pweil- · November 15, 2016 16:47
diff --git a/gistfile1.txt b/gistfile1.txt
 global
  user haproxy
  group haproxy
  daemon
  log /dev/log local0

 defaults
  timeout connect 5s
  timeout client 30s
  timeout server 30s
  timeout tunnel 1h
  log-format frontend:%f\ %b/%s\ client_ip:%Ci\ client_port:%Cp\ SSL_version:%sslv\ SSL_cypher:%sslc\ SNI:%[ssl_fc_has_sni]\ %ts

 frontend public_ssl
  bind :443
  log global
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  use_backend be_sni if { ssl_fc_has_sni }
  use_backend be_sni if { hdr(host) -i www.example.com }
  default_backend be_no_sni
  #default_backend be_sni

 ##########################################################################
 # TLS SNI
 ##########################################################################
 backend be_sni
  server fe_sni 127.0.0.1:10444 weight 1 send-proxy

 frontend fe_sni
  #terminate by matching sni header to certificates in directory
  bind 127.0.0.1:10444 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy/conf/certs accept-proxy no-sslv3
  default_backend openshift_default

 ##########################################################################
 # END TLS SNI
 ##########################################################################

 ##########################################################################
 # TLS NO SNI
 ##########################################################################
 frontend fe_no_sni
  bind 127.0.0.1:10443 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy-base/conf/default_pub_keys.pem accept-proxy no-sslv3
  default_backend openshift_default

 # backend for when sni does not exist, or ssl term needs to happen on the edge
 backend be_no_sni
  server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy

 ##########################################################################
 # END TLS NO SNI
 ##########################################################################
 backend openshift_default
  mode http
  option forwardfor
  option http-pretend-keepalive
  server openshift_backend 127.0.0.1:8080
diff --git a/openssl goes to non-sni backend b/openssl goes to non-sni backend
 [vagrant@openshiftdev ~]$ openssl s_client -servername www.example.com -connect 10.245.1.2:443
 CONNECTED(00000003)
 depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192
 verify error:num=18:self signed certificate
 verify return:1
 depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192
 verify return:1
 ---
 Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192
 ---
 .... removed ....
diff --git a/ssl_fc_has_sni=0 b/ssl_fc_has_sni=0
 Jan 05 17:51:31 openshiftdev.local haproxy[17807]: frontend:public_ssl be_no_sni/fe_no_sni client_ip:10.245.1.2 client_port:42285 SSL_version:- SSL_cypher:- SNI:0 --
	global
	user haproxy
	group haproxy
	daemon
	log /dev/log local0

	defaults
	timeout connect 5s
	timeout client 30s
	timeout server 30s
	timeout tunnel 1h
	log-format frontend:%f\ %b/%s\ client_ip:%Ci\ client_port:%Cp\ SSL_version:%sslv\ SSL_cypher:%sslc\ SNI:%[ssl_fc_has_sni]\ %ts

	frontend public_ssl
	bind :443
	log global
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }

	use_backend be_sni if { ssl_fc_has_sni }
	use_backend be_sni if { hdr(host) -i www.example.com }
	default_backend be_no_sni
	#default_backend be_sni

	##########################################################################
	# TLS SNI
	##########################################################################
	backend be_sni
	server fe_sni 127.0.0.1:10444 weight 1 send-proxy

	frontend fe_sni
	#terminate by matching sni header to certificates in directory
	bind 127.0.0.1:10444 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy/conf/certs accept-proxy no-sslv3
	default_backend openshift_default

	##########################################################################
	# END TLS SNI
	##########################################################################

	##########################################################################
	# TLS NO SNI
	##########################################################################
	frontend fe_no_sni
	bind 127.0.0.1:10443 ssl crt /data/src/github.com/openshift/origin/images/router/haproxy-base/conf/default_pub_keys.pem accept-proxy no-sslv3
	default_backend openshift_default

	# backend for when sni does not exist, or ssl term needs to happen on the edge
	backend be_no_sni
	server fe_no_sni 127.0.0.1:10443 weight 1 send-proxy

	##########################################################################
	# END TLS NO SNI
	##########################################################################
	backend openshift_default
	mode http
	option forwardfor
	option http-pretend-keepalive
	server openshift_backend 127.0.0.1:8080
	[vagrant@openshiftdev ~]$ openssl s_client -servername www.example.com -connect 10.245.1.2:443
	CONNECTED(00000003)
	depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192
	verify error:num=18:self signed certificate
	verify return:1
	depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-35-63-192, emailAddress = root@ip-10-35-63-192
	verify return:1
	---
	Certificate chain
	0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192
	i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ip-10-35-63-192/emailAddress=root@ip-10-35-63-192
	---
	.... removed ....