Proxy TCP traffic based on DNS name and terminate SSL elsewhere

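The motivation behind this topic was to reuse my official Let's Encrypt certificate for other services that the traffic has to be proxied to. To solve this problem, I used HAProxy with SNI-based routing: HAProxy runs in TCP mode, reads the server name from the TLS ClientHello and forwards the still-encrypted stream to the matching backend, which terminates SSL itself.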

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

defaults
	log	global
	mode	tcp
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

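frontend apache2-ssl
	bind 127.0.0.1:8443
	mode tcp
	# Wait up to 5s for the TLS ClientHello so the SNI can be inspected
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	# Route on the SNI host name (-i: case-insensitive); TLS is not terminated here
	use_backend rancher if { req_ssl_sni -i rancher.heinzl.dev }
	# Any other name, or a client that sends no SNI, goes to the default site
	default_backend default_ssl_site

backend rancher
	mode tcp
	server server 127.0.0.1:6443

backend default_ssl_site
	mode tcp
	server server 127.0.0.1:443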

Sources:

[SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it
Good day, friends. Almost all in the title. How to configure my little zoo of, say, containers to work correctly behind one proxy? I have a separate certificate for every subdomain of every domain; I do not plan to use plain HTTP, only HTTPS; I do not plan to terminate SSL on the proxy, so I need …

https://gist.github.com/daemonza/198480

https://www.haproxy.com/de/blog/web-application-name-to-backend-mapping-in-haproxy/6