HAProxy SNI Based

Question

I have this scenario

some connections income to my HAProxy server on HTTPS and port 443 & 440

Connections sni are : subbbx.example1.com and subyyyyy.example2.com (for example)

What I need :

When incoming connection have example1.com and any subdomain the connection forward to IP1 When incoming connection have example2.com and any subdomain the connection forward to IP2 Else on any other sni connection forward to IP3

May provide me config ?

Note : HAProxy server does not have sll cert. but ip1 server and ip2 server and ip3 server have cert related to sni

Thanks

Because I am zero at HAProxy I dont know how to do that

Answer 1

Untested, but this snippet seems to do what you want:

# Haproxy configuration for SSL request passthrough to different backend based on SNI read from Handshaking stage
# The Loadbalance will not decode the encrpted data but transparently transfer to the backend server in Private subnet.
# With such configuration, you can install multiply services with its own SSL certificate in backend in different EC2 instance, but only explosure to public internet with one Loadbalance IP. There is no need to install SSL certificate in Loadbalancer level.

# Ref:
#   How to support wildcard sni: https://stackoverflow.com/questions/24839318/haproxy-reverse-proxy-sni-wildcard
#   https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
#   https://stuff-things.net/2016/11/30/haproxy-sni/


#---------------------------------------------------------------------
# Proxys to the webserver backend port 443
#---------------------------------------------------------------------
frontend main_ssl
    bind :443
    mode tcp
    option tcplog

    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend aaa_ssl if { req_ssl_sni -m end .aaa.domain.com }
    use_backend bbb_ssl if { req_ssl_sni -m end .bbb.domain.com }

    default_backend static

backend aaa_ssl
    mode tcp
    balance roundrobin
    server aaa_ssl_server x.x.x.x:443 check

backend bbb_ssl
    mode tcp
    balance roundrobin
    server bbb_ssl_server x.x.x.x:443 check

Change the backend IP addresses, and change .aaa.domain.com and .bbb.domain.com to .example1.com and .example2.com for your case. Since it uses req_ssl_sni -m end, it should match any subdomain, like you want.

HAProxy server does not have sll cert.

Note that this won't work for connections using Encrypted SNI, since the SNI won't be visible by HAProxy in passthrough mode.