HAProxy and using SNI on backends
-
I am trying to set up pfSense and HAProxy as a reverse proxy.
I have this working with both http and https sites, but only with http backends.
All of my backends require SNI to access over SSL, so I can't use https://10.140.240.84; I need the backend to be thingo.mydomain.com.au, as 10.140.240.81 hosts 6 different IIS websites.
I can't figure out how to do that yet. I have set up an internal DNS zone so my local clients all use external addresses internally.
The other one is how to do that for internally load-balanced AD Federation Servers.
I have Server 1 10.140.240.113 and Server 2 10.140.240.114 using 10.140.240.115 as the load-balanced address via fs.mydomain.com.au
with the check address of https://fs.mydomain.com.au/adfs/ls/IdpInitiatedSignon.aspx
-
For health checks, you're out of luck. They can't (yet) use SNI, so you need to allow requests without it, or check health on the http port.
As for the actual user requests, you could try setting the server with an advanced sni option: http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#5.2-sni
-
Hello,
Does anybody know if pfSense with HAProxy can do health checks to WAP servers? It needs to be SNI compatible.
-
HAProxy 1.8rc3 should be able to use "check-sni": http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it ain't released yet. Maybe I can change the haproxy-devel to use it.
-
> HAProxy 1.8rc3 should be able to use "check-sni": http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it ain't released yet. Maybe I can change the haproxy-devel to use it.

Would be great, or even amazing. Then it would be possible to health check Microsoft WAP servers without destroying its binding to 0.0.0.0:443
-
> HAProxy 1.8rc3 should be able to use "check-sni": http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it ain't released yet. Maybe I can change the haproxy-devel to use it.

Hello,
When are you guys planning to make this available? :)
-
The HAProxy 1.8.0 release is available in the haproxy-devel package, but there is an issue in that version with mail-alerts, and a few other quirks that are still being fixed in HAProxy itself.
-
Hello,
Do you have some info on whether we can now force the SNI between HAProxy and backend servers?
I have one backend server which cannot communicate without SNI.
Thanks
-
Put this into the server advanced field on the backend?:
```
sni str(vhost1.yourdomain.local) check-sni vhost1.yourdomain.local
```
or
```
sni ssl_fc_sni check-sni vhost1.yourdomain.local
```
or
```
sni hdr(Host) check-sni vhost1.yourdomain.local
```
-
Hello,
Thank you for your reply,
The line with ssl_fc_sni is working fine (haproxy devel).
Regards,
-
Hello, when will this SNI functionality be implemented in the production release package for HAProxy?
I would like to have SNI support, and support for SNI health checks to the backend.
Would be awesome to have!
-
Well check-sni depends on 1.8 so probably when upstream BSD ports decides to switch the 'haproxy' port to 1.8 and then a little while after that..
1.7 supports 'sni' on backend server line
1.8 supports 'sni' and 'check-sni' on backend server line
'sni' on frontend bind line is supported by both..
-
THX :)
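
The version split summarised in the thread, written out as plain haproxy.cfg backends; this is an added example, not a configuration posted by any participant. Addresses, host names and the check URL are the ones quoted in the thread; the backend and server names, the ca-file path, and the assumption that IIS also answers on port 80 are hypothetical.

```haproxy
# Added example (not from the thread). Names and the ca-file path are assumptions.

# HAProxy 1.8+: SNI on proxied traffic (sni) and on health checks (check-sni).
# 'verify required' + 'verifyhost' make HAProxy validate the backend certificate
# instead of only encrypting to whatever answers on the address.
backend iis_thingo
    mode http
    option httpchk GET / HTTP/1.1\r\nHost:\ thingo.mydomain.com.au
    server iis1 10.140.240.81:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem verifyhost thingo.mydomain.com.au sni str(thingo.mydomain.com.au) check check-sni thingo.mydomain.com.au

# HAProxy 1.8+: both federation servers checked over TLS with SNI,
# using the check URL given in the first post.
backend adfs
    mode http
    balance roundrobin
    option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ fs.mydomain.com.au
    server fs1 10.140.240.113:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem verifyhost fs.mydomain.com.au sni str(fs.mydomain.com.au) check check-sni fs.mydomain.com.au
    server fs2 10.140.240.114:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem verifyhost fs.mydomain.com.au sni str(fs.mydomain.com.au) check check-sni fs.mydomain.com.au

# HAProxy 1.7: 'sni' works for traffic, but checks cannot send SNI.
# An explicit check port means the check does not inherit 'ssl', so this
# probes plain HTTP on port 80 (assumes the site is bound there as well).
backend iis_thingo_17
    mode http
    option httpchk GET / HTTP/1.1\r\nHost:\ thingo.mydomain.com.au
    server iis1 10.140.240.81:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem verifyhost thingo.mydomain.com.au sni str(thingo.mydomain.com.au) check port 80
```

In the pfSense package, everything after the address and `ssl` on each server line is what goes into the per-server advanced field mentioned above.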