Hi,
Apache (2.4.65) recently changed its behaviour to prevent accessing a virtualhost that doesn’t align with the Host header when not presenting SNI in the request.
It broke some HAProxy setups (at least) when using server <name>:<port> ssl verify none.
It’s easily fixable by adding sni req.hdr(host) to the server definition.
But it pushed me to read the documentation and not everything is clear to me.
My main question is: does HAProxy add SNI to the backend server by itself (without an explicit sni option) in any situation?
My limited experience with SSL between HAProxy and the server (since I mostly use HAProxy on a trusted LAN without SSL) led me to believe that it should do this automatically, but after a few tests it seems that it doesn’t.
Afterwards I figured that it doesn’t add x-forwarded-for either (even if I would have thought that it should do) so the rationale might be the same. If anyone knows, I’m all ears.
Thanks for any help on this.