Hi, I am new here and to haproxy. I am hoping to get some pointers here to prevent me spending days or weeks on trial and error. I am happy to read documentation, but there seems to be a bit of a shortage on my specific issue. So some help to get me in the right direction would be appreciated.
I am configuring this, my first haproxy, as a reverse proxy (no load balancing at this point) only. I have a test config so far that works to:
- in http mode, terminate ssl and then direct the requests to the appropriate backend servers.
- in tcp mode, direct all traffic to my Remote Desktop Services Gateway server (Windows Server 2016) using ssl passthrough
The reason I am trying ssl passthrough on the RDS gateway is that I can’t find a way to make this gateway server not enforce TLS, and as long as I can’t do that, I believe I can’t terminate the SSL at the HAproxy unless I then re-encrypt it as it is being sent to the backend (I believe this is called “SSL bridging”).
Everything has to come in on port 80 or 443 to the frontend. That is the purpose of this reverse proxy: to not have to give external users different port numbers to use to connect to different websites (we have just one external IP address). But from what I see so far, to do ssl passthrough my frontend has to be in tcp mode, but all my other sites have to be in http mode because they will be doing ssl termination. Now I can’t have both tcp mode and http mode on the same front end, but I think I can split port 443 into 2 front ends by doing something along the lines of https://discourse.haproxy.org/t/two-workloads-on-the-same-port/1879. I haven’t tested that out yet, but it looks quite do-able.
My concern is, even if I do split the front end in 2 as described in the above link, I don’t think I can sort out which traffic has to go to which front end unless I first terminate the ssl in order to inspect the headers so I know which URL they are trying to get to. I would need to send all traffic targeting rds.mydomain.com to the tcp mode front end and all other traffic to the http mode front end. So, my questions are:
- Is it even possible to determine what domain name is being requested without terminating the ssl? If so, how?
- If the above is not possible, is SSL bridging the solution to decrypt, test what domain is requested, and then re-encrypt and direct to the appropriate backend?
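The technique the post is asking about, as an added example that is not part of the original post or a reply to it: the TLS ClientHello carries the requested hostname in cleartext in the SNI extension, so a tcp-mode frontend can read it with `req.ssl_sni` and route on it without decrypting anything. The config below listens on the public :443 in tcp mode, sends rds.mydomain.com to the RDS Gateway as an untouched TLS passthrough, and hands everything else over an internal abstract socket to a second, http-mode frontend that terminates TLS and routes on the Host header. The hostnames, backend addresses, the abstract socket name and the certificate path are assumptions for illustration.

```haproxy
# Added example config (not from the thread). Hostnames, addresses,
# the abns socket name and the cert path are assumptions.
global
    log stdout format raw local0

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Public :443 in tcp mode. Wait for the ClientHello, read the SNI,
#    and pick a backend. No private key is needed here.
frontend fe_tls_sni
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # RDS Gateway: leave the TLS session intact (passthrough)
    use_backend be_rds_passthrough if { req.ssl_sni -i rds.mydomain.com }
    # Everything else (and clients that send no SNI): terminate below
    default_backend be_to_https_frontend

backend be_rds_passthrough
    mode tcp
    server rdsgw 192.0.2.10:443    # assumed RDS Gateway address

# Loop back into the http-mode frontend over an abstract socket.
# PROXY protocol v2 preserves the real client address across the hop.
backend be_to_https_frontend
    mode tcp
    server local_https abns@https_terminate send-proxy-v2

# 2) Internal frontend that terminates TLS and routes on the Host header
frontend fe_https
    bind abns@https_terminate accept-proxy ssl crt /etc/haproxy/certs/   # assumed cert dir
    mode http
    option httplog
    http-request set-header X-Forwarded-Proto https
    use_backend be_web1 if { req.hdr(host) -i www.mydomain.com }
    use_backend be_web2 if { req.hdr(host) -i app.mydomain.com }
    default_backend be_web1

backend be_web1
    mode http
    server web1 192.0.2.20:80     # assumed web server

backend be_web2
    mode http
    server web2 192.0.2.21:80     # assumed web server

# Plain :80 only redirects to https
frontend fe_http
    bind *:80
    mode http
    http-request redirect scheme https code 301
```

Two caveats a practitioner should keep in mind. The SNI value is an unauthenticated, client-chosen string, so it is only suitable as a routing key; the RDS Gateway still presents and validates its own certificate on the passthrough leg, and a client that sends no SNI at all (or uses Encrypted Client Hello) simply falls through to `default_backend`. Because the passthrough leg is never decrypted, HAProxy also cannot add headers, log URLs or apply HTTP-level rules to that traffic; if those are needed for the gateway, SSL bridging (terminate, inspect, then `server ... ssl verify required` to re-encrypt) is the alternative the post mentions.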