HAProxy reverse proxy SNI wildcard
I need some help with my HAProxy config. I am currently using HAProxy 1.5 to access geoblocked websites by reverse proxying them through altered DNS entries (https://github.com/trick77/tunlr-style-dns-unblocking).

Now I have stumbled upon a problem, as I have to proxy many subdomains of one server (let's say abc.xyz.com, def.xyz.com, ...). Is it possible to create a wildcard in my config using something like *.xyz.com that actually works with SNI and all subdomains of this domain?

Thank you very much in advance!

global
  daemon
  maxconn 200
  user haproxy
  group haproxy
  stats socket /var/run/haproxy.sock mode 0600 level admin
  log /dev/log  local0 debug
  pidfile /var/run/haproxy.pid
  spread-checks 5

defaults
  maxconn 195
  log global
  mode http
  option httplog
  option abortonclose
  option http-server-close
  option persist
  option accept-invalid-http-response

  timeout connect 20s
  timeout server 120s
  timeout client 120s
  timeout check 10s
  retries 3

# catchall ------------------------------------------------------------------------

frontend f_catchall
  mode http
  bind *:80
  log global
  option httplog
  option accept-invalid-http-request

  capture request  header Host len 50
  capture request  header User-Agent len 150

  #--- xyz.com
  use_backend b_catchall     if { hdr(host) -i abc.xyz.com }


  default_backend b_deadend

backend b_catchall
  log global
  mode http
  option httplog
  option http-server-close

  #--- xyz.com
  use-server abc.xyz.com                    if { hdr(host) -i abc.xyz.com }
  server abc.xyz.com abc.xyz.com:80 check inter 10s fastinter 2s downinter 2s fall 1800

frontend f_catchall_sni
  bind *:443
  mode tcp
  log global
  option tcplog
  no option http-server-close

  tcp-request inspect-delay 5s
  tcp-request content accept               if { req_ssl_hello_type 1 }

  #--- abc
  use_backend b_catchall_sni               if { req_ssl_sni -i abc.xyz.com }

  default_backend b_deadend_sni

backend b_catchall_sni
  log global
  option tcplog
  mode tcp
  no option http-server-close
  no option accept-invalid-http-response

  #---xyz.com
  use-server abc.xyz.com                    if { req_ssl_sni -i abc.xyz.com }
  server abc.xyz.com abc.xyz.com:443 check inter 10s fastinter 2s downinter 2s fall 1800

# deadend ------------------------------------------------------------------------

backend b_deadend
  mode http
  log global
  option httplog

backend b_deadend_sni
  mode tcp
  log global
  option tcplog
  no option accept-invalid-http-response
  no option http-server-close
Oocyte asked 19/7, 2014 at 10:25

I finally found a solution. It wasn't in the documentation though.

Use -m end instead of -i for a wildcard:

if { req.ssl_sni -m end .abc.xyz.com }

Georginageorgine answered 8/12, 2015 at 15:06
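A complete config built around that suffix match, for both the port 80 and the port 443 paths of the question, added here as an example rather than taken from the question or from either answer. It assumes that every subdomain being proxied is served from one origin address (written as xyz.com here), because HAProxy 1.5 cannot pick a server address from the SNI or Host value at run time; host names, backend names and timeouts are placeholders.

```haproxy
global
  daemon
  maxconn 200
  log /dev/log local0

defaults
  log global
  timeout connect 10s
  timeout client  120s
  timeout server  120s

# --- Plain HTTP: the Host header carries the name --------------------------
frontend f_catchall
  mode http
  bind *:80
  option httplog
  # The leading dot matters: ".xyz.com" matches abc.xyz.com and def.xyz.com
  # but not "notxyz.com", which a pattern of "xyz.com" would also accept.
  use_backend b_xyz_http if { hdr(host) -i -m end .xyz.com }
  default_backend b_deadend

backend b_xyz_http
  mode http
  option httplog
  option http-server-close
  # Assumed: all subdomains share this origin address. The Host header is
  # forwarded unchanged, so the origin still sees which subdomain was asked for.
  server origin xyz.com:80 check inter 10s

# --- TLS passthrough: the SNI in the ClientHello carries the name ----------
frontend f_catchall_sni
  mode tcp
  bind *:443
  option tcplog
  # Buffer the start of the stream until the ClientHello has arrived; without
  # the inspect delay the use_backend rule runs on an empty buffer and
  # req.ssl_sni has no value.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  # Same anchored suffix rule as above, applied to the SNI. "-m dom xyz.com"
  # would also match xyz.com.attacker.example, so keep the dotted suffix.
  use_backend b_xyz_sni if { req.ssl_sni -i -m end .xyz.com }
  default_backend b_deadend_sni

backend b_xyz_sni
  mode tcp
  option tcplog
  # TLS is not terminated on this path, so the check is a bare TCP connect.
  server origin xyz.com:443 check inter 10s

# --- Dead ends: no servers, so an unmatched name gets a 503 (http) or a
# --- closed connection (tcp) instead of being forwarded anywhere -----------
backend b_deadend
  mode http

backend b_deadend_sni
  mode tcp
```

Check it with `haproxy -c -f <file>` before reloading; the suffix rule is the only thing that changes between the per-host config in the question and this one, the rest is the inspect delay the third answer mentions and a dead-end default so that names you did not list are never relayed.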

You can use ssl_fc_sni. Something like this works:

use_backend api if { ssl_fc_sni api.example.com }
use_backend web if { ssl_fc_sni app.example.com }
Mortise answered 6/11, 2014 at 1:51
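ssl_fc_sni only carries a value when HAProxy itself terminates TLS on the bind line, so it suits a proxy that holds certificates for the names it answers for (a wildcard certificate for *.xyz.com, say) and re-encrypts towards the origin. A config in that shape, added here as an example and not part of the answer above; the certificate directory and CA bundle paths are assumptions.

```haproxy
# Terminating variant. "crt" on a directory loads every PEM file in it and
# HAProxy picks the one whose name matches the SNI the client sent.
frontend f_tls_terminate
  mode http
  bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3
  option httplog
  # ssl_fc_sni is populated because TLS is terminated here; on a plain
  # "bind *:443" passthrough it is always empty and this rule never matches.
  use_backend b_xyz if { ssl_fc_sni -i -m end .xyz.com }
  default_backend b_deadend

backend b_xyz
  mode http
  option http-server-close
  # Re-encrypt to the origin and verify its chain and name against the system
  # CA bundle (path assumed) instead of forwarding the decrypted traffic in the
  # clear. HAProxy 1.5 server lines cannot send SNI (that arrived in 1.6), so
  # the origin must serve a certificate valid for the name checked here.
  server origin xyz.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost xyz.com check inter 10s

backend b_deadend
  mode http
```

For the DNS-unblocking setup in the question this variant does not apply: the clients expect the real site's certificate, which the proxy does not hold, so the passthrough form with req.ssl_sni is the one that works there.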

If someone is struggling with why it's not working: I was missing this on the frontend:

tcp-request inspect-delay 3s

Dispread answered 28/6, 2022 at 17:03
