HAProxy - URL Redirect/Rewrite with SNI

  • Hello @here,

    I could do with some advice on configuring haproxy to redirect or rewrite an inbound https request (helper URL) to a different URL and intended web server.

    I am essentially using a helper URL like https://abc-123 which resolves to the WAN interface of the pfSense (firewall rules enabled for 443, WAN eth). Once the traffic hits the WAN interface, I need haproxy to interpret the hostname, e.g. 'abc-123', and return a redirect response which should tell the client browser to connect to https://youshouldgohere.

    What is the best option to get this configured, as all my attempts with frontend configuration have failed?

    The following is the configuration I have currently applied:
    Frontend ACL: Server Name Indication TLS extension matches: https://abc-123
    Actions: http-request header replace value find abc-123 replace youshouldgohere.

    Any help you can offer is much appreciated.


  • @LesF
    Server Name Indication (SNI) is used on TCP frontends that accept SSL (without decrypting it). As such haproxy cannot see, alter, nor respond with an HTTP result (like a redirect) for such requests.

    Also it's impossible to send an HTTP redirect if the SSL handshake didn't complete (for any program: haproxy/nginx/apache or whatever else). If that's what you wanted, that's a no-go.

    First, to make haproxy understand what's going on on the HTTP layer inside SSL, it needs to decrypt the traffic with a certificate that should be trusted by the browser (perhaps your own CA infrastructure with the CA cert installed on the clients?) (if you don't want to have users click through warnings, that is).

    So use a server certificate for domain abc-123 on the haproxy frontend, use an acl to check the Host header for a specific hostname requested, again abc-123, and perform the action http-request redirect with value 'location https://gohere'. That should work, if I understood the question properly.

  • Thanks very much PiBA for your response. If I understand correctly, even in passthrough mode, haproxy cannot read the SNI details and subsequently redirect the traffic to a different URL?

  • @LesF
    In TCP mode (where traffic passes through unchanged) haproxy can read the SNI 'hostname' requested. But it cannot send an HTTP reply (a website redirect is a Layer 7 HTTP action, not an SSL Layer 6 one).
    It can choose a different backend server with acl checks for a specific requested hostname. But it doesn't sound like that's what you're after.

    I think what you currently want is impossible.
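
The two situations PiBA describes in the replies above, written out as a raw haproxy.cfg fragment. This is an added example, not configuration from the thread or from the pfSense package; the certificate path, backend names and server addresses are assumed placeholders.

```haproxy
# Added example (not from the thread). Assumed placeholders: the PEM bundle
# path, backend names and the 192.0.2.x server addresses.

# 1) TCP mode (passthrough): haproxy only peeks at the SNI in the ClientHello
#    and picks a backend. It never decrypts, so it cannot answer with HTTP.
frontend tls_passthrough
    bind :8443
    mode tcp
    # Hold the connection briefly so the ClientHello arrives and req.ssl_sni is set
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route by requested hostname only; no redirect is possible here
    use_backend bk_passthrough_site if { req.ssl_sni -i youshouldgohere }
    default_backend bk_passthrough_default

# 2) HTTP mode with TLS termination: the client must trust the cert in
#    abc-123.pem. Now the Host header is visible and a 302 can be returned.
frontend https_terminate
    bind :443 ssl crt /etc/haproxy/certs/abc-123.pem
    mode http
    # Host header with any :port suffix stripped, compared case-insensitively
    acl host_helper req.hdr(host),field(1,:) -i abc-123
    # Send the browser to the real site, keeping the requested path
    http-request redirect location https://youshouldgohere%[path] code 302 if host_helper
    default_backend bk_http_site

backend bk_http_site
    mode http
    server web1 192.0.2.10:80

backend bk_passthrough_site
    mode tcp
    server web1_tls 192.0.2.10:443

backend bk_passthrough_default
    mode tcp
    server web2_tls 192.0.2.11:443
```

Check the fragment with `haproxy -c -f haproxy.cfg` before loading it; the pfSense package generates an equivalent file from its frontend/backend GUI settings.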
