Netgate Discussion Forum

HAProxy - URL Redirect/Rewrite with SNI

General pfSense Questions
  • LesF, last edited Oct 8, 2020, 5:18 PM

    Hello @here,

    I could do with some advice on configuring haproxy to redirect or rewrite an inbound https request (helper url) to a different URL and intended web-server.

    I am essentially using a helper URL like https://abc-123 which resolves to the WAN interface of the pfSense (firewall rules enabled for 443, WAN eth). Once the traffic hits the WAN interface, I need haproxy to interpret the hostname, e.g. 'abc-123', and return a redirect response which should tell the client browser to connect to https://youshouldgohere.

    What is the best option to get this configured? All my attempts with frontend configuration have failed.

    The following is the configuration I have currently applied:
    Frontend ACL: Server Name Indication TLS extension matches: https://abc-123
    Actions: http-request header replace value find abc-123 replace youshouldgohere.

    Any help you can offer is much appreciated.

    Les

    • PiBa @LesF, last edited Oct 8, 2020, 6:39 PM

      @LesF
      Server Name Indication (SNI) is used on TCP frontends that accept SSL (without decrypting it). As such, haproxy cannot see, alter, or respond with an HTTP result (like a redirect) for such requests.

      Also, it's impossible to send an HTTP redirect if the SSL handshake didn't complete (for any program: haproxy/nginx/apache or whatever else). If that's what you wanted, that's a no-go.

      First, to make haproxy understand what's going on at the HTTP layer inside SSL, it needs to decrypt the traffic with a certificate that is trusted by the browser (perhaps your own CA infrastructure with the CA cert installed on the clients?), if you don't want users to click through warnings, that is.

      So use a server certificate for domain abc-123 on the haproxy frontend, use an ACL to check the Host header for a specific requested hostname (again abc-123), and perform the action http-request redirect with value 'location https://gohere'. That should work, if I understood the question properly.

      • LesF, last edited Oct 11, 2020, 4:09 PM

        Thanks very much PiBa for your response. If I understand correctly, even in passthrough mode, haproxy cannot read the SNI details and subsequently redirect the traffic to a different URL?

        • PiBa @LesF, last edited Oct 11, 2020, 5:21 PM

          @LesF
          In TCP mode (where traffic passes through unchanged) haproxy can read the SNI 'hostname' requested, but it cannot send an HTTP reply (a website redirect is a Layer 7 HTTP action, not an SSL Layer 6 one).
          It can choose a different backend server with an ACL that checks for a specific requested hostname, but it doesn't sound like that's what you're after.

          I think what you currently want is impossible.

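As an added example (not code from the thread or from the pfSense haproxy package), the two setups PiBa contrasts in his replies, written as raw haproxy.cfg sections rather than the pfSense GUI fields; the backend addresses, the certificate path and the hostnames are placeholders.

```haproxy
# Added example, not from the thread. Both frontends are shown for comparison;
# in a real deployment only one of them can bind :443.

# 1) TCP-mode passthrough (the original poster's "passthrough mode"):
#    haproxy buffers the TLS ClientHello, reads the SNI name and can pick a
#    backend, but the handshake is never completed here, so no HTTP response
#    (and therefore no redirect) can be sent from this frontend.
frontend fe_tls_passthrough
    bind *:443
    mode tcp
    # Hold the connection up to 5s until a ClientHello has been buffered
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Layer 6 decision only: route on the SNI hostname
    use_backend be_gohere if { req.ssl_sni -i abc-123 }
    default_backend be_default

backend be_gohere
    mode tcp
    server gohere 192.0.2.10:443      # placeholder address

backend be_default
    mode tcp
    server default 192.0.2.20:443     # placeholder address

# 2) TLS termination (PiBa's first reply): haproxy decrypts with a certificate
#    for abc-123 that the browsers trust, can read the Host header, and can
#    answer with a Layer 7 redirect before anything reaches a backend.
frontend fe_https_terminate
    bind *:443 ssl crt /etc/haproxy/certs/abc-123.pem   # placeholder path
    mode http
    # Host header match; the handshake has completed, so HTTP actions apply
    acl is_helper_host req.hdr(host) -i abc-123
    http-request redirect location https://youshouldgohere code 302 if is_helper_host
    default_backend be_web

backend be_web
    mode http
    server web 192.0.2.30:80          # placeholder address
```

Running `haproxy -c -f haproxy.cfg` validates the syntax; only the second frontend can ever emit the 302 the poster asked for.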
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.