Last active
April 2, 2024 07:35
-
-
Save hxyconan/a35072bc64db8cb0a2bbd4b0681c2d2f to your computer and use it in GitHub Desktop.
Haproxy configuration for SSL request passthrough to different backend based on SNI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Haproxy configuration for SSL request passthrough to different backend based on SNI read from Handshaking stage | |
| # The Loadbalance will not decode the encrpted data but transparently transfer to the backend server in Private subnet. | |
| # With such configuration, you can install multiply services with its own SSL certificate in backend in different EC2 instance, but only explosure to public internet with one Loadbalance IP. There is no need to install SSL certificate in Loadbalancer level. | |
| # Ref: | |
| # How to support wildcard sni: https://stackoverflow.com/questions/24839318/haproxy-reverse-proxy-sni-wildcard | |
| # https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ | |
| # https://stuff-things.net/2016/11/30/haproxy-sni/ | |
| #--------------------------------------------------------------------- | |
| # Proxys to the webserver backend port 443 | |
| #--------------------------------------------------------------------- | |
| frontend main_ssl | |
| bind :443 | |
| mode tcp | |
| option tcplog | |
| # Wait for a client hello for at most 5 seconds | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| use_backend aaa_ssl if { req_ssl_sni -m end .aaa.domain.com } | |
| use_backend bbb_ssl if { req_ssl_sni -m end .bbb.domain.com } | |
| default_backend static | |
| backend aaa_ssl | |
| mode tcp | |
| balance roundrobin | |
| server aaa_ssl_server x.x.x.x:443 check | |
| backend bbb_ssl | |
| mode tcp | |
| balance roundrobin | |
| server bbb_ssl_server x.x.x.x:443 check |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
global
log 127.0.0.1 local2
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 10
timeout http-request 10s
timeout queue 2m
timeout connect 10s
timeout client 2m
timeout server 2m
timeout http-keep-alive 30s
timeout check 50s
maxconn 3000
listen ingress
bind *:80
bind *:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend prod if { req_ssl_sni -i oauth-openshift.apps.ocp4.prod.com api.ocp4.prod.com console-openshift-console.apps.ocp4.prod.com }
use_backend dr if { req_ssl_sni -i oauth-openshift.apps.ocp4.dr.com api.ocp4.dr.com console-openshift-console.apps.ocp4.dr.com }
default_backend prod
backend prod
mode tcp
balance roundrobin
server cms 192.168.122.52:443 check # worker node IP
server cms 192.168.122.53:443 check # worker node IP
server cms 192.168.122.54:443 check# worker node IP
backend dr
mode tcp
balance roundrobin
server cms 192.168.122.62:443 check # worker node IP
server cms 192.168.122.63:443 check # worker node IP
server cms 192.168.122.64:443 check # worker node IP
Above configuration is working fine