Ubuntu – HAproxy REQ_SSL_SNI and SSL termination


I am trying to get haproxy to work with REQ_SSL_SNI and SSL termination.

Guides I have followed:

- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
- https://stuff-things.net/2016/11/30/haproxy-sni/

Setup: HA-Proxy version 1.6.3 on Ubuntu 16.04

The log generates the following:

    HTTP-in ~ http-in/NOSRV-1/-1/12 0 SC 0/0/0/0/0 0/0

    frontend http-in
        bind *:443 ssl crt /etc/haproxy/certs/
        log global
        reqadd X-Forwarded-Proto:\ https
        mode tcp
        option tcplog
        # wait up to 5 seconds from the time the tcp socket opens
        # until the hello packet comes in (otherwise fallthru to the default)
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl is_site1 req_ssl_sni -i foo.foobar.com
        acl is_site2 req_ssl_sni -i foobar.com
        use_backend www-foo-foobar if is_site1
        use_backend www-foobar if is_site2

    backend www-foo-foobar
        log global
        mode tcp
        option tcplog
        redirect scheme https if !{ ssl_fc }
        server www-1 127.0.0.1:3030 check

    backend www-foobar
        log global
        mode tcp
        option tcplog
        redirect scheme https if !{ ssl_fc }
        server www-1 127.0.0.1:5000 check

What am I missing?

Can someone point me in the right direction?

Best Answer

Try using ssl_fc_sni:

    acl is_site1 ssl_fc_sni foo.foobar.com
    acl is_site2 ssl_fc_sni foobar.com

Basically, when terminating/deciphering SSL, you have to use ssl_fc_sni (gets SNI from the OpenSSL API).

When passing it through via TCP mode, you have to use req_ssl_sni (parses SNI in a TCP packet).

From the docs:

ssl_fc_sni : string

This extracts the Server Name Indication TLS extension (SNI) field from an incoming connection made via an SSL/TLS transport layer and locally deciphered by haproxy. The result (when present) typically is a string matching the HTTPS host name (253 chars or less). The SSL library must have been built with support for TLS extensions enabled (check haproxy -vv).

This fetch is different from "req_ssl_sni" above in that it applies to the connection being deciphered by haproxy and not to SSL contents being blindly forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This requires that the SSL library is built with support for TLS extensions enabled (check haproxy -vv).

ACL derivatives:

  • ssl_fc_sni_end : suffix match
  • ssl_fc_sni_reg : regex match

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.4-ssl_fc_sni
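To make the distinction in the answer concrete, here is an added example configuration (not from the question, the answer, or the HAProxy project) that puts the two cases side by side: a terminating frontend that routes on ssl_fc_sni, and a passthrough frontend that routes on req_ssl_sni. It reuses the certificate directory, hostnames and the 127.0.0.1:3030 / 127.0.0.1:5000 backends from the question; the port-80 redirect frontend, the 8443-8445 ports used so both frontends can coexist on one host, the default_backend choices and the timeout values are assumptions.

```haproxy
# Added example configuration, not the question's or the answer's config.
# Assumed: certs in /etc/haproxy/certs/, backends on 127.0.0.1:3030 and :5000
# as in the question; ports 80, 8443, 8444, 8445 and the timeouts are assumptions.

global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Case 1: haproxy terminates TLS ("ssl" on the bind line). The handshake is
# decrypted here, so the SNI must be read with ssl_fc_sni, and the frontend
# can be mode http, which is what makes header manipulation possible.
frontend https-terminated
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    option httplog
    http-request set-header X-Forwarded-Proto https
    acl is_site1 ssl_fc_sni -i foo.foobar.com
    acl is_site2 ssl_fc_sni -i foobar.com
    use_backend www-foo-foobar if is_site1
    use_backend www-foobar     if is_site2
    default_backend www-foobar

# "redirect scheme" is an HTTP-mode action, so the plain-HTTP to HTTPS
# redirect belongs on a port-80 listener, not inside a TCP backend.
frontend http-redirect
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

backend www-foo-foobar
    mode http
    server www-1 127.0.0.1:3030 check

backend www-foobar
    mode http
    server www-1 127.0.0.1:5000 check

# Case 2: TLS passthrough (no "ssl" on the bind line). haproxy never decrypts
# the stream, so ssl_fc_sni would be empty; req_ssl_sni parses the SNI field
# straight out of the ClientHello bytes. The inspect-delay gives the
# ClientHello time to arrive before the ACLs are evaluated.
frontend https-passthrough
    bind *:8443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_site1 req_ssl_sni -i foo.foobar.com
    use_backend tls-foo-foobar if is_site1
    default_backend tls-foobar

backend tls-foo-foobar
    mode tcp
    server www-1 127.0.0.1:8444 check

backend tls-foobar
    mode tcp
    server www-1 127.0.0.1:8445 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; this is also where a `reqadd` or `redirect` placed in a `mode tcp` section shows up as a warning. As the quoted documentation notes, `haproxy -vv` confirms the linked SSL library was built with TLS extension support, without which neither fetch returns a server name.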