Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAProxy SSL setup plus filtering URLs

    Scheduled Pinned Locked Moved
    Cache/Proxy
    2
    3
    598
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      martin.riess
      last edited by

      Hello.

      I am new to HAProxy and would like to set up HAProxy to proxy multiple SSL sites that are on servers inside the LAN.
      I am unsure about which mode/type to use, HAProxy has 2 modes, pfsense GUI offers 3 types.

      To make things interesting, it is important that I only allow access to certain urls of each server.

      So far I managed to set up the proxy using ssl type and was able to access the backend server.
      BUT (of course) I can't filter by URL then, as HAProxy can only see the SNI and nothing else.

      Any suggestions how to properly handle this situation? Is the only solution to block the traffic on the SSL server where the pages reside? (Ending SSL at the HAProxy and continuing plain http is not an option, because of security considerations.)

      I'd be glad for some input and help.
      Thanks in advance.
      M

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @martin.riess
        last edited by

        @martin-riess
        Without decrypting the traffic it is impossible to filter specific url paths..

        Maybe to resolve the secyrity consideration you could re-encrypt the traffic leaving haproxy when it is send to the webservers? There is a ssl checkbox on the server configuration that does that.. Make sure to also configure the ca cert to use for verification then..

        Other than that, indeed the servers would need to filter blocked pages themselves.

        M 1 Reply Last reply Reply Quote 0
        • M
          martin.riess @PiBa
          last edited by

          @piba
          Okay, thank you for confirming. I will go with decoding and encoding the traffic. Blocking the traffic at the first possible stop and having one central place for the configuration seems the better option (for me).

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.