HAProxy with SNI and different SSL SettingsSingle domain SSL presented for all domains on Shared IPHAProxy - ssl client ca chain cannot be verifiedHA-Proxy 301 re-direct: https to https://wwwAWS ELB with SSL backend adds proxy protocol inside SSL streamCapture and forward extended PKI cert attributes (e.g. UPN) using haproxySASL auth to LDAP behind HAPROXY with name mismatchesNo need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?openldap with haproxy - (ldap_result() failed: Can't contact LDAP server)HAProxy does not perform SNI lookupPass-through SSL with HAProxy and vhosts on same IP

What is the status of the Lannisters after Season 8 Episode 5, "The Bells"?

Does the Rogue's Reliable Talent feature work for thieves' tools, since the rogue is proficient in them?

How to continually let my readers know what time it is in my story, in an organic way?

Windows 10 lock screen - display my own random images

Why commonly or frequently used fonts sizes are even numbers like 10px, 12px, 16px, 24px, or 32px?

Should I communicate in my applications that I'm unemployed out of choice rather than because nobody will have me?

How to rename multiple files in a directory at the same time

What dog breeds survive the apocalypse for generations?

I recently started my machine learning PhD and I have absolutely no idea what I'm doing

Single word that parallels "Recent" when discussing the near future

How does a permutation act on a string?

Will there be more tax deductions if I put the house completely under my name, versus doing a joint ownership?

How to not get blinded by an attack at dawn

Testing if os.path.exists with ArcPy?

Why is Drogon so much better in battle than Rhaegal and Viserion?

Using chord iii in a chord progression (major key)

Does it matter what way the tires go if no directional arrow?

Why did Varys remove his rings?

Holding rent money for my friend which amounts to over $10k?

Is there any good reason to write "it is easy to see"?

tikz drawing rectangle discretized with triangle lattices and its centroids

Why did the metro bus stop at each railway crossing, despite no warning indicating a train was coming?

With today's technology, could iron be smelted at La Rinconada?

Does addError() work outside of triggers?



HAProxy with SNI and different SSL Settings


Single domain SSL presented for all domains on Shared IPHAProxy - ssl client ca chain cannot be verifiedHA-Proxy 301 re-direct: https to https://wwwAWS ELB with SSL backend adds proxy protocol inside SSL streamCapture and forward extended PKI cert attributes (e.g. UPN) using haproxySASL auth to LDAP behind HAPROXY with name mismatchesNo need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?openldap with haproxy - (ldap_result() failed: Can't contact LDAP server)HAProxy does not perform SNI lookupPass-through SSL with HAProxy and vhosts on same IP






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








8















I have HAProxy for my two sites, one of them public and one private.



www.mysite.com
private.mysite.com



Atm, I'm using haproxy like this:



frontend mysite_https
 bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
 mode http
 acl domain_www hdr_beg(host) -i www.
 acl domain_private hdr_beg(host) -i private.
 acl path_ghost path_beg /ghost/
 acl clientcert ssl_c_used

 redirect location https://www.example.com if path_ghost !clientcert
 redirect location https://www.example.com if !domain_www !clientcert

 use_backend bknd_private if domain_private
 use_backend bknd_www if domain_www

 default_backend bknd_www


What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com



So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.



Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends



frontend mysite_https
 bind *.443 ssl crt /etc/mycert.pem no-sslv3

frontend private_https
 bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3


Of course that doesn't work because



a. I can't have two frontends listening on port 443 with only one public IP
b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)



I also tried doing it with three haproxy servers



frontend haproxy-sni
bind *:443 ssl crt /etc/mycert.pem no-sslv3
mode tcp

tcp-request inspect-delay 5s
tcp-request content accept if req.ssl_hello_type 1 

acl domain_www ssl_fc_sni_end -i www.example.com

use-server server1 haproxy-private.lan if !domain_www
use-server server2 haproxy-public.lan if domain_www


This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.



Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).



Preferably I would like something like this (made up.. don't know the real options)



frontend mysite_https
 bind *.443 ssl crt /etc/mycert.pem no-sslv3
 mode http

 acl domain_www hdr_beg(host) -i www.
 acl domain_private hdr_beg(host) -i private.
 acl path_ghost path_beg /ghost/

 ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
 ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!

 acl clientcert ssl_c_used

 redirect location https://www.example.com if path_ghost !clientcert
 redirect location https://www.example.com if !domain_www !clientcert
 ...


I hope someone can help me with this...






ssl haproxy sni







share|improve this question




























    8















    I have HAProxy for my two sites, one of them public and one private.



    www.mysite.com
    private.mysite.com



    Atm, I'm using haproxy like this:



    frontend mysite_https
     bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
     mode http
     acl domain_www hdr_beg(host) -i www.
     acl domain_private hdr_beg(host) -i private.
     acl path_ghost path_beg /ghost/
     acl clientcert ssl_c_used

     redirect location https://www.example.com if path_ghost !clientcert
     redirect location https://www.example.com if !domain_www !clientcert

     use_backend bknd_private if domain_private
     use_backend bknd_www if domain_www

     default_backend bknd_www


    What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com



    So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.



    Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends



    frontend mysite_https
     bind *.443 ssl crt /etc/mycert.pem no-sslv3

    frontend private_https
     bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3


    Of course that doesn't work because



    a. I can't have two frontends listening on port 443 with only one public IP
    b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)



    I also tried doing it with three haproxy servers



    frontend haproxy-sni
    bind *:443 ssl crt /etc/mycert.pem no-sslv3
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if req.ssl_hello_type 1 

    acl domain_www ssl_fc_sni_end -i www.example.com

    use-server server1 haproxy-private.lan if !domain_www
    use-server server2 haproxy-public.lan if domain_www


    This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.



    Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).



    Preferably I would like something like this (made up.. don't know the real options)



    frontend mysite_https
     bind *.443 ssl crt /etc/mycert.pem no-sslv3
     mode http

     acl domain_www hdr_beg(host) -i www.
     acl domain_private hdr_beg(host) -i private.
     acl path_ghost path_beg /ghost/

     ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
     ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!

     acl clientcert ssl_c_used

     redirect location https://www.example.com if path_ghost !clientcert
     redirect location https://www.example.com if !domain_www !clientcert
     ...


    I hope someone can help me with this...






    ssl haproxy sni







    share|improve this question
























      8












      8








      8


      7






      I have HAProxy for my two sites, one of them public and one private.



      www.mysite.com
      private.mysite.com



      Atm, I'm using haproxy like this:



      frontend mysite_https
       bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
       mode http
       acl domain_www hdr_beg(host) -i www.
       acl domain_private hdr_beg(host) -i private.
       acl path_ghost path_beg /ghost/
       acl clientcert ssl_c_used

       redirect location https://www.example.com if path_ghost !clientcert
       redirect location https://www.example.com if !domain_www !clientcert

       use_backend bknd_private if domain_private
       use_backend bknd_www if domain_www

       default_backend bknd_www


      What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com



      So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.



      Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends



      frontend mysite_https
       bind *.443 ssl crt /etc/mycert.pem no-sslv3

      frontend private_https
       bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3


      Of course that doesn't work because



      a. I can't have two frontends listening on port 443 with only one public IP
      b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)



      I also tried doing it with three haproxy servers



      frontend haproxy-sni
      bind *:443 ssl crt /etc/mycert.pem no-sslv3
      mode tcp

      tcp-request inspect-delay 5s
      tcp-request content accept if req.ssl_hello_type 1 

      acl domain_www ssl_fc_sni_end -i www.example.com

      use-server server1 haproxy-private.lan if !domain_www
      use-server server2 haproxy-public.lan if domain_www


      This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.



      Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).



      Preferably I would like something like this (made up.. don't know the real options)



      frontend mysite_https
       bind *.443 ssl crt /etc/mycert.pem no-sslv3
       mode http

       acl domain_www hdr_beg(host) -i www.
       acl domain_private hdr_beg(host) -i private.
       acl path_ghost path_beg /ghost/

       ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
       ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!

       acl clientcert ssl_c_used

       redirect location https://www.example.com if path_ghost !clientcert
       redirect location https://www.example.com if !domain_www !clientcert
       ...


      I hope someone can help me with this...






      ssl haproxy sni







      share|improve this question














      I have HAProxy for my two sites, one of them public and one private.



      www.mysite.com
      private.mysite.com



      Atm, I'm using haproxy like this:



      frontend mysite_https
       bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
       mode http
       acl domain_www hdr_beg(host) -i www.
       acl domain_private hdr_beg(host) -i private.
       acl path_ghost path_beg /ghost/
       acl clientcert ssl_c_used

       redirect location https://www.example.com if path_ghost !clientcert
       redirect location https://www.example.com if !domain_www !clientcert

       use_backend bknd_private if domain_private
       use_backend bknd_www if domain_www

       default_backend bknd_www


      What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com



      So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.



      Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends



      frontend mysite_https
       bind *.443 ssl crt /etc/mycert.pem no-sslv3

      frontend private_https
       bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3


      Of course that doesn't work because



      a. I can't have two frontends listening on port 443 with only one public IP
      b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)



      I also tried doing it with three haproxy servers



      frontend haproxy-sni
      bind *:443 ssl crt /etc/mycert.pem no-sslv3
      mode tcp

      tcp-request inspect-delay 5s
      tcp-request content accept if req.ssl_hello_type 1 

      acl domain_www ssl_fc_sni_end -i www.example.com

      use-server server1 haproxy-private.lan if !domain_www
      use-server server2 haproxy-public.lan if domain_www


      This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.



      Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).



      Preferably I would like something like this (made up.. don't know the real options)



      frontend mysite_https
       bind *.443 ssl crt /etc/mycert.pem no-sslv3
       mode http

       acl domain_www hdr_beg(host) -i www.
       acl domain_private hdr_beg(host) -i private.
       acl path_ghost path_beg /ghost/

       ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
       ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!

       acl clientcert ssl_c_used

       redirect location https://www.example.com if path_ghost !clientcert
       redirect location https://www.example.com if !domain_www !clientcert
       ...


      I hope someone can help me with this...






      ssl haproxy sni




      ssl haproxy sni






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 27 '15 at 11:51









      mohrphiummohrphium

      3752716




      3752716




















          2 Answers
          2






          active

          oldest

          votes


















          11














          I found a solution to this problem, that doesn't require additional servers or services.
          I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.



          The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).



          I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.



          This way, I created sort of a loop in haproxy



          [incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
          [incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]


          Here is the config part.



          frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
           bind *:443 # Do not use bind *:8443 ssl crt etc....!
           option tcplog
           mode tcp 

           tcp-request inspect-delay 5s
           tcp-request content accept if req_ssl_hello_type 1 

           acl subdomain_is_www req_ssl_sni -i www.example.com
           acl subdomain_is_www req_ssl_sni -i example.com
           acl subdomain_is_private req_ssl_sni -i private.example.com

           use_backend bknd_snipt_private if subdomain_is_private
           use_backend bknd_snipt_www if subdomain_is_www

          backend bknd_snipt_www
           mode tcp # tcp mode must match the frontend mode - already set as default in [global]
           server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!

          backend bknd_snipt_private
           mode tcp 
           server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)

          ##### NORMAL HAPROXY PART #####
          frontend www_example_com # this frontend can be in tcp or http mode...
           bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
           mode http
           option httplog


          frontend private_example_com
           bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
           mode http
           option httplog
           ... # whatever you have in your frontend


          If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.






          share|improve this answer























          • Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

            – JB.
            Aug 24 '15 at 9:25











          • Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

            – mohrphium
            Aug 24 '15 at 16:33












          • I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

            – mohrphium
            Aug 24 '15 at 16:41


















          1














          recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate



          you can use it like this:



          haproxy.conf:



          frontend https
           mode http
           bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem

           use_backend test if ssl_fc_sni -i test.area.example.org 
           use_backend private if ssl_fc_sni -i private.example.org 
           default_backend www


          crt-list.conf:



          www.pem [verify none]
          www.pem [verify required] *.area.example.org
          private.pem [verify required]


          more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list



          note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!






          share|improve this answer























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f662662%2fhaproxy-with-sni-and-different-ssl-settings%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            11














            I found a solution to this problem, that doesn't require additional servers or services.
            I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.



            The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).



            I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.



            This way, I created sort of a loop in haproxy



            [incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
            [incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]


            Here is the config part.



            frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
             bind *:443 # Do not use bind *:8443 ssl crt etc....!
             option tcplog
             mode tcp 

             tcp-request inspect-delay 5s
             tcp-request content accept if req_ssl_hello_type 1 

             acl subdomain_is_www req_ssl_sni -i www.example.com
             acl subdomain_is_www req_ssl_sni -i example.com
             acl subdomain_is_private req_ssl_sni -i private.example.com

             use_backend bknd_snipt_private if subdomain_is_private
             use_backend bknd_snipt_www if subdomain_is_www

            backend bknd_snipt_www
             mode tcp # tcp mode must match the frontend mode - already set as default in [global]
             server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!

            backend bknd_snipt_private
             mode tcp 
             server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)

            ##### NORMAL HAPROXY PART #####
            frontend www_example_com # this frontend can be in tcp or http mode...
             bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
             mode http
             option httplog


            frontend private_example_com
             bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
             mode http
             option httplog
             ... # whatever you have in your frontend


            If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.






            share|improve this answer























            • Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

              – JB.
              Aug 24 '15 at 9:25











            • Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

              – mohrphium
              Aug 24 '15 at 16:33












            • I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

              – mohrphium
              Aug 24 '15 at 16:41















            11














            I found a solution to this problem, that doesn't require additional servers or services.
            I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.



            The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).



            I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.



            This way, I created sort of a loop in haproxy



            [incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
            [incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]


            Here is the config part.



            frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
             bind *:443 # Do not use bind *:8443 ssl crt etc....!
             option tcplog
             mode tcp 

             tcp-request inspect-delay 5s
             tcp-request content accept if req_ssl_hello_type 1 

             acl subdomain_is_www req_ssl_sni -i www.example.com
             acl subdomain_is_www req_ssl_sni -i example.com
             acl subdomain_is_private req_ssl_sni -i private.example.com

             use_backend bknd_snipt_private if subdomain_is_private
             use_backend bknd_snipt_www if subdomain_is_www

            backend bknd_snipt_www
             mode tcp # tcp mode must match the frontend mode - already set as default in [global]
             server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!

            backend bknd_snipt_private
             mode tcp 
             server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)

            ##### NORMAL HAPROXY PART #####
            frontend www_example_com # this frontend can be in tcp or http mode...
             bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
             mode http
             option httplog


            frontend private_example_com
             bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
             mode http
             option httplog
             ... # whatever you have in your frontend


            If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.






            share|improve this answer























            • Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

              – JB.
              Aug 24 '15 at 9:25











            • Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

              – mohrphium
              Aug 24 '15 at 16:33












            • I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

              – mohrphium
              Aug 24 '15 at 16:41













            11












            11








            11







            I found a solution to this problem, that doesn't require additional servers or services.
            I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.



            The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).



            I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.



            This way, I created sort of a loop in haproxy



            [incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
            [incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]


            Here is the config part.



            frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
             bind *:443 # Do not use bind *:8443 ssl crt etc....!
             option tcplog
             mode tcp 

             tcp-request inspect-delay 5s
             tcp-request content accept if req_ssl_hello_type 1 

             acl subdomain_is_www req_ssl_sni -i www.example.com
             acl subdomain_is_www req_ssl_sni -i example.com
             acl subdomain_is_private req_ssl_sni -i private.example.com

             use_backend bknd_snipt_private if subdomain_is_private
             use_backend bknd_snipt_www if subdomain_is_www

            backend bknd_snipt_www
             mode tcp # tcp mode must match the frontend mode - already set as default in [global]
             server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!

            backend bknd_snipt_private
             mode tcp 
             server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)

            ##### NORMAL HAPROXY PART #####
            frontend www_example_com # this frontend can be in tcp or http mode...
             bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
             mode http
             option httplog


            frontend private_example_com
             bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
             mode http
             option httplog
             ... # whatever you have in your frontend


            If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.






            share|improve this answer













            I found a solution to this problem, that doesn't require additional servers or services.
            I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.



            The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).



            I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.



            This way, I created sort of a loop in haproxy



            [incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
            [incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]


            Here is the config part.



            frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
             bind *:443 # Do not use bind *:8443 ssl crt etc....!
             option tcplog
             mode tcp 

             tcp-request inspect-delay 5s
             tcp-request content accept if req_ssl_hello_type 1 

             acl subdomain_is_www req_ssl_sni -i www.example.com
             acl subdomain_is_www req_ssl_sni -i example.com
             acl subdomain_is_private req_ssl_sni -i private.example.com

             use_backend bknd_snipt_private if subdomain_is_private
             use_backend bknd_snipt_www if subdomain_is_www

            backend bknd_snipt_www
             mode tcp # tcp mode must match the frontend mode - already set as default in [global]
             server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!

            backend bknd_snipt_private
             mode tcp 
             server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)

            ##### NORMAL HAPROXY PART #####
            frontend www_example_com # this frontend can be in tcp or http mode...
             bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
             mode http
             option httplog


            frontend private_example_com
             bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
             mode http
             option httplog
             ... # whatever you have in your frontend


            If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Jan 31 '15 at 10:29









            mohrphiummohrphium

            3752716




            3752716












            • Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

              – JB.
              Aug 24 '15 at 9:25











            • Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

              – mohrphium
              Aug 24 '15 at 16:33












            • I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

              – mohrphium
              Aug 24 '15 at 16:41

















            • Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

              – JB.
              Aug 24 '15 at 9:25











            • Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

              – mohrphium
              Aug 24 '15 at 16:33












            • I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

              – mohrphium
              Aug 24 '15 at 16:41
















            Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

            – JB.
            Aug 24 '15 at 9:25





            Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?

            – JB.
            Aug 24 '15 at 9:25













            Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

            – mohrphium
            Aug 24 '15 at 16:33






            Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...

            – mohrphium
            Aug 24 '15 at 16:33














            I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

            – mohrphium
            Aug 24 '15 at 16:41





            I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)

            – mohrphium
            Aug 24 '15 at 16:41













            1














            recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate



            you can use it like this:



            haproxy.conf:



            frontend https
             mode http
             bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem

             use_backend test if ssl_fc_sni -i test.area.example.org 
             use_backend private if ssl_fc_sni -i private.example.org 
             default_backend www


            crt-list.conf:



            www.pem [verify none]
            www.pem [verify required] *.area.example.org
            private.pem [verify required]


            more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list



            note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!






            share|improve this answer



























              1














              recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate



              you can use it like this:



              haproxy.conf:



              frontend https
               mode http
               bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem

               use_backend test if ssl_fc_sni -i test.area.example.org 
               use_backend private if ssl_fc_sni -i private.example.org 
               default_backend www


              crt-list.conf:



              www.pem [verify none]
              www.pem [verify required] *.area.example.org
              private.pem [verify required]


              more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list



              note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!






              share|improve this answer

























                1












                1








                1







                recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate



                you can use it like this:



                haproxy.conf:



                frontend https
                 mode http
                 bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem

                 use_backend test if ssl_fc_sni -i test.area.example.org 
                 use_backend private if ssl_fc_sni -i private.example.org 
                 default_backend www


                crt-list.conf:



                www.pem [verify none]
                www.pem [verify required] *.area.example.org
                private.pem [verify required]


                more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list



                note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!






                share|improve this answer













                recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate



                you can use it like this:



                haproxy.conf:



                frontend https
                 mode http
                 bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem

                 use_backend test if ssl_fc_sni -i test.area.example.org 
                 use_backend private if ssl_fc_sni -i private.example.org 
                 default_backend www


                crt-list.conf:



                www.pem [verify none]
                www.pem [verify required] *.area.example.org
                private.pem [verify required]


                more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list



                note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered May 4 at 12:59









                freakerfreaker

                1113




                1113



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Server Fault!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f662662%2fhaproxy-with-sni-and-different-ssl-settings%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

                    Image
                    centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
                    Read more

                    Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

                    Image
                    AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
                    Read more

                    What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

                    Image
                    When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
                    Read more