Haproxy configuration for SSL request passthrough to different backend based on SNI
# HAProxy configuration for SSL request passthrough to different backends based on the SNI read during the TLS handshake
# The load balancer does not decrypt the traffic; it transparently forwards the TCP stream to the backend server in the private subnet.
# With this configuration you can run multiple services, each with its own SSL certificate, on different EC2 instances in the backend,
# while exposing only one load balancer IP to the public internet. There is no need to install an SSL certificate at the load balancer level.
# Because the stream stays encrypted, the load balancer only ever sees the SNI name: it cannot log request paths, apply HTTP-level rules, or add headers.
# Ref:
# How to support wildcard SNI: https://stackoverflow.com/questions/24839318/haproxy-reverse-proxy-sni-wildcard
# https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
# https://stuff-things.net/2016/11/30/haproxy-sni/

# Added to the original gist: a minimal defaults section so HAProxy starts without "missing timeouts" warnings
# (the timeout values are assumptions; tune them for your environment)
defaults
    mode tcp
    timeout connect 5s
    timeout client 30s
    timeout server 30s

#---------------------------------------------------------------------
# Proxies to the webserver backend port 443
#---------------------------------------------------------------------
frontend main_ssl
    bind :443
    mode tcp
    option tcplog
    # Wait for a ClientHello for at most 5 seconds
    tcp-request inspect-delay 5s
    # req_ssl_hello_type 1 = ClientHello. If the delay expires without one (e.g. a plain TCP or HTTP client),
    # HAProxy's default action is still to accept, and the connection is routed to default_backend.
    tcp-request content accept if { req_ssl_hello_type 1 }
    # "-m end" is a suffix match: "www.aaa.domain.com" matches ".aaa.domain.com", the bare "aaa.domain.com" does not
    use_backend aaa_ssl if { req_ssl_sni -m end .aaa.domain.com }
    use_backend bbb_ssl if { req_ssl_sni -m end .bbb.domain.com }
    default_backend static

backend aaa_ssl
    mode tcp
    balance roundrobin
    server aaa_ssl_server x.x.x.x:443 check

backend bbb_ssl
    mode tcp
    balance roundrobin
    server bbb_ssl_server x.x.x.x:443 check

# Added to the original gist: HAProxy refuses to start when default_backend names a backend that is not defined,
# so the "static" backend needs a definition like this one (x.x.x.x is a placeholder, as above)
backend static
    mode tcp
    balance roundrobin
    server static_server x.x.x.x:443 check