HAProxy - URL Redirect/Rewrite with SNI
I could do with some advice on configuring haproxy to redirect or rewrite an inbound HTTPS request (helper URL) to a different URL and intended web server.
I am essentially using a helper URL like https://abc-123 which resolves to the WAN interface of the pfSense (firewall rules enabled for 443, WAN eth). Once the traffic hits the WAN interface, I need haproxy to interpret the hostname, e.g. 'abc-123', and return a redirect response which should tell the client browser to connect to https://youshouldgohere.
What is the best option to get this configured? All my attempts with frontend configuration have failed.
The following is the configuration I have currently applied:
Frontend ACL: Server Name Indication TLS extension matches: https://abc-123
Actions: http-request header replace value find abc-123 replace youshouldgohere.
Any help you can offer is much appreciated.
Server Name Indication (SNI) is used on TCP frontends that accept SSL (without decrypting it). As such, haproxy cannot see, alter, or respond with an HTTP result (like a redirect) for such requests.
Also, it's impossible to send an HTTP redirect if the SSL handshake didn't complete (for any program: haproxy, nginx, apache or whatever else). If that's what you wanted, that's a no-go.
First, to make haproxy understand what's going on at the HTTP layer inside SSL, it needs to decrypt the traffic with a certificate that should be trusted by the browser (perhaps your own CA infrastructure with the CA cert installed on the clients?) (if you don't want to have users click through warnings, that is).
So use a server certificate for domain abc-123 on the haproxy frontend, use an ACL to check the Host header for a specific hostname requested (again abc-123), and perform the action http-request redirect with value 'location https://gohere'. That should work, if I understood the question properly.
Thanks very much, PiBA, for your response. If I understand correctly, even in passthrough mode, haproxy cannot read the SNI details and subsequently redirect the traffic to a different URL?
In TCP mode (where traffic passes through unchanged) haproxy can read the SNI 'hostname' requested, but it cannot send an HTTP reply (a website redirect is a Layer 7 HTTP action, not an SSL Layer 6 one).
It can choose a different backend server with an ACL check for a specific requested hostname, but it doesn't sound like that's what you're after.
I think what you currently want is impossible.
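To make the two options in PiBA's replies concrete, here is an added haproxy configuration that is not part of the thread: option A terminates TLS and redirects on the Host header (the only way to send an HTTP redirect), option B stays in TCP mode and can only pick a backend from the SNI. The certificate path, the 192.0.2.x addresses (documentation range, used so the two frontends do not contend for the same socket), backend names and the redirect target are assumptions.

```haproxy
global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: Layer 7. TLS is decrypted with a cert the browser trusts, so
# haproxy can read the Host header and answer with a 302 redirect.
frontend https_terminate
    bind 192.0.2.1:443 ssl crt /etc/ssl/private/abc-123.pem   # assumed path
    mode http
    # Match the helper hostname from the decrypted HTTP request
    acl host_helper req.hdr(host) -i abc-123
    # Redirect only that hostname; everything else goes to the normal backend
    http-request redirect location https://youshouldgohere code 302 if host_helper
    default_backend web_servers

backend web_servers
    mode http
    server web1 192.0.2.10:80 check   # assumed internal web server

# Option B: Layer 6 passthrough. haproxy reads the SNI from the ClientHello
# without decrypting, which is enough to choose a backend but not to reply.
frontend tls_passthrough
    bind 192.0.2.2:443
    mode tcp
    # Hold the connection until the ClientHello has arrived so req.ssl_sni is set
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route by requested hostname; no http-request rule can apply in tcp mode
    use_backend app_abc if { req.ssl_sni -i abc-123 }
    default_backend app_default

backend app_abc
    mode tcp
    server abc 192.0.2.20:443 check   # assumed TLS-speaking origin

backend app_default
    mode tcp
    server other 192.0.2.21:443 check
```

Run `haproxy -c -f <file>` to syntax-check the configuration before loading it; in option B a TLS handshake is never completed by haproxy, which is exactly why no redirect can be issued there.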