HAProxy: one site needs ssl offloading, another doesn't, how to accommodate both?
-
Hi guys,
I have 2 domains, say, aaa.my.tld (a VM) and bbb.my.tld (a docker);
Each frontend works well with HAProxy on its own (when the other's frontend is disabled):
A. aaa.my.tld terminates ssl at the VM level so it doesn't need ssl offloading by pfsense.
DDNS + HAProxy + Frontend A (WITHOUT ssl-offloading) + Backend A
B. bbb.my.tld is a docker and doesn't have its own certificates, so it does need ssl offloading by pfsense.
DDNS + HAProxy + Frontend B (WITH ssl-offloading) + Backend B
But how do I make HAProxy work with both simultaneously?
What's blocking me is the following option, which is enabled/disabled at the frontend level:
pfSense asks me to use "shared frontend"; I tried but didn't succeed.
Does someone know how to set it up? Thanks!
-
@ceffy
Move 'FrontendB' to a loopback interface or the lan or use a nonstandard port...
Give 'Frontend A' an acl that checks for the SNI hostname of bbb.my.tld, then create a use-backend action for that acl and create a new backend 'ForwardToFrontendB' that will then provide a server certificate to the client as usual. Yes, it's an extra 'roundtrip', but you can't configure 1 binding to do both sni/tcpforwarding and https-offloading at the same time..
-
Edit:
I found this:
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends
Must be what you were referring to. I'm experimenting with it now.
Edit 2:
HOLY SHIT, I got it working now (after following your guide to the letter of the words):
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends
THANK YOU THANK YOU THANK YOU THANK YOU!
LOVE YOU! HAPPY NEW YEAR!
-
@PiBa Thank you! This advice saved me from drastic measures!
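The layout PiBa describes (and the linked wiki builds through the pfSense GUI), written out as a plain haproxy.cfg so the traffic flow is visible. This is an added illustration, not configuration from the thread, the wiki or the pfSense package; the addresses, ports, certificate path and backend/server names are assumptions.

```haproxy
# Added example: hand-written equivalent of "SNI passthrough + loopback offloading".
# All IPs, ports, names and the certificate path below are assumed values.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend A: public :443 in TCP mode, NO offloading. It only reads the SNI
# name from the TLS ClientHello and forwards the still-encrypted stream.
frontend FrontendA
    bind    203.0.113.10:443            # WAN address (assumed)
    mode    tcp
    option  tcplog
    # hold the connection (max 5s) until the ClientHello is in the buffer
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_aaa  req.ssl_sni -i aaa.my.tld
    acl is_bbb  req.ssl_sni -i bbb.my.tld
    use_backend BackendA           if is_aaa
    use_backend ForwardToFrontendB if is_bbb
    # no default_backend: a connection with any other SNI is closed

# aaa.my.tld: the VM terminates TLS itself, so pass the encrypted stream through
backend BackendA
    mode   tcp
    server aaa_vm 192.168.1.20:443 check

# bbb.my.tld: the extra "roundtrip" PiBa mentions, into the local offloading
# frontend. send-proxy carries the real client address across the hop.
backend ForwardToFrontendB
    mode   tcp
    server frontendB 127.0.0.1:8443 send-proxy

# Frontend B: loopback only, HTTP mode WITH offloading; this is where the
# certificate pfSense holds for bbb.my.tld is presented to the client.
frontend FrontendB
    bind    127.0.0.1:8443 accept-proxy ssl crt /var/etc/haproxy/bbb.my.tld.pem
    mode    http
    option  httplog
    # tell the docker app the original connection was HTTPS
    http-request set-header X-Forwarded-Proto https
    default_backend BackendB

backend BackendB
    mode   http
    server bbb_docker 192.168.1.30:80 check
```

Without the `send-proxy` / `accept-proxy` pair, FrontendB's logs and the docker app would see every client as 127.0.0.1; in the pfSense GUI the same settings are the "send proxy" server option and the "accept proxy" bind option.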