So recently I built new HAProxy servers to replace ones on EOL versions of Ubuntu. I copied over the original config file and modified it to handle SNI on one frontend. I'm very confident that these servers are operating in an SSL pass-through mode, but there are questions about the config mentioning the SSL cert files in both the front and backends.
Sanitized config here: dpaste/JVPm (Plain Text)
So specifying the two .pem files in the frontend bind means that, upon matching SNI, the relevant SSL cert will be sent in the response, right?
And having the .pem files in the service directives on the backends means that HAProxy can establish an encrypted session with that server, right? But if this is the case, then how can that work when the service line contains the short DNS name and the IP, when/if neither of those is in the certificate?
Or maybe that is not how it works; I don't have a firm understanding of what SSL pass-through looks like in this case.
And then to confound the issue, ‘verify none’ on the backend… I don’t understand how client certificates come into play here.
A co-worker who looked at this says it appears to him that the HAProxy server is terminating the initial TLS session and forming another to the backend. I don't feel that's how it works, but I cannot explain it otherwise. I really hope someone can help me with this.
Thank you!
EDIT: Might be worthwhile to note, this/these servers are in the DMZ and the firewall is only allowing external access in to TCP/636 and TCP/443.
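The two modes the post is asking about, side by side, as an added example (editor's illustration, not the poster's sanitized config and not taken from dpaste; the hostnames, IPs and certificate paths are assumed placeholders). Variant A is true pass-through: HAProxy only peeks at the ClientHello for the SNI and never holds a certificate or key. Variant B is what `crt` on a `bind` line plus `ssl` on a `server` line actually produces: termination of the client's TLS session followed by a second, separate TLS session to the backend, with the weak `verify none` setting shown next to a verifying one.

```haproxy
# NOTE: Variants A and B are alternatives. Both bind :443 and are shown
# together only for comparison; enable one of them.

# --- Variant A: TLS pass-through with SNI routing ---------------------------
# No "ssl"/"crt" anywhere. HAProxy inspects the unencrypted SNI extension of
# the ClientHello, then forwards the raw TCP stream. The certificate the
# client sees is the backend's own, so it must be one the client trusts.
frontend fe_https_passthrough
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend be_app1_passthrough if { req_ssl_sni -i app1.example.com }
    use_backend be_app2_passthrough if { req_ssl_sni -i app2.example.com }
    default_backend be_app1_passthrough

backend be_app1_passthrough
    mode tcp
    # No "ssl" keyword on the server line: encrypted bytes pass untouched.
    server app1 10.0.0.11:443 check

backend be_app2_passthrough
    mode tcp
    server app2 10.0.0.12:443 check

# --- Variant B: TLS termination + re-encryption -----------------------------
# "crt" on the bind line means HAProxy holds the private keys and completes
# the client's handshake itself, choosing the certificate that matches the
# SNI the client sent. "ssl" on a server line means HAProxy then opens its
# own TLS session to the backend. The backend never sees the client's session.
frontend fe_https_terminate
    bind *:443 ssl crt /etc/haproxy/certs/app1.pem crt /etc/haproxy/certs/app2.pem
    mode http
    use_backend be_app1_reencrypt if { ssl_fc_sni -i app1.example.com }
    default_backend be_app2_reencrypt

backend be_app1_reencrypt
    mode http
    # WEAK: "verify none" makes HAProxy accept any certificate the backend
    # presents, so the short hostname or IP on this line is never compared
    # to the certificate at all. That is why a name mismatch "works" here,
    # and also why a man-in-the-middle on the DMZ-to-backend leg would too.
    server app1 app1:443 ssl verify none check

backend be_app2_reencrypt
    mode http
    # HARDENED: validate the backend against an internal CA (assumed path),
    # send an explicit SNI in HAProxy's own ClientHello, and pin the name
    # HAProxy demands in the backend certificate with "verifyhost", so the
    # address used to reach the server no longer has to appear in the cert.
    # "crt" on a server line is a *client* certificate that HAProxy presents
    # only if the backend requests one; it plays no part in verifying the
    # backend.
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem sni str(app2.example.com) verifyhost app2.example.com crt /etc/haproxy/certs/haproxy-client.pem check
```

To tell which of the two a running server is actually doing, check the config with `haproxy -c -f /etc/haproxy/haproxy.cfg` and then run `openssl s_client -connect <haproxy-ip>:443 -servername app1.example.com` from outside: in pass-through the certificate chain printed is the backend's, in termination it is the one HAProxy loaded from the `crt` file on the `bind` line.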