
# NOTE(review): there is no `timeout http-request` anywhere in this file, so
# the http-mode frontends bound header reception only by `timeout client`
# (30s); consider adding one to limit slow-header clients.
retries 3
frontend stats
# Stats UI on a dedicated LAN address and port, TLS-terminated here.
bind 192.168.0.2:446 ssl crt /var/etc/stats.446.crt
mode http
log global
option dontlognull
# Tight connection cap: this is an administrative interface, not a public service.
maxconn 10
timeout client 30000
# Authentication is enforced in stats_http (`stats auth`), not on this bind.
default_backend stats_http
frontend mainSSLfrontend-merged
# Public :443 listener in TCP mode: no TLS termination here; routing is decided
# from the SNI name read out of the ClientHello.
bind 192.168.1.22:443
mode tcp
log global
option dontlognull
maxconn 300
timeout client 30000
# Only sub1 is matched on SNI and passed through untouched to its origin.
acl 0_sub1acl req_ssl_sni -i sub1.pfsense.localdomain
use_backend ba_sub1_TCP_https if 0_sub1acl
# Everything else — no SNI at all, or SNI for sub2/sub3 — is hairpinned to the
# local TLS-offloading frontend through noSNI_https.
default_backend noSNI_https
# Buffer up to 5s so req_ssl_sni can be evaluated; a ClientHello (hello type 1)
# is accepted as soon as it arrives. Non-TLS bytes on this port sit out the
# delay; presumably they are then accepted and sent to the default backend as
# well — confirm against the HAProxy version in use.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
frontend noSNIfrontend-merged
# Local TLS-offloading frontend, reached only via backend noSNI_https.
# Several `crt` files are listed; presumably HAProxy selects one by SNI when
# the client sends it and otherwise uses the first (noSNIfrontend.10443.crt,
# intended as the wildcard certificate per the header comments) — confirm.
# `accept-proxy`: a PROXY-protocol header is trusted from whoever connects to
# 127.0.0.1:10443. noSNI_https supplies it (send-proxy), but so could any
# local process, which would then choose the client address that
# `option forwardfor` below writes into X-Forwarded-For. Acceptable only if
# every local user of this host is trusted.
bind 127.0.0.1:10443 ssl crt /var/etc/noSNIfrontend.10443.crt crt /var/etc/noSNIsub1.10443.crt crt /var/etc/noSNIsub2.10443.crt crt /var/etc/noSNIsub3.10443.crt accept-proxy
# Marker headers so the origin can tell this fallback path apart from the
# direct SNI pass-through, and whether the client actually sent SNI.
# NOTE(review): `reqadd` is the 1.5-era syntax; later HAProxy releases
# replaced it with `http-request add-header`.
reqadd HAPROXY:\ NO_SNI_FALLBACK
reqadd SNI_available:\ YES if { ssl_fc_has_sni }
# Client address (taken from the PROXY header) is forwarded as X-Forwarded-For.
option forwardfor
# sub2: bounce the browser to the dedicated port so the origin can present its
# own certificate (see XPnoSub2 / ba_sub2_TCP_https). For a Host that matches
# this rule the sub2 use_backend further down should never be reached.
redirect prefix https://sub2.pfsense.localdomain:2443 if { hdr(host) -i sub2.pfsense.localdomain }
mode http
log global
option dontlognull
option httpclose
maxconn 300
timeout client 30000
# Host-header routing. NOTE(review): Host is client-chosen, but every target is
# an explicit backend, so an unexpected value can only land on the default.
acl 0_SNI_ba_sub1_SSL_http hdr(host) -i sub1.pfsense.localdomain
use_backend ba_sub1_SSL_http if 0_SNI_ba_sub1_SSL_http
acl 1_SNI_ba_sub2_SSL_http hdr(host) -i sub2.pfsense.localdomain
use_backend ba_sub2_SSL_http if 1_SNI_ba_sub2_SSL_http
acl 2_SNI_ba_sub3_SSL_http hdr(host) -i sub3.pfsense.localdomain
use_backend ba_sub3_SSL_http if 2_SNI_ba_sub3_SSL_http
# Anything else goes to the local catch-all on 127.0.0.1:443.
default_backend nosni_default_http
frontend XPnoSub1
# Alternative port for SNI-less clients of sub1: plain TCP pass-through with
# no inspection, so whatever reaches :1443 is relayed to 192.168.0.40:443.
# NOTE(review): unlike :2443, nothing in this file redirects clients here;
# presumably it is reached by direct configuration or an out-of-band link.
bind 192.168.1.22:1443
mode tcp
log global
option dontlognull
maxconn 300
timeout client 30000
default_backend ba_sub1_TCP_https
frontend XPnoSub2
# Target of the sub2 redirect in noSNIfrontend-merged: plain TCP pass-through
# on :2443 to the origin's :444, where the origin presents sub2's certificate
# itself (no offloading on this path).
bind 192.168.1.22:2443
mode tcp
log global
option dontlognull
maxconn 300
timeout client 30000
default_backend ba_sub2_TCP_https
backend stats_http
# Serves the statistics page for the `stats` frontend.
mode http
stats enable
stats uri /
stats realm haproxystats
# Published example credential; it travels as HTTP basic auth and is protected
# in transit only by the TLS on the stats frontend. Replace it in any real
# deployment.
stats auth AdminUser:SecretPass
stats refresh 5s
# This backend has no `server` lines, so the health check has nothing to probe.
option httpchk OPTIONS /
backend noSNI_https
# Hairpin to the local offloading frontend in TCP mode; `send-proxy` carries
# the real client address across loopback (matched by `accept-proxy` on
# 127.0.0.1:10443).
mode tcp
option httpchk
# NOTE(review): `check-ssl` is present but `check` is not, while every other
# backend spells both; health checking is probably not enabled for this
# server as written — confirm.
server noSNIsrv 127.0.0.1:10443 check-ssl weight 1 send-proxy
backend nosni_default_http
# Catch-all when the Host header matches none of the three sites: re-encrypt
# to a local 127.0.0.1:443. NOTE(review): nothing in this file listens on
# 127.0.0.1:443, so this assumes a separate local web server — confirm, or
# every unmatched Host will hit a server that fails its health check.
mode http
option httpchk OPTIONS /
# `ssl` without `verify`: whether the upstream certificate is validated
# depends on the version's `ssl-server-verify` default — confirm.
server localSRV 127.0.0.1:443 ssl check inter 1000 weight 1
backend ba_sub1_TCP_https
# SNI pass-through for sub1: the client's TLS session is relayed intact, so
# the origin on :443 must present sub1's certificate itself.
mode tcp
# Transparent proxying: connect with the client's own source address so the
# origin sees the real IP. Needs kernel support and, on most systems, elevated
# privileges (presumably why global sets no `uid`), and the origin's replies
# must route back through this host — confirm both in the target environment.
source 0.0.0.0 usesrc clientip
# Health check is an HTTPS OPTIONS / (`check-ssl`), separate from the
# pass-through traffic.
option httpchk OPTIONS /
server srv40_srv_443 192.168.0.40:443 check inter 10000 weight 1 check-ssl
backend ba_sub1_SSL_http
# sub1 via the offloading path: the request was decrypted in
# noSNIfrontend-merged and is re-encrypted here towards the origin's :443.
mode http
# Same transparent-source setup as ba_sub1_TCP_https (kernel support and
# privileges required; return traffic must pass back through this host).
source 0.0.0.0 usesrc clientip
option httpchk OPTIONS /
# `ssl` without `verify`: upstream certificate validation depends on the
# version's `ssl-server-verify` default — confirm.
server srv40_srv_443 192.168.0.40:443 ssl check inter 10000 weight 1
backend ba_sub2_TCP_https
# sub2 after the redirect to :2443: TCP pass-through to the origin's :444,
# which must present sub2's certificate itself.
mode tcp
# Transparent source address; same caveats as ba_sub1_TCP_https.
source 0.0.0.0 usesrc clientip
option httpchk OPTIONS /
server srv40_srv_444 192.168.0.40:444 check inter 10000 weight 1 check-ssl
backend ba_sub2_SSL_http
# sub2 via the offloading path. NOTE(review): noSNIfrontend-merged redirects
# every sub2 Host to :2443 before backend selection, so this backend is
# presumably only reached if that redirect is removed — confirm it is wanted.
mode http
# Transparent source address; same caveats as ba_sub1_TCP_https.
source 0.0.0.0 usesrc clientip
option httpchk OPTIONS /
# `ssl` without `verify`: upstream certificate validation depends on the
# version's `ssl-server-verify` default — confirm.
server srv40_srv_444 192.168.0.40:444 ssl check inter 10000 weight 1
backend ba_sub3_SSL_http
# sub3 is offload-only: decrypted in noSNIfrontend-merged (with X-Forwarded-For
# added) and re-encrypted here towards the origin.
mode http
# Transparent source address; same caveats as ba_sub1_TCP_https.
source 0.0.0.0 usesrc clientip
option httpchk OPTIONS /
# NOTE(review): the server name says 445 but the address uses port 442; the
# other backends name servers after their port, so one of the two is likely a
# typo — confirm which port the sub3 origin actually listens on.
# `ssl` without `verify`: upstream certificate validation depends on the
# version's `ssl-server-verify` default — confirm.
server srv40_srv_445 192.168.0.40:442 ssl check inter 10000 weight 1