Forked from PiBa-NL/HAProxy SNI fallback workaround example
Created
August 22, 2013 19:04
-
-
Save blissdev/6311394 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| maxconn 300 | |
| log 192.168.0.40 local0 debug | |
| stats socket /tmp/haproxy.socket level admin | |
| gid 80 | |
| nbproc 1 | |
| chroot /var/empty | |
| daemon | |
| frontend stats | |
| bind 192.168.0.2:446 ssl crt /var/etc/stats.446.crt | |
| mode http | |
| log global | |
| option dontlognull | |
| maxconn 10 | |
| timeout client 30000 | |
| default_backend stats_http | |
| frontend mainSSLfrontend-merged | |
| bind 192.168.1.22:443 | |
| mode tcp | |
| log global | |
| option dontlognull | |
| maxconn 300 | |
| timeout client 30000 | |
| acl 0_sub1acl req_ssl_sni -i sub1.pfsense.localdomain | |
| use_backend ba_sub1_TCP_https if 0_sub1acl | |
| default_backend noSNI_https | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| frontend noSNIfrontend-merged | |
| bind 127.0.0.1:10443 ssl crt /var/etc/noSNIsub1.10443.crt accept-proxy | |
| #accept-proxy | |
| reqadd HAPROXY:\ NO_SNI_FALLBACK | |
| redirect prefix http://nosnisub1.pfsense.localdomain drop-query if { hdr(host) -i sub1.pfsense.localdomain } | |
| mode http | |
| log global | |
| option dontlognull | |
| maxconn 300 | |
| timeout client 30000 | |
| acl 0_nosnisub hdr(host) -i nosnisub1.pfsense.localdomain | |
| use_backend ba_sub1_SSL_http if 0_nosnisub | |
| acl 1_SNI_ba_sub1_SSL_http hdr(host) -i sub1.pfsense.localdomain | |
| use_backend ba_sub1_SSL_http if 1_SNI_ba_sub1_SSL_http | |
| default_backend nosni_default_http | |
| backend stats_http | |
| mode http | |
| timeout connect 30000 | |
| timeout server 30000 | |
| retries 3 | |
| stats enable | |
| stats uri / | |
| stats realm haproxystats | |
| stats auth qw:as | |
| stats refresh 5s | |
| option httpchk OPTIONS / | |
| option tcpka | |
| backend noSNI_https | |
| mode tcp | |
| timeout connect 30000 | |
| timeout server 30000 | |
| retries 3 | |
| option httpchk | |
| server noSNIsrv 127.0.0.1:10443 check-ssl weight 1 send-proxy | |
| backend ba_sub1_TCP_https | |
| mode tcp | |
| timeout connect 30000 | |
| timeout server 30000 | |
| retries 3 | |
| source 0.0.0.0 usesrc clientip | |
| option httpchk OPTIONS / | |
| #option transparent | |
| server srv40_srv_443 192.168.0.40:443 check inter 10000 weight 1 check-ssl | |
| backend nosni_default_http | |
| mode http | |
| timeout connect 30000 | |
| timeout server 30000 | |
| retries 3 | |
| option httpchk OPTIONS / | |
| server localSRV 127.0.0.1:443 ssl check inter 1000 weight 1 | |
| backend ba_sub1_SSL_http | |
| mode http | |
| timeout connect 30000 | |
| timeout server 30000 | |
| retries 3 | |
| source 0.0.0.0 usesrc clientip | |
| option httpchk OPTIONS / | |
| server srv40_srv_443 192.168.0.40:443 ssl check inter 10000 weight 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
PiBa-NL | hey blissdev, just ask, after the redirect happens (after a certicate error+accept) you will need to send old browsers to a other ip/port/certificate to start serving them the correct cert.