Proxy TCP traffic based on DNS name and terminate SSL elsewhere
The motivation for this setup was to keep using my official Let's Encrypt certificate for other services that sit behind the same public IP, which means the traffic has to be proxied to them without decrypting it on the way. To solve this, I used HAProxy with SNI-based routing: HAProxy reads the server name from the unencrypted TLS ClientHello and forwards the raw TCP stream to the matching backend, and that backend terminates TLS itself. The proxy never holds a private key, so each backend has to be configured with the certificate for its own name.
```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    # TCP mode: HAProxy forwards the raw byte stream and never sees plaintext
    mode tcp
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    # Debian defaults; errorfiles only apply to HTTP-mode proxies and are
    # not used by the TCP-mode sections below
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend apache2-ssl
    bind 127.0.0.1:8443
    mode tcp
    # Hold the connection for up to 5s so the ClientHello can be inspected
    # before a routing decision is made
    tcp-request inspect-delay 5s
    # req.ssl_hello_type 1 = TLS ClientHello (req_ssl_hello_type is the
    # deprecated spelling). If no rule matches before the delay expires, the
    # connection is accepted anyway and falls through to the default backend
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the plaintext SNI field of the ClientHello; -i ignores case
    use_backend rancher if { req.ssl_sni -i rancher.heinzl.dev }
    default_backend default_ssl_site

# Each backend terminates TLS itself and therefore needs its own copy of the
# certificate. Backends see 127.0.0.1 as the client address; add "send-proxy"
# to a server line only if that backend accepts the PROXY protocol.
backend rancher
    mode tcp
    server rancher 127.0.0.1:6443

backend default_ssl_site
    mode tcp
    server apache2 127.0.0.1:443
```
Sources:
- HAProxy community forum: [SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it (one certificate per subdomain, HTTPS only, no SSL termination on the proxy)
- https://gist.github.com/daemonza/198480
- https://www.haproxy.com/de/blog/web-application-name-to-backend-mapping-in-haproxy/6