Bob Huang hxyconan

@hxyconan
hxyconan / haproxy_ssl_request_passthrough_ver2.txt
Last active April 2, 2024 07:35
Haproxy configuration for SSL request passthrough to different backend based on SNI
# Haproxy configuration for SSL request passthrough to different backends based on the SNI read during the TLS handshake
# The load balancer does not decrypt the traffic; it transparently forwards the encrypted stream to the backend server in the private subnet.
# With such a configuration, you can run multiple services, each with its own SSL certificate, on different EC2 instances in the backend, while exposing only one load balancer IP to the public internet. There is no need to install an SSL certificate at the load balancer level.
# Ref:
# How to support wildcard sni: https://stackoverflow.com/questions/24839318/haproxy-reverse-proxy-sni-wildcard
# https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
# https://stuff-things.net/2016/11/30/haproxy-sni/
@hxyconan
hxyconan / haproxy_ssl_request_passthrough_ver1.txt
Last active July 13, 2018 02:02
Haproxy configuration for SSL request passthrough with ACL rules
# Haproxy configuration for SSL request passthrough with ACL rules
# Notes: There is a problem here: req_ssl_sni -i checks the exact domain in the certificate, so if the certificate has an Alt Name or SAN, such an ACL rule does not work.
# Ref:
# https://github.com/rancher/lb-controller/blob/master/provider/haproxy/config/haproxy_template.cfg#L32
# https://stackoverflow.com/questions/30393390/redirect-http-to-https-haproxy-use-ssl-passthrough
# https://gist.github.com/voduytuan/a919c408f61121b6dcc6
#---------------------------------------------------------------------
# Proxies to the webserver backend port 443