Skip to content

Instantly share code, notes, and snippets.

@mbentley
Last active April 22, 2024 06:22
Show Gist options
  • Save mbentley/0e887c2af7863a562146ee23b121fb33 to your computer and use it in GitHub Desktop.
Save mbentley/0e887c2af7863a562146ee23b121fb33 to your computer and use it in GitHub Desktop.
HAProxy SNI Example
global
log /dev/log local0
log /dev/log local1 notice
defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout client-fin 50s
timeout server 50s
timeout tunnel 1h
default-server inter 15s fastinter 2s downinter 5s rise 3 fall 3
### standalone stats page
listen stats
# accessible at http://192.168.1.100/haproxy?stats
bind 0.0.0.0:8181
mode http
option httplog
stats enable
stats admin if TRUE
stats refresh 5m
### frontend servers
frontend http
bind 0.0.0.0:80
mode http
# redirects from http to https
redirect scheme https code 301 if { hdr(Host) -i site1.example.com } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i site1alias.example.com } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i site2.example.com } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i site3.example.com } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i site4.example.com } !{ ssl_fc }
# set default backend
default_backend default_http
frontend https
option tcplog
bind 0.0.0.0:443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
## exact matches
use_backend site1_https if { req.ssl_sni -i site1.example.com or site1alias.example.com }
use_backend site2_https if { req.ssl_sni -i site2.example.com }
use_backend site3_https if { req.ssl_sni -i site3.example.com }
use_backend site4_https if { req.ssl_sni -i site4.example.com }
# set default backend
default_backend default_https
### backend servers
backend default_http
mode http
server nginx_lb_http.sock unix@/run/nginx_lb_http.sock send-proxy weight 100 check
backend default_https
mode tcp
server nginx_lb_https.sock unix@/run/nginx_lb_https.sock send-proxy weight 100 check
backend site1_https
mode tcp
option ssl-hello-chk
server server1:443 192.168.1.101:443 weight 100 check
backend site2_https
mode tcp
option ssl-hello-chk
server server2:443 192.168.1.102:443 weight 100 check
backend site3_https
mode tcp
option ssl-hello-chk
server server3:443 192.168.1.103:443 weight 100 check
backend site4_https
mode tcp
option ssl-hello-chk
server server4:443 192.168.1.104:443 weight 100 check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment