I currently have two different frontends, and I want to offer both on SSL port 443. However, each frontend has different ACLs and http-response set-headers. I think the default[1] to redirect to backends is something like this.

frontend env_ssl_frontend
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 10s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend bk_app1 if { req.ssl_sni -m end app1.domain.com }
    use_backend bk_app2 if { req.ssl_sni -m end app2.domain.com }
    use_backend bk_app3 if { req.ssl_sni -m end app3.domain.com }

frontend http
    bind *:443 ssl crt /etc/ssl/certs/mycert.pem
    mode tcp
    acl backend1 ssl_fc_sni backed1.domain.com
    acl backend2 ssl_fc_sni backed2.domain.com
    tcp-request inspect-delay 5s
    use_backend backend1 if backend1
    use_backend backend2 if backend2

But I think this would mean I cannot separate ACLs for different backends, or am I mistaken here? Or is there another way to configure this? I was thinking of maybe doing a port redirection, but that does not really look nice on the client side.
So basically I would like to have a frontend configuration that is similar to e.g. webservers, where you have a separate config for a ‘domain’ identified by SNI name and certificate.
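
One way to get a separate per-domain frontend behind a single port 443, shown as an added example that is not part of the original post: a TCP frontend routes on SNI and loops each connection into its own TLS-terminating HTTP frontend. The section names, abns socket names, certificate paths, header values and server addresses are assumptions.

```haproxy
# Added example; hostnames, certificate paths, socket and section names are assumptions.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Layer 1: read the SNI from the ClientHello without terminating TLS.
frontend fe_sni_router
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Exact match: "-m end" would also accept e.g. xapp1.domain.com.
    use_backend bk_to_app1 if { req.ssl_sni -i app1.domain.com }
    use_backend bk_to_app2 if { req.ssl_sni -i app2.domain.com }
    # No default_backend: an unknown or absent SNI is not forwarded.

# Pass the still-encrypted stream to a per-domain frontend over an abstract
# UNIX socket; PROXY protocol preserves the original client address.
backend bk_to_app1
    mode tcp
    server loop_app1 abns@fe_app1 send-proxy-v2
backend bk_to_app2
    mode tcp
    server loop_app2 abns@fe_app2 send-proxy-v2

# Layer 2: one frontend per domain with its own certificate, ACLs and headers.
frontend fe_app1
    bind abns@fe_app1 accept-proxy ssl crt /etc/ssl/certs/app1.pem
    mode http
    # Reject requests whose Host header does not belong to this frontend.
    http-request deny unless { req.hdr(host),field(1,:) -i app1.domain.com }
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend bk_app1
frontend fe_app2
    bind abns@fe_app2 accept-proxy ssl crt /etc/ssl/certs/app2.pem
    mode http
    acl from_internal src 10.0.0.0/8
    http-request deny unless from_internal
    http-response set-header X-Frame-Options DENY
    default_backend bk_app2

backend bk_app1
    mode http
    server app1 192.0.2.10:8080 check
backend bk_app2
    mode http
    server app2 192.0.2.20:8080 check
```

Because the inner binds use accept-proxy, `src` in the per-domain ACLs evaluates against the real client address rather than the loopback hop.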