Forked from pweil-/openssl goes to non-sni backend
Created
November 15, 2016 16:47
-
-
Save fraenki/8f0feaa2ac2ba5814e4c5f8b04aa0b03 to your computer and use it in GitHub Desktop.
haproxy sni
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
global | |
user haproxy | |
group haproxy | |
daemon | |
log /dev/log local0 | |
defaults | |
timeout connect 5s | |
timeout client 30s | |
timeout server 30s | |
timeout tunnel 1h | |
log-format frontend:%f\ %b/%s\ client_ip:%Ci\ client_port:%Cp\ SSL_version:%sslv\ SSL_cypher:%sslc\ SNI:%[ssl_fc_has_sni]\ %ts | |
frontend public_ssl | |
bind :443 | |
log global | |
tcp-request inspect-delay 5s | |
tcp-request content accept if { req_ssl_hello_type 1 } | |
use_backend be_sni if { ssl_fc_has_sni } | |
use_backend be_sni if { hdr(host) -i www.example.com } | |
default_backend be_no_sni | |
#default_backend be_sni | |
########################################################################## | |
# TLS SNI | |
########################################################################## | |
backend be_sni | |
server fe_sni 127.0.0.1:10444 weight 1 send-proxy | |
frontend fe_sni | |
#terminate by matching sni header to certificates in directory | |
bind 127.0.0.1:10444 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy/conf/certs accept-proxy no-sslv3 | |
default_backend openshift_default | |
########################################################################## | |
# END TLS SNI | |
########################################################################## | |
########################################################################## | |
# TLS NO SNI | |
########################################################################## | |
frontend fe_no_sni | |
bind 127.0.0.1:10443 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy-base/conf/default_pub_keys.pem accept-proxy no-sslv3 | |
default_backend openshift_default | |
# backend for when sni does not exist, or ssl term needs to happen on the edge | |
backend be_no_sni | |
server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy | |
########################################################################## | |
# END TLS NO SNI | |
########################################################################## | |
backend openshift_default | |
mode http | |
option forwardfor | |
option http-pretend-keepalive | |
server openshift_backend 127.0.0.1:8080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[vagrant@openshiftdev ~]$ openssl s_client -servername www.example.com -connect 10.245.1.2:443 | |
CONNECTED(00000003) | |
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192 | |
verify error:num=18:self signed certificate | |
verify return:1 | |
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192 | |
verify return:1 | |
--- | |
Certificate chain | |
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192 | |
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192 | |
--- | |
.... removed .... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Jan 05 17:51:31 openshiftdev.local haproxy[17807]: frontend:public_ssl be_no_sni/fe_no_sni client_ip:10.245.1.2 client_port:42285 SSL_version:- SSL_cypher:- SNI:0 -- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment