HAProxy - URL Redirect/Rewrite with SNI
-
Hello @here,
I could do with some advice on configuring haproxy to redirect or rewrite an inbound https request (helper url) to a different URL and intended web-server.
I essentially am using a helper url like https://abc-123 which resolves to the WAN interface of the pfSense (firewall rules enabled for 443, wan eth). Once the traffic hits the WAN interface, I need haproxy to interpret the hostname e.g. 'abc-123' and return a redirect response which should tell the client browser to connect to https://youshouldgohere.
What is the best option to get this configured, as all my attempts with frontend configuration have failed.
The following is the configuration I have currently applied:
Frontend ACL: Server Name Indication TLS extension matches: https://abc-123
Actions: http-request header replace value find abc-123 replace youshouldgohere. Any help you can offer is much appreciated.
Les
-
@LesF
Server Name Indication (SNI) is used on TCP frontends that accept SSL (without decrypting it). As such haproxy cannot see, alter, or respond with an HTTP result (like a redirect) for such requests. Also it's impossible to send an HTTP redirect if the SSL handshake didn't complete (for any program: haproxy/nginx/apache or whatever else), so if that's what you wanted, that's a no-go.
First, to make haproxy understand what's going on at the HTTP layer inside SSL, it needs to decrypt the traffic with a certificate that is trusted by the browser (perhaps your own CA infrastructure with the CA cert installed on the clients?), if you don't want users clicking through warnings, that is.
So use a server certificate for domain abc-123 on the haproxy frontend, use an ACL to check the Host header for the specific hostname requested (again abc-123), and perform the action http-request redirect with value 'location https://gohere'. That should work, if I understood the question properly.
-
Thanks very much PiBa for your response. If I understand correctly, even in passthrough mode, haproxy cannot read the SNI details and subsequently redirect the traffic to a different URL?
-
@LesF
In TCP mode (where traffic passes through unchanged) haproxy can read the SNI 'hostname' requested, but it cannot send an HTTP reply (a website redirect is a Layer 7 HTTP action, not an SSL Layer 6 one).
It can choose a different backend server with an ACL that checks for a specific requested hostname, but it doesn't sound like that's what you're after. I think what you currently want is impossible.
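A hand-written haproxy.cfg sketch of the two situations PiBa describes, added here as an example (not from the thread or the pfSense package): option A terminates TLS so the redirect is possible, option B is TCP passthrough where only SNI-based backend selection is possible. The certificate path, ports and server addresses are assumptions.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: TLS termination. HAProxy decrypts with a cert the browser trusts,
# so it can read the Host header and answer with an HTTP 302.
# /etc/haproxy/certs/abc-123.pem is an assumed path (key + chain in one file).
frontend https_terminated
    mode http
    bind :443 ssl crt /etc/haproxy/certs/abc-123.pem
    # Match the helper hostname; field(1,:) drops any ":port" suffix
    acl helper_host req.hdr(host),field(1,:) -i abc-123
    # Send the browser to the real site; no backend is contacted for this request
    http-request redirect location https://youshouldgohere code 302 if helper_host
    default_backend real_site

backend real_site
    mode http
    server web1 192.0.2.10:80 check

# Option B: TCP passthrough on a separate port. HAProxy only inspects the
# ClientHello's SNI to pick a backend; it never sees HTTP, so no redirect.
frontend tls_passthrough
    mode tcp
    bind :8443
    # Hold the connection (up to 5s) until the ClientHello has arrived
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend tls_abc123 if { req.ssl_sni -i abc-123 }
    default_backend tls_default

backend tls_abc123
    mode tcp
    server web_abc 192.0.2.20:443 check

backend tls_default
    mode tcp
    server web_other 192.0.2.30:443 check
```

Check the syntax with `haproxy -c -f haproxy.cfg` before loading it; in option B the certificate presented to the browser is whatever the chosen backend server serves.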