haproxy sni
# Process-wide settings shared by every frontend/backend below.
global
# Run the worker as the unprivileged haproxy user/group (privileges are
# only needed at startup to bind :443).
user haproxy
group haproxy
# Detach into the background.
daemon
# Ship log lines to the local syslog socket on facility local0; the
# frontends below reference this via `log global`.
log /dev/log local0
# Inherited by every proxy section that does not override these. No `mode`
# is set here, so sections without their own `mode` run as tcp proxies.
defaults
# Give up on a server connect after 5s; idle client/server sides after 30s.
timeout connect 5s
timeout client 30s
timeout server 30s
# Much longer idle limit once a connection has become a tunnel
# (e.g. upgraded/CONNECT traffic).
timeout tunnel 1h
# One line per session: frontend, backend/server, client endpoint, then the
# TLS details of the *frontend* connection. Note that %sslv/%sslc/%[ssl_fc_has_sni]
# describe a TLS session terminated by the logging frontend itself; on
# public_ssl the bind has no `ssl`, so they log as "-"/"-"/0 even when the
# client sent SNI (see the sample log line at the bottom of this page).
log-format frontend:%f\ %b/%s\ client_ip:%Ci\ client_port:%Cp\ SSL_version:%sslv\ SSL_cypher:%sslc\ SNI:%[ssl_fc_has_sni]\ %ts
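# Public entry point for all TLS traffic. Nothing is decrypted here: the
# ClientHello is inspected for an SNI name and the raw TCP stream is then
# handed to one of the loopback frontends that actually terminates TLS,
# with the original client address carried across via the PROXY protocol.
frontend public_ssl
# Explicit: this frontend passes TLS through untouched (no `ssl` on bind).
mode tcp
bind :443
log global
# Hold the connection (up to 5s) until a complete ClientHello is buffered;
# a client that never sends one falls through to default_backend when the
# delay expires.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# The bind above does not terminate TLS, so ssl_fc_has_sni (which reads the
# frontend's *own* SSL session) is always false here and every client would
# land on be_no_sni. The name has to be read out of the buffered ClientHello
# with req_ssl_sni instead.
acl sni req_ssl_sni -m found
use_backend be_sni if sni
# Name-based rule kept from the original config. It was written against
# hdr(host), which cannot match on this frontend: the stream is still
# encrypted and this is a tcp proxy, so no HTTP header is readable. The
# SNI name is the equivalent that is visible at this point. (Redundant
# with the `sni` acl above, but harmless.)
use_backend be_sni if { req_ssl_sni -i www.example.com }
# No SNI (or no ClientHello within the inspect delay): terminate with the
# default certificate.
default_backend be_no_sni
#default_backend be_sni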
##########################################################################
# TLS SNI
##########################################################################
# Loopback hop to the SNI-terminating frontend (fe_sni).
backend be_sni
# send-proxy prepends a PROXY protocol header so fe_sni (accept-proxy)
# sees the real client address instead of 127.0.0.1.
server fe_sni 127.0.0.1:10444 weight 1 send-proxy
# TLS termination for clients that sent SNI. Reached only via be_sni.
frontend fe_sni
#terminate by matching sni header to certificates in directory
# - `crt <dir>` loads every certificate in the directory; HAProxy picks
#   the one matching the client's SNI name.
# - accept-proxy: the client address is taken from the PROXY header sent
#   by be_sni. Anything that can connect to this port can supply such a
#   header, so the loopback-only bind is what keeps it from being spoofed
#   by remote hosts; keep it on 127.0.0.1.
# - no-sslv3 disables SSLv3 only; TLS 1.0/1.1 remain negotiable with this
#   line as written.
# NOTE(review): no `mode` is set (defaults sets none either), so this is a
# tcp-mode frontend handing off to an http-mode backend; consider an
# explicit `mode http` here — confirm against the HAProxy version in use.
bind 127.0.0.1:10444 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy/conf/certs accept-proxy no-sslv3
default_backend openshift_default
##########################################################################
# END TLS SNI
##########################################################################
##########################################################################
# TLS NO SNI
##########################################################################
# TLS termination for clients that sent no SNI. Reached only via be_no_sni.
frontend fe_no_sni
# Single default certificate (no name-based selection is possible without
# SNI). accept-proxy and no-sslv3 carry the same caveats as on fe_sni:
# keep the bind on loopback so the PROXY header cannot be forged remotely,
# and note that only SSLv3 is disabled.
bind 127.0.0.1:10443 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy-base/conf/default_pub_keys.pem accept-proxy no-sslv3
default_backend openshift_default
# backend for when sni does not exist, or ssl term needs to happen on the edge
# Loopback hop to fe_no_sni, with the client address forwarded via the
# PROXY protocol (send-proxy <-> accept-proxy).
backend be_no_sni
server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy
##########################################################################
# END TLS NO SNI
##########################################################################
# Plain-HTTP backend both terminating frontends forward to after decryption.
backend openshift_default
mode http
# Add X-Forwarded-For with the client address; because the terminating
# frontends take that address from the PROXY header, this is the real
# client IP rather than 127.0.0.1.
option forwardfor
option http-pretend-keepalive
server openshift_backend 127.0.0.1:8080
[vagrant@openshiftdev ~]$ openssl s_client -servername www.example.com -connect 10.245.1.2:443
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192
---
.... removed ....
Jan 05 17:51:31 openshiftdev.local haproxy[17807]: frontend:public_ssl be_no_sni/fe_no_sni client_ip:10.245.1.2 client_port:42285 SSL_version:- SSL_cypher:- SNI:0 --