Last active
September 27, 2020 14:08
Build a dynamic SNI value to use in a HAProxy backend connection over SSL
frontend foo
    bind :443 ssl crt /path/to/certs

    # Ensure we have a clean state to start with
    http-request del-header X-SERVER-SNI

    # Set the concatenated value of the SNI value to a temporary header
    http-request set-header X-SERVER-SNI haproxy.%[ssl_fc_sni] if { ssl_fc_sni -m found }

    # Set the value of the header to a transaction-level variable.
    # The variable name goes in parentheses directly after set-var.
    http-request set-var(txn.fc_sni) hdr(X-SERVER-SNI) if { hdr(X-SERVER-SNI) -m found }

    # Delete the header again to clean up after ourselves
    http-request del-header X-SERVER-SNI

    use_backend servers

backend servers
    # Use the variable's value in the backend connection.
    # 192.0.2.10:443 is a placeholder address; replace it with the real server.
    server foo 192.0.2.10:443 ssl sni var(txn.fc_sni)

# TODO: figure out what happens if the client does not send an SNI header at
# all or if it sends an invalid one. You should do something sensible in both
# cases :)
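One way to resolve the TODO above, as an added example that is not part of the original gist: reject requests with a missing, malformed or non-allow-listed SNI before the value is copied into `txn.fc_sni`. The `.example.com` suffix, the `192.0.2.10:443` address, the CA file path, the chosen status codes and the use of `mode http` are assumptions.

```haproxy
frontend foo
    mode http
    bind :443 ssl crt /path/to/certs

    # Case 1: the client sent no SNI at all. There is nothing to derive the
    # backend SNI from, so reject instead of connecting with an unset variable.
    acl has_sni ssl_fc_sni -m found
    http-request deny deny_status 400 unless has_sni

    # Case 2: the client sent an SNI that must not be forwarded.
    # ssl_fc_sni is client-controlled: first check that it looks like a
    # hostname (labels of letters, digits and inner hyphens, at least one dot),
    # then check it against an allow-list. ".example.com" is a placeholder.
    acl sni_wellformed ssl_fc_sni -m reg -i ^[a-z0-9]([a-z0-9-]*[a-z0-9])?([.][a-z0-9]([a-z0-9-]*[a-z0-9])?)+$
    acl sni_allowed ssl_fc_sni -i -m end .example.com
    http-request deny deny_status 403 unless sni_wellformed sni_allowed

    # Only validated values reach this point. Same header round trip as the
    # gist, with the SNI lowercased so the backend always sees one spelling.
    http-request del-header X-SERVER-SNI
    http-request set-header X-SERVER-SNI haproxy.%[ssl_fc_sni,lower]
    http-request set-var(txn.fc_sni) hdr(X-SERVER-SNI)
    http-request del-header X-SERVER-SNI

    use_backend servers

backend servers
    mode http
    # Placeholder address and CA path. "verify required" makes HAProxy check
    # the certificate the backend presents for the SNI it was sent.
    server foo 192.0.2.10:443 ssl sni var(txn.fc_sni) verify required ca-file /path/to/ca.pem
```

Because `deny` is a final action, the `set-header` and `set-var` rules are never evaluated for a rejected request, so the `if { ... -m found }` guards from the gist are no longer needed here.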
In v2 (at least) it should apparently be
http-request set-var(txn.fc_sni) hdr(X-SERVER-SNI) if { hdr(X-SERVER-SNI) -m found }