Channel: HAProxy community - Latest topics

Using HAproxy to terminate SNI and port forwarding

I have different servers in a couple of western countries as personal VPNs for myself, family and friends. Because of staggering internet censorship in Iran, using a domestic VPS as the relay is almost inevitable to bypass the GFW. So, to deceive DPI, I use a decoy website with some arbitrary activity to minimize the risk of exposing the true nature of the domestic VPS. All in all, it works to a great degree, but the problem is that I can only use it for one external VPS, by addressing it in the “default_backend” of HAProxy. That is, if the SNI doesn’t match the websites on the server, it goes to the default backend, and from there it relays to the foreign server. Now, I want to implement a system in which the subdomain of an FQDN pinpoints the exact server we want to connect to; i.e. US.mydomain.tld connects to the US VPS and GER.mydomain.tld connects to the server in Germany. This is my HAProxy config file, but it doesn’t work.

frontend HTTPS
    bind    myIP:443
    mode    tcp
    option  tcplog
    # "option forwardfor" is HTTP-only; in tcp mode HAProxy only warns and ignores it, so it is dropped here

    # Hold the connection for up to 5s until the TLS ClientHello has arrived, then let it through
    tcp-request     inspect-delay 5s
    tcp-request     content accept if       { req_ssl_hello_type 1 }

    # In tcp mode no TLS session is terminated on this frontend, so ssl_fc_sni is always empty
    # and none of these rules could ever match; req.ssl_sni reads the SNI straight out of the
    # unencrypted ClientHello that the inspect-delay above waited for
    use_backend nginx       if { req.ssl_sni -i myDomain.tld }
    use_backend nginx       if { req.ssl_sni -i www.myDomain.tld }
    use_backend GERrelay    if { req.ssl_sni -i ger.myDomain.tld }
    use_backend USrelay     if { req.ssl_sni -i us.myDomain.tld }

    default_backend nginx

# TLS is terminated here (the relay frontends are in http mode), so ssl_fc_* fetches would work on these
frontend GERterminatedSSL
    mode    http
    bind    myIP:445      ssl     crt     /etc/haproxy/certs/fullchain.pem
    default_backend GERbackend

backend GERbackend
    mode    http
    server  6tunnel 127.0.0.1:4445

frontend USterminatedSSL
    mode    http
    bind    myIP:446      ssl     crt     /etc/haproxy/certs/fullchain.pem
    default_backend USbackend

backend USbackend
    mode    http
    server  6tunnel 127.0.0.1:4446

backend nginx
    mode    tcp
    option  ssl-hello-chk
    # "option forwardfor" removed: HTTP-only, ignored in tcp mode
    # send-proxy-v2 only works if the nginx listener on 127.0.0.1:443 is configured to accept PROXY protocol
    server  nginx   127.0.0.1:443   send-proxy-v2   check

# The relay backends loop back into the terminating frontends above on the same host
backend GERrelay
    mode    tcp
    server  local   127.0.0.1:445

backend USrelay
    mode    tcp
    server  local   127.0.0.1:446

Whatever approach I choose doesn’t work, or better said, I can’t make it work. Can someone show me the correct way to rectify this method?

P.S. I originally posted this on Stack Overflow, but there was no answer up until posting this.

1 post - 1 participant
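The routing in the post depends on one fact about TLS: the server name is sent in cleartext in the ClientHello, before any key is negotiated, so a tcp-mode proxy (or any DPI box on the path) can read it without terminating the session. The example below is added here and is not the poster's code or HAProxy's; it reproduces what `req.ssl_sni` does in a tcp-mode frontend and what `ssl_fc_sni` cannot do there: it lets Python's own TLS stack emit a real ClientHello for a given name, parses the server_name extension out of the raw record, and applies a routing table mirroring the `use_backend` rules (the backend names and domains are taken from the post; non-TLS bytes fall through to the default backend, as they would with `default_backend nginx`).

```python
import ssl
import struct

# Backend map mirroring the use_backend rules in the post (names taken from the
# config; the lookup is case-insensitive like HAProxy's "-i" matcher)
ROUTES = {
    "mydomain.tld": "nginx",
    "www.mydomain.tld": "nginx",
    "ger.mydomain.tld": "GERrelay",
    "us.mydomain.tld": "USrelay",
}
DEFAULT_BACKEND = "nginx"


def build_client_hello(server_name: str) -> bytes:
    """Let the real TLS stack produce a client's first flight: one TLS record
    carrying a ClientHello with a server_name extension (constructed sample input)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the host name from the server_name extension of a raw TLS
    ClientHello record, or None if the bytes are not a ClientHello or carry no SNI."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        return None
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    # Handshake header: message type (0x01 = ClientHello), 24-bit length
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                        # client_version + random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block at all
        (ext_total,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = min(pos + ext_total, len(hs))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                          # extension 0 = server_name
                continue
            (list_len,) = struct.unpack("!H", ext[0:2])
            p, list_end = 2, 2 + list_len
            while p + 3 <= list_end:
                name_type = ext[p]
                (name_len,) = struct.unpack("!H", ext[p + 1:p + 3])
                p += 3
                if name_type == 0:                          # name type 0 = host_name
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
    except (IndexError, struct.error):
        return None                                         # truncated or malformed hello
    return None


def backend_for_sni(sni):
    """Apply the routing table the way the frontend does: case-insensitive match,
    falling through to default_backend when nothing matches or no SNI was present."""
    if sni is None:
        return DEFAULT_BACKEND
    return ROUTES.get(sni.lower(), DEFAULT_BACKEND)


def choose_backend(first_bytes: bytes) -> str:
    """What a tcp-mode frontend decides from the first bytes of a connection."""
    return backend_for_sni(extract_sni(first_bytes))


if __name__ == "__main__":
    for name in ("ger.mydomain.tld", "us.mydomain.tld", "mydomain.tld", "other.example"):
        hello = build_client_hello(name)
        print(f"{name:20s} -> SNI={extract_sni(hello)!r:22s} backend={choose_backend(hello)}")
    print("plain HTTP bytes     ->", choose_backend(b"GET / HTTP/1.1\r\n"))
```

Two points follow from running it. First, the name is visible in the very first packet, which is why `tcp-request inspect-delay` is needed (HAProxy must buffer until that record is complete) and also why the decoy site in the post only hides what happens after the handshake, not which name was asked for. Second, if the bytes are not a ClientHello at all, `extract_sni` returns nothing and the connection lands on the default backend, the same behaviour the `default_backend nginx` line gives.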
