Netgate Discussion Forum

HAProxy: one site needs ssl offloading, another doesn't, how to accommodate both?

  • C
    ceffy
    last edited by ceffy Dec 31, 2019, 12:04 AM Dec 31, 2019, 12:00 AM

    Hi guys,

    I have 2 domains, say, aaa.my.tld (a VM) and bbb.my.tld (a docker);

    Each frontend works well with HAProxy on its own (when the other's frontend is disabled):

    A. aaa.my.tld terminates ssl at the VM level so it doesn't need ssl offloading by pfsense.
    DDNS + HAProxy + Frontend A (WITHOUT ssl-offloading) + Backend A

    B. bbb.my.tld is a docker and doesn't have its own certificates, so it does need ssl offloading by pfsense.
    DDNS + HAProxy + Frontend B (WITH ssl-offloading) + Backend B

    But how do I make HAProxy work with both simultaneously?

    What's blocking me is the following option, which is enabled/disabled at the frontend level:

    pfSense asks me to use "shared frontend". I tried but didn't succeed.

    Does someone know how to set it up? Thanks!

    • P
      PiBa @ceffy
      last edited by Dec 31, 2019, 1:51 AM

      @ceffy
      Move 'FrontendB' to a loopback interface or the LAN, or use a nonstandard port...
      Give 'Frontend A' an ACL that checks for the SNI hostname of bbb.my.tld, then create a use-backend action for that ACL and create a new backend 'ForwardToFrontendB' that will then provide a server certificate to the client as usual. Yes, it's an extra 'roundtrip', but you can't configure 1 binding to do both SNI/TCP forwarding and HTTPS offloading at the same time.

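The layout described in the reply above, written out as a plain haproxy.cfg sketch (an added example, not part of the original posts and not the configuration the pfSense package generates). The server addresses, loopback port 2443, the certificate path and the use of the PROXY protocol between the two frontends are assumptions.

```haproxy
# Constructed example: addresses, ports and the certificate path are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend A: public :443 in TCP mode. TLS is NOT terminated here.
frontend FrontendA
    bind :443
    mode tcp
    # Buffer until the TLS ClientHello has arrived so the SNI field can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl sni_bbb req.ssl_sni -i bbb.my.tld
    use_backend ForwardToFrontendB if sni_bbb
    # Everything else (including clients that send no SNI) goes to the VM.
    default_backend BackendA

# aaa.my.tld: the still-encrypted stream is passed to the VM, which holds its own certificate.
backend BackendA
    mode tcp
    server vm_aaa 10.0.0.10:443 check

# The extra round trip: hand the untouched TLS stream to the offloading frontend.
# send-proxy-v2 (assumption) carries the real client address across the loopback hop.
backend ForwardToFrontendB
    mode tcp
    server frontend_b 127.0.0.1:2443 send-proxy-v2

# Frontend B: loopback only, so it is unreachable from the WAN. Terminates TLS.
frontend FrontendB
    bind 127.0.0.1:2443 ssl crt /path/to/bbb.my.tld.pem accept-proxy
    mode http
    option forwardfor
    default_backend BackendB

# bbb.my.tld: plain HTTP to the container after offloading.
backend BackendB
    mode http
    server docker_bbb 10.0.0.20:8080 check
```

Without the PROXY protocol on the loopback hop, Frontend B would log and apply ACLs against 127.0.0.1 instead of the real client address. `accept-proxy` trusts whatever source address the header claims, so it belongs only on a listener that outside hosts cannot reach, as with the loopback bind here.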
      • C
        ceffy
        last edited by ceffy Dec 31, 2019, 9:57 PM Dec 31, 2019, 8:59 PM

        Edit:
        I found this:
        https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

        Must be what you were referring to. I'm experimenting with it now.

        Edit 2:
        HOLY SHIT, I got it working now (after following your guide to the letter of the words):
        https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

        THANK YOU THANK YOU THANK YOU THANK YOU!

        LOVE YOU! HAPPY NEW YEAR!

        • S
          scurrier @PiBa
          last edited by Feb 23, 2020, 12:15 AM

          @PiBa Thank you! This advice saved me from drastic measures!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.