{"id":27586,"date":"2017-05-14T11:29:20","date_gmt":"2017-05-14T09:29:20","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=27586"},"modified":"2017-05-14T11:29:20","modified_gmt":"2017-05-14T09:29:20","slug":"haproxy-sni","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2017\/05\/14\/haproxy-sni\/","title":{"rendered":"HAProxy SNI"},"content":{"rendered":"\n

HAProxy SNI<\/a>” is pure gold! If you want to have a load balancer for HTTPS traffic, without managing SSL certificates on the said load balancer, there is a way to do so.<\/p>\n

The approach is utilizing the Server Name Indication<\/a> (SNI) extension to the TLS protocol. \u00a0I knew about it and I was already using it on the web server side, but it didn’t occur to me that it’ll be utilized on the load balancer. \u00a0Here’s the configuration bit:<\/p>\n

\r\nfrontend https *:443\r\n  description Incoming traffic to port 443\r\n  mode tcp\r\n  tcp-request inspect-delay 5s\r\n  tcp-request content accept if { req_ssl_hello_type 1 }\r\n  use_backend backend-ssl-foobar if { req_ssl_sni -i foobar.com }\r\n  use_backend backend-ssl-example if { req_ssl_sni -i example.com }\r\n  default_backend backend-ssl-default\r\n<\/pre>\n
The above will make HAProxy listen on port 443, and then send all traffic for foobar.com to one backend, all traffic for example.com to another backend, and the rest to the third, default backend.<\/p>\n\n","protected":false},"excerpt":{"rendered":"\n
“HAProxy SNI” is pure gold! If you want to have a load balancer for HTTPS traffic, without managing SSL certificates on the said load balancer, there is a way to do so. The approach is utilizing the Server Name Indication (SNI) extension to the TLS protocol. \u00a0I knew about it and I was already using … Continue reading HAProxy SNI<\/span><\/a><\/p>\n\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"HAProxy SNI #SysAdmin #hosting #HAProxy #SSL #security #performance","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false,"_links_to":"","_links_to_target":""},"categories":[1,6,133,62,1334],"tags":[3400,3225,1057,200,3413,2289],"keyring_services":[],"class_list":["post-27586","post","type-post","status-publish","format-standard","hentry","category-general","category-linux","category-sysadmin","category-technology","category-web-work","tag-haproxy","tag-http","tag-performance","tag-security","tag-ssl","tag-web-hosting"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t