I need to serve several applications over https using one external ip address.
The ssl certificates should not be managed on the reverse proxy. They are installed on the application servers.
Can a reverse proxy be configured to use SNI and pass ssl through for termination at the endpoint?
Is this possible using something like Nginx or Apache? What does the configuration look like?
Best Answer
This IS possible with Haproxy. You can setup a TCP proxy and extract the SNI and do routing based on the SNI. Here's an example:
It is essential to delay the request until you get the SSL hello, otherwise haproxy will try to make a connection before receiving the SNI header.
I am using servers with weight 0 because, in my current configuration, I only have one server running for each SNI and I don't want them to receive random requests. You can probably find better ways to play with this.
I hope this helps.