HAProxy: one site needs ssl offloading, another doesn't, how to accommodate both?



  • Hi guys,

I have 2 domains, say aaa.my.tld (a VM) and bbb.my.tld (a Docker container):

    Each frontend works well with HAProxy on its own (when the other's frontend is disabled):

A. aaa.my.tld terminates ssl at the VM level, so it doesn't need ssl offloading by pfSense.
    DDNS + HAProxy + Frontend A (WITHOUT ssl-offloading) + Backend A

B. bbb.my.tld is a Docker container and doesn't have its own certificate, so it does need ssl offloading by pfSense.
    DDNS + HAProxy + Frontend B (WITH ssl-offloading) + Backend B

    But how do I make HAProxy work with both simultaneously?

What's blocking me is the following option, which is enabled/disabled at the frontend level:
[screenshot]

pfSense asks me to use a "shared frontend"; I tried but didn't succeed.

    Does someone know how to set it up? Thanks!



  • @ceffy
Move 'Frontend B' to a loopback interface or the LAN, or use a nonstandard port...
Give 'Frontend A' an ACL that checks for the SNI hostname of bbb.my.tld, then create a use-backend action for that ACL and create a new backend 'ForwardToFrontendB' that will then provide a server certificate to the client as usual. Yes, it's an extra 'roundtrip', but you can't configure 1 binding to do both SNI/TCP forwarding and https-offloading at the same time.
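The layout described in the reply above, written out as the raw haproxy.cfg that the pfSense package would generate from those GUI settings. This is an added example, not configuration from the thread or from the pfSense package; the WAN address 203.0.113.10, the backend addresses 10.0.0.11 and 10.0.0.12, the loopback port 8443 and the certificate path are assumed placeholders. One TCP-mode frontend on :443 reads the SNI from the unencrypted ClientHello and picks a pipe; the bbb.my.tld pipe lands on a second, HTTP-mode frontend bound to loopback that holds the certificate and terminates TLS:

```haproxy
# Front door: a single bind on :443 in TCP mode. It never terminates TLS, so it can
# only see what is in the ClientHello (the SNI), which is all the routing needs.
frontend FrontendA_sni
    bind 203.0.113.10:443
    mode tcp
    # Wait (up to 5s) for the ClientHello before choosing a backend.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl sni_aaa req.ssl_sni -i aaa.my.tld
    acl sni_bbb req.ssl_sni -i bbb.my.tld
    use_backend BackendA if sni_aaa
    use_backend ForwardToFrontendB if sni_bbb
    # No default_backend on purpose: a connection whose SNI matches neither
    # name has no backend and is closed instead of being handed to a guess.

# A: the VM has its own certificate, so the TLS stream is passed through untouched.
backend BackendA
    mode tcp
    server vm_aaa 10.0.0.11:443 check

# B, hop 1: the extra round trip. Still TCP mode, still the client's TLS bytes,
# delivered to the offloading frontend below. send-proxy prepends a PROXY protocol
# header so that frontend sees the real client address rather than 127.0.0.1.
backend ForwardToFrontendB
    mode tcp
    server frontendB_loop 127.0.0.1:8443 send-proxy check

# B, hop 2: the offloading frontend. Bound to loopback only, so it is reachable
# solely through the SNI router above; this is where the certificate lives.
frontend FrontendB_offload
    bind 127.0.0.1:8443 accept-proxy ssl crt /var/etc/haproxy/bbb.my.tld.pem
    mode http
    http-request set-header X-Forwarded-Proto https
    default_backend BackendB

# The container speaks plain HTTP on the inside.
backend BackendB
    mode http
    server docker_bbb 10.0.0.12:80 check
```

Two things worth checking once this is in place. First, the SNI is client-supplied plaintext, so it is a routing key and nothing more: a client can send any name it likes, and what actually binds the hostname to a server is the certificate each leg presents, so the VM's own certificate and the pem on the loopback bind both still need to be valid for their names. Second, without the `send-proxy`/`accept-proxy` pair every request reaching BackendB appears to originate from 127.0.0.1, which silently breaks rate limits, allow-lists and access logs that key on the client address; keep the pair together, since a PROXY header sent to a bind that does not expect one is rejected as a protocol error.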



  • Edit:
    I found this:
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Must be what you were referring to. I'm experimenting with it now.

    Edit 2:
HOLY SHIT, I got it working now (after following your guide to the letter):
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

    THANK YOU THANK YOU THANK YOU THANK YOU!

    LOVE YOU! HAPPY NEW YEAR!

