I'm using a MikroTik router with SSTP, and I have a Fedora server running httpd with HTTP and HTTPS, but I only have a single IPv4 address from my ISP.
I currently have SSTP working on port 444, but I need to move it to port 443 to bypass the Great Firewall (recently the Chinese government started blocking PPTP so I want to hide fully on port 443).
I have found documents about SNI load balancing for HAProxy, but I haven't got it working yet,
e.g.
https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
Here is my setup (edited 5th July 2018 22:20 CET)
frontend main 192.168.0.3:443 ssl ca-cert /etc/pki/tls/certs/sstp.crt
    use_backend sstp if { ssl_fc_sni sstp.mydomain.com }
    use_backend websites if { ssl_fc_sni www.mydomain.com }
    default_backend websites

backend websites
    mode tcp
    balance roundrobin
    server www 127.0.0.1:443 check

backend sstp
    mode tcp
    balance roundrobin
    server router 192.168.0.1:444 ca-cert /etc/pki/tls/certs/sstp.crt
After editing the backend to include ca-cert, I can get SSTP to connect when I change the default_backend to sstp.
haproxy -d doesn't give me much debug info. I'm not familiar enough with the syntax to get SNI working, but I'm making progress …
Just tried the exact syntax from the example, and that doesn't work either:
frontend main 192.168.0.3:443 ssl ca-cert /etc/pki/tls/certs/sstp.crt
    use_backend sstp if { ssl_fc_sni sstp.example.com }
    acl application_1 req_ssl_sni -i sstp.example.com
    use_backend sstp if application_1
    default_backend websites
Best Answer
Finally cracked it. This is the solution:
The only problem here is that using the public IP doesn't work.
Edited 6th July 2018 13:00 CET to change the req_ssl_sni from matching my domain names to checking simply for the presence of SNI.
Documentation for the logic (aka access control lists) is found here: https://www.haproxy.com/de/documentation/hapee/1-7r1/traffic-management/acls/
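For reference, here is an added example of the SNI passthrough pattern the thread is after (this is not the poster's posted solution). It assumes the same layout as the question: HAProxy on 192.168.0.3, httpd listening only on 127.0.0.1:443, the MikroTik SSTP server on 192.168.0.1:444, and placeholder hostnames sstp.example.com / www.example.com. The key points are that in tcp mode HAProxy never decrypts anything, so the bind line carries no ssl/crt/ca-cert, the frontend must wait for the ClientHello before req_ssl_sni has a value, and ssl_fc_sni (which only exists when HAProxy itself terminates TLS) is replaced by req_ssl_sni.

```haproxy
# Added example, not the poster's config. Addresses and hostnames are assumptions.
defaults
    mode tcp
    option tcplog
    timeout connect 5s
    timeout client  1h     # SSTP tunnels are long-lived; keep idle tunnels open
    timeout server  1h

frontend tls_in
    # Plain TCP bind: no "ssl"/"crt"/"ca-cert". HAProxy relays the TLS bytes
    # untouched, so each backend keeps its own certificate and private key.
    bind 192.168.0.3:443
    mode tcp
    # Buffer the first bytes (up to 5s) until a TLS ClientHello is seen;
    # without this, req_ssl_sni is evaluated before the SNI has arrived.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # req_ssl_sni reads the server_name extension from the raw ClientHello.
    acl is_sstp req_ssl_sni -i sstp.example.com
    acl is_web  req_ssl_sni -i www.example.com
    acl has_sni req_ssl_sni -m found      # "presence of SNI" check, as in the edit note
    use_backend sstp     if is_sstp
    use_backend websites if is_web
    # Connections without SNI or with an unknown name go to the web server,
    # so the VPN endpoint is only reached by clients that ask for it by name.
    default_backend websites

backend websites
    mode tcp
    server www 127.0.0.1:443 check

backend sstp
    mode tcp
    # No ca-cert here: the client and the router complete the TLS handshake
    # end to end, HAProxy only forwards the stream.
    server router 192.168.0.1:444
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; with `option tcplog` the access log then records which backend each SNI was routed to, which is the easiest way to confirm the ACLs match.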