Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAProxy - URL Redirect/Rewrite with SNI

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      LesF
      last edited by

      Hello @here,

      I could do with some advice on configuring haproxy to redirect or rewrite an inbound https request (helper url) to a different URL and intended web-server.

      I essentially am using a helper url like https://abc-123 which resolves to the WAN interface of the pfSense (firewall rules enabled for 443, wan eth). Once the traffic hits the WAN interface, I need haproxy to interpret the hostname e.g. 'abc-123' and return a redirect response which should tell the client browser to connect to https://youshouldgohere.

      What is the best option to get this configured, as all my attempts with frontend configuration have failed.

      The following is the configuration I have currently applied:
      Frontend ACL: Server Name Indication TLS extension matches: https://abc-123
      Actions: http-request header replace value find abc-123 replace youshouldgohere.

      Any help you can offer, is much appreciated.

      Les

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @LesF
        last edited by

        @LesF
        ServerNameIndication SNI is used on TCP frontends that accept SSL (without decrypting it..) As such haproxy cannot see or alter nor respond with a HTTP result (like a redirect) for such requests..

        Also its impossible to send a HTTP-redirect if the SSL-handshake didn't complete (for any program haproxy/nginx/apache or whatever else) if thats what you wanted thats a no-go..

        First to make haproxy understand whats going on on the HTTP layer inside SSL it needs to decrypt the traffic with a certificate that should be trusted by the browser (perhaps your own CA infrastructure with ca-cert installed on the clients?) (if you dont want to have users click through warnings that is..).

        So use a server-certificate for domain abc-123 on the haproxy frontend, use a acl to check the Host header for a specific hostname requested again abc-123, and perform the action http-request redirect with value: 'location https://gohere' that should work.. If i understood the question properly..

        1 Reply Last reply Reply Quote 0
        • L
          LesF
          last edited by

          Thanks very much PiBA for your response. If I understand correctly, even in passthrough mode, haproxy cannot read the sni details and subsequently redirect the traffic to a different URL?

          P 1 Reply Last reply Reply Quote 0
          • P
            PiBa @LesF
            last edited by

            @LesF
            In TCP mode (where traffic passes through unchanged) Haproxy can read the SNI 'hostname' requested.. But it cannot send a HTTP-reply. (a website-redirect is a Layer 7 HTTP action not a SSL Layer6 one..)
            It can choose a different backend server with a acl checks for a specific requested hostname. But it doesn't sound like that's what your after..

            I think what you currently want is impossible.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.