Can I pass-through SSL with HAProxy to a vhost that shares an IP with other vhosts?
I tried:
frontend https
    bind *:443 #ssl
    mode tcp
    default_backend port_443

backend port_443
    mode tcp
    server web42 www.example.com
But I see the default web server, not www.example.com.
I could do SNI on the frontend, but how do I tell the backend that this is for the domain www.example.com?
    server web1 www.example.com:443 sni str(www.example.com) verify none
doesn't work either.
To make it clear: the web servers www.default.com, www.example.com and www.example.net all have the same IP and port, e.g. 10.0.1.10:443.
Apache/nginx chooses the right vhost with SNI.
The problem is still not solved. Here is a diagram:
                                    --------------------
                                    | (All 10.0.1.10:443)
www2.example.com:443 -> HAProxy ->  | www.default.com  <- Apache vhost default
                                    | www.example.com
                                    | www.example.net
                                    --------------------
I would like to reach www.example.com (with mode tcp).
If I have the private keys of www.example.com and www.example.net, can I reach www.example.net (when the user input is www.example.com) without security problems?
Best Answer
You can pass connections to whatever backend server/port you want.
But I see there is a bunch of stuff missing from your setup.
So this is from my own HAProxy setup, with which I forward https connections that must share a global IPv4 address, to backend servers which all have unique global IPv6 (and unique private IPv4).
Note that I am doing SNI inspection here, and matching on the SNI hostname to determine which backend to send the connection to.
Then I use send-proxy-v2, which enables the PROXY protocol on the backend connection. This will let me tell the backend the IP address where the connection originated. We use this protocol because X-Forwarded-For is not possible in this setup. But the PROXY protocol does require the backend server to be aware of it. To make that happen required a small change in my nginx setup, to wit:
By specifying proxy_protocol in listen and real_ip_header, nginx now knows to get the real IP address of the client via the PROXY protocol. (And notice that I do not use it on the IPv6 listener, because I only proxy IPv4 connections via haproxy. IPv6 connections come in directly, and a proxy is not required. This is one big advantage of IPv6.)

Finally, older versions of nginx spoke version 1 of the PROXY protocol, so if send-proxy-v2 in haproxy.cfg doesn't work, you'll need to change it to send-proxy. (And if you're one of the people still using Apache, set RemoteIPProxyProtocol on.)
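A worked configuration for what the answer describes (SNI inspection in mode tcp, a backend chosen per SNI hostname, send-proxy-v2 on the server line, and proxy_protocol plus real_ip_header on the nginx side). This is an added example, not the answerer's own haproxy.cfg or nginx config; the HAProxy host address 10.0.1.5, the per-vhost backend address 10.0.2.20, and the certificate paths are assumptions, while 10.0.1.10:443 is the shared vhost address from the question.

```conf
# --- haproxy.cfg (TLS pass-through, routed by SNI) ---
frontend https
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection until the TLS ClientHello has arrived so its SNI
    # can be read; HAProxy never decrypts anything in mode tcp.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Pick the backend from the SNI hostname (case-insensitive exact match).
    use_backend vhost_example_com if { req.ssl_sni -i www.example.com }
    use_backend vhost_example_net if { req.ssl_sni -i www.example.net }
    default_backend vhost_default

backend vhost_example_com
    mode tcp
    # The ClientHello is forwarded untouched, so the origin still sees the
    # SNI and picks its vhost itself. send-proxy-v2 prepends a PROXY v2
    # header carrying the client's real source address and port.
    server web42 10.0.1.10:443 send-proxy-v2

backend vhost_example_net
    mode tcp
    # Assumed: this vhost has its own private IPv4, as in the answer's setup.
    server web43 10.0.2.20:443 send-proxy-v2

backend vhost_default
    mode tcp
    server web_default 10.0.1.10:443 send-proxy-v2

# --- nginx server block for www.example.com (file path not shown) ---
server {
    # proxy_protocol: this listener expects a PROXY header before the TLS
    # bytes, so every IPv4 client must arrive via HAProxy; a direct
    # connection without the header is rejected.
    listen 10.0.1.10:443 ssl proxy_protocol;
    # IPv6 clients connect directly, so no PROXY header is expected here.
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example.com.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/example.com.key;
    # Take the client address from the PROXY header, but only when the
    # header comes from the HAProxy host (assumed 10.0.1.5); any other
    # source could otherwise spoof the client address in the header.
    set_real_ip_from 10.0.1.5;
    real_ip_header   proxy_protocol;
}
```

Check with `haproxy -c -f haproxy.cfg` and `nginx -t` before reloading; if the nginx version only speaks PROXY protocol v1, change send-proxy-v2 to send-proxy as the answer notes.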