This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Haproxy configuration for SSL request passthrough to different backend based on SNI read from Handshaking stage | |
# The Loadbalance will not decode the encrpted data but transparently transfer to the backend server in Private subnet. | |
# With such configuration, you can install multiply services with its own SSL certificate in backend in different EC2 instance, but only explosure to public internet with one Loadbalance IP. There is no need to install SSL certificate in Loadbalancer level. | |
# Ref: | |
# How to support wildcard sni: https://stackoverflow.com/questions/24839318/haproxy-reverse-proxy-sni-wildcard | |
# https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ | |
# https://stuff-things.net/2016/11/30/haproxy-sni/ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Haproxy configuration for SSL request passthrough with ACL rules | |
# Notes: There is a problem there, the req_ssl_sni -i will check the exactly domain in the certificate, if the certificate has Alt name or SAN, such ACL role does not work | |
# Ref: | |
# https://github.com/rancher/lb-controller/blob/master/provider/haproxy/config/haproxy_template.cfg#L32 | |
# https://stackoverflow.com/questions/30393390/redirect-http-to-https-haproxy-use-ssl-passthrough | |
# https://gist.github.com/voduytuan/a919c408f61121b6dcc6 | |
#--------------------------------------------------------------------- | |
# Proxys to the webserver backend port 443 |