Netgate Discussion Forum

HAProxy and using SNI on backends

Category: Cache/Proxy. 13 Posts, 4 Posters, 7.6k Views
Ronald.Carter (Sep 7, 2016, 3:12 AM):

I am trying to set up pfSense and HAProxy as a reverse proxy.
I have this working with both http and https sites, but only with http backends.
All of my backends require SNI to access over SSL, so I can't use https://10.140.240.84; I need the backend to be thingo.mydomain.com.au, as 10.140.240.81 hosts 6 different IIS websites.
I can't figure out how to do that yet.

I have set up an internal DNS zone so my local clients all use external addresses internally.

The other one is how to do that for internally load balanced AD Federation Servers.

I have Server 1 10.140.240.113 and Server 2 10.140.240.114 using 10.140.240.115 as the load balanced address via fs.mydomain.com.au
with the check address of https://fs.mydomain.com.au/adfs/ls/IdpInitiatedSignon.aspx

PiBa (Sep 7, 2016, 6:42 PM):

For health checks, you're out of luck. They can't (yet) use SNI, so you need to allow requests without it, or check health on the http port.
As for the actual user requests, you could try setting the server with an advanced sni option. http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#5.2-sni

Spix (Nov 15, 2017, 12:36 PM):

Hello,

Does anybody know if pfSense with HAProxy can do health checks to WAP servers? They need to be SNI compatible.

PiBa (Nov 15, 2017, 7:37 PM):

HAProxy 1.8rc3 should be able to use "check-sni". http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it isn't released yet. Maybe I can change haproxy-devel to use it.

Spix (Nov 17, 2017, 1:32 PM):

@PiBa:

    HAProxy 1.8rc3 should be able to use "check-sni". http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it isn't released yet. Maybe I can change haproxy-devel to use it.

Would be great, or even amazing. Then it would be possible to health check Microsoft WAP servers without destroying their binding to 0.0.0.0:443.

Spix (Dec 7, 2017, 7:36 PM):

@PiBa:

    HAProxy 1.8rc3 should be able to use "check-sni". http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it isn't released yet. Maybe I can change haproxy-devel to use it.

Hello, when are you guys planning to make this available? :)

PiBa (Dec 7, 2017, 7:55 PM):

The HAProxy 1.8.0 release is available in the haproxy-devel package, but there is an issue in that version with mail alerts, and a few other quirks that are still being fixed in HAProxy itself.

anexus115 (Dec 18, 2017, 9:50 PM):

Hello,
Do you have any info on whether we can now force SNI between HAProxy and the backend servers?
I have one backend server which cannot communicate without SNI.

Thanks

PiBa (Dec 18, 2017, 11:07 PM):

Put this into the server advanced field on the backend:

```
sni str(vhost1.yourdomain.local) check-sni vhost1.yourdomain.local
```

or

```
sni ssl_fc_sni check-sni vhost1.yourdomain.local
```

or

```
sni hdr(Host) check-sni vhost1.yourdomain.local
```

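To show how the server-line options from the reply above fit into a complete configuration for the two cases in the opening post (several name-based IIS sites on one host, and an AD FS farm behind a load-balanced address), here is an added example written for this page. It is not code from the thread, from the pfSense package or from the HAProxy project. The hostnames, addresses and the AD FS check URL are the ones quoted in the first post; the certificate directory, the CA bundle path and the expected probe status are assumptions. It needs HAProxy 1.8 or later for `check-sni`, as the later replies in this thread explain.

```haproxy
# Added example (not from the thread or the pfSense package): a hand-written
# haproxy.cfg for HAProxy 1.8+. Paths, the CA bundle and the expected health
# check status are assumptions; adjust them for your environment.

global
    log /dev/log local0
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # One PEM per site in this directory (assumed path); HAProxy selects the
    # certificate from the SNI the client sends.
    bind :443 ssl crt /var/etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    # Route on the client's SNI, so the frontend certificate, the chosen
    # backend and the IIS binding that will answer always agree.
    use_backend be_adfs   if { ssl_fc_sni -i fs.mydomain.com.au }
    use_backend be_thingo if { ssl_fc_sni -i thingo.mydomain.com.au }
    default_backend be_thingo

backend be_thingo
    # HTTP-level Host header for the probe; "check-sni" on the server line
    # adds the TLS-level name the IIS binding needs before HTTP is spoken.
    option httpchk GET / HTTP/1.1\r\nHost:\ thingo.mydomain.com.au
    http-check expect status 200
    # "sni" takes a sample-fetch expression: ssl_fc_sni copies the client's
    # SNI into the backend handshake. "check-sni" is a literal string, since a
    # health check has no client connection to copy from. "verify required"
    # validates the IIS certificate against the CA bundle and the name given
    # by "sni", so a spoofed backend is refused instead of silently proxied.
    server iis1 10.140.240.81:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni ssl_fc_sni check check-ssl check-sni thingo.mydomain.com.au

backend be_adfs
    # The AD FS farm is reached via its load-balanced address and probed on
    # the URL from the first post. A fixed SNI is written as str(...).
    # The 200 expectation is an assumption; use what your farm returns.
    option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ fs.mydomain.com.au
    http-check expect status 200
    server adfs-vip 10.140.240.115:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(fs.mydomain.com.au) check check-ssl check-sni fs.mydomain.com.au
```

In the pfSense package, only the tail of each server line (`sni ... check check-ssl check-sni ...`) goes into the backend server's advanced field; the rest corresponds to settings in the GUI. Two caveats: `ssl_fc_sni` is empty when the frontend is plain http, so for an http frontend use the `req.hdr(host)` variant from the reply above (`hdr(Host)` is the older spelling of the same fetch); and leave `verify required` in place, because forwarding SNI to a TLS backend without certificate verification makes the backend leg trivially interceptable.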
anexus115 (Dec 19, 2017, 7:44 AM):

Hello,

Thank you for your reply.
The line with ssl_fc_sni is working fine (haproxy-devel).

Regards,

Spix (Apr 12, 2018, 8:49 AM):

Hello, when will this SNI functionality be implemented in the production release package for HAProxy?

I would like to have SNI support, and support for SNI health checks to the backend.

Would be awesome to have!

PiBa (Apr 12, 2018, 5:59 PM):

Well, check-sni depends on 1.8, so probably when upstream BSD ports decides to switch the 'haproxy' port to 1.8, and then a little while after that.

1.7 supports 'sni' on the backend server line.
1.8 supports 'sni' and 'check-sni' on the backend server line.

'sni' on the frontend bind line is supported by both.

Spix (Apr 13, 2018, 11:50 AM):

THX :)
