pages-server/haproxy-sni
Moritz Marquardt 76e5d8e77c
Add TODOs
2021-12-05 14:48:37 +01:00
gitea-www Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
haproxy-certificates Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
pages-www Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
.gitignore Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
dhparam.pem Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
docker-compose.yml Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
gitea.Caddyfile Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
haproxy.cfg Add TODOs 2021-12-05 14:48:37 +01:00
pages.Caddyfile Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00
README.md Add screenshot of the SNI test script 2021-06-06 12:42:46 +02:00
test.sh Add proof of concept for SNI-based routing through HAProxy 2021-06-06 12:29:53 +02:00

HAProxy with SNI & Host-based rules

This is a proof of concept in which HAProxy routes incoming TLS connections in one of two ways: either by SNI to backends that present their own HTTPS certificates (HAProxy then proxies at the TCP level only, so the backend's certificate is what the client sees), or by terminating HTTPS itself and using the Host header to route to backends that speak plain HTTP (or, if desired, over a new HTTPS connection to the backend).

How it works

  1. The http_redirect_frontend only listens on port 80 and redirects every request to HTTPS.
  2. The https_sni_frontend listens on port 443 and chooses a backend from the SNI hostname in the TLS ClientHello, without decrypting anything.
  3. The https_termination_backend forwards the still-encrypted TCP stream unchanged to a unix socket.
  4. The https_termination_frontend listens on that unix socket, terminates HTTPS there and then chooses a backend from the Host header.

In the example (see haproxy.cfg), pages_backend listens on HTTPS and presents its own certificates, while gitea_backend only speaks HTTP.
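The following configuration implements the four pieces described above. It is an added example written for this page, not a copy of the repository's haproxy.cfg; the hostnames pages.example.com and gitea.example.com, the socket path, the certificate and dhparam paths, and the backend addresses pages-www:443 and gitea-www:80 are assumptions.

```haproxy
global
    log stdout format raw local0
    # DH parameters for the terminating frontend (assumed path of the repo's dhparam.pem)
    ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. Plain HTTP listener: every request is redirected to HTTPS.
frontend http_redirect_frontend
    mode http
    bind :80
    http-request redirect scheme https code 301

# 2. TLS pass-through listener: route on the SNI name without decrypting.
frontend https_sni_frontend
    mode tcp
    bind :443
    # Wait for the ClientHello so that req.ssl_sni is populated before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # SNI is unauthenticated client input: match exact names, never substrings.
    use_backend pages_backend if { req.ssl_sni -i pages.example.com }
    # Everything else (including connections without SNI) is terminated locally.
    default_backend https_termination_backend

# Backend that presents its own certificate; bytes are relayed unchanged.
backend pages_backend
    mode tcp
    server pages pages-www:443

# 3. Hand the still-encrypted stream to the terminating frontend over a unix socket.
#    send-proxy carries the original client address across the socket.
backend https_termination_backend
    mode tcp
    server termination unix@/var/run/haproxy-termination.sock send-proxy

# 4. Terminate TLS here and route on the Host header.
frontend https_termination_frontend
    mode http
    bind unix@/var/run/haproxy-termination.sock accept-proxy ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Host is client-controlled as well: exact match only. With no default_backend,
    # an unknown Host name gets a 503 instead of silently reaching a service.
    use_backend gitea_backend if { req.hdr(host) -i gitea.example.com }

backend gitea_backend
    mode http
    server gitea gitea-www:80
```

Two points worth keeping in mind with this layout. The SNI name and the Host header are independent client inputs: a client can send SNI pages.example.com together with Host gitea.example.com and will still be routed to pages_backend, because HAProxy never sees the HTTP layer of a pass-through connection. Each pass-through backend therefore has to validate Host, do its own logging and set its own security headers; HAProxy can only do that for the Host-routed, locally terminated side. The `accept-proxy` / `send-proxy` pair exists so the terminating frontend still logs the real client address rather than the unix socket.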

How to test

```sh
docker-compose up &
./test.sh
docker-compose down

# For manual testing: all HTTPS URLs connect to localhost:443 & certificates are not verified.
./test.sh [curl-options...] <url>
```
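One way to do the manual test described above with curl and openssl. This is an added example, not the repository's test.sh: it assumes HAProxy is reachable at 127.0.0.1:443 (override with HAPROXY_ADDR) and uses example hostnames. `--connect-to` sends the request to the local proxy while keeping both the SNI name and the Host header equal to the URL's hostname, which is exactly what the SNI and Host rules key on; `served_cert_subject` shows which certificate a given SNI name actually yields, i.e. whether the pages backend's own certificate or HAProxy's is exposed to the client.

```shell
# Added example, not the repo's test.sh. Assumed: HAProxy on 127.0.0.1:443,
# example hostnames, self-signed certificates (hence -k for the local PoC).
HAPROXY_ADDR="${HAPROXY_ADDR:-127.0.0.1:443}"

# url_host URL -> prints the hostname of an http(s) URL (scheme, port and path stripped).
url_host() {
    h="${1#*://}"      # strip scheme
    h="${h%%/*}"       # strip path
    h="${h%%:*}"       # strip port
    printf '%s\n' "$h"
}

# sni_curl_args URL [curl-options...] -> prints, one per line, the curl arguments
# that send the request to HAPROXY_ADDR while SNI and Host stay the URL's hostname.
# -k skips certificate verification because the PoC certificates are self-signed;
# outside a local test, replace it with --cacert <file>.
sni_curl_args() {
    url="$1"; shift
    host="$(url_host "$url")"
    printf '%s\n' -sS -k --connect-to "$host:443:$HAPROXY_ADDR" "$@" "$url"
}

# sni_curl URL [curl-options...] -> performs the request against the local HAProxy.
sni_curl() {
    url="$1"; shift
    host="$(url_host "$url")"
    curl -sS -k --connect-to "$host:443:$HAPROXY_ADDR" "$@" "$url"
}

# served_cert_subject HOST -> prints the subject of the leaf certificate presented
# for that SNI name. For a pass-through name this must be the backend's own
# certificate; for a Host-routed name it is the one HAProxy terminates with.
served_cert_subject() {
    openssl s_client -connect "$HAPROXY_ADDR" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Typical use once the stack is up: `sni_curl https://gitea.example.com/ -I` to check the Host-routed path, `sni_curl https://pages.example.com/ -I` for the pass-through path, and `served_cert_subject pages.example.com` to confirm that the certificate seen by the client really comes from the pages backend rather than from HAProxy.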

Screenshot of the test script's output