
Mixing TLS termination and SNI passthrough in one haproxy configuration


@ask wrote:

Hi,

I am trying to have one listener both do “TLS passthrough” with SNI (when requesting https://other.example.org/) and terminate TLS for everything else.

The TLS passthrough for other.example.org is working.

Also, when I connect with curl to the unix socket on /var/run/haproxy.sock I get the expected certificate from /etc/haproxy/certs/acme.

However, when I connect to port 443 with another SNI servername I get a TLS handshake error (openssl s_client says 140735681221512:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:).

Ask

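# Process-wide settings: logging, privilege drop, runtime socket and the
# TLS defaults inherited by every "bind ... ssl" line below.
global
    # Syslog via the unix socket at facility local0. "debug" is the most
    # verbose level; it is fine for troubleshooting but noisy in production.
    log /var/run/log local0 debug
    # Drop root after binding the listeners (65534 is usually nobody/nogroup).
    uid 65534
    gid 65534
    # Runtime API socket: owner-only permissions and full admin level, so
    # anyone who can open it can change server state.
    stats socket /var/run/haproxy.stat mode 600 level admin
    maxconn 400
    ulimit-n 81000
    daemon

    # Applied to the ssl bind in https-front: SSLv3 off, session tickets off.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Broad-compatibility cipher list. Note it still admits 3DES (DES-CBC3-SHA)
    # and the AES:CAMELLIA catch-alls for very old clients; trim those entries
    # once such clients no longer need to connect.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Ephemeral DH size for the DHE-* suites in the list above. Raised from
    # 1024 to 2048: 1024-bit DH is below current minimum recommendations and
    # HAProxy's own startup warning asks for at least 2048 when this is unset.
    tune.ssl.default-dh-param 2048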


# Inherited by every frontend/backend that does not override a setting.
defaults
    log global
    # tcplog is the baseline; the HTTP frontends switch to httplog themselves.
    option tcplog
    option http-server-close
    #option httpclose
    # If a server is down, retry the request on another server in the backend.
    option redispatch
    retries                 3
    # Bounds how long a client may take to send a complete request header,
    # which limits the effect of slow-header (slowloris-style) connections.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 20s
    timeout check           10s
    # Per-proxy connection limit; the global maxconn 400 above still caps
    # the whole process, so this value cannot actually be reached.
    maxconn                 5000

# Stats/monitoring listener. It binds on every interface and has no "ssl"
# on the bind line, so the stats credentials below travel in clear text;
# restrict it with a firewall or a src ACL if port 5000 is reachable
# from untrusted networks.
frontend admin
    bind  *:5000
    mode                http
    option              httplog
    default_backend     stats_auth
    # Unauthenticated health URL: returns 200 without touching any backend.
    monitor-uri         /ping

# Serves the built-in statistics page behind basic auth.
backend stats_auth
    mode http
    stats enable
    # Static credentials in the config file; rotate the placeholder and keep
    # the file readable only by the haproxy user.
    stats auth  admin:verysecret
    # Unconditional admin mode: anyone holding the password above can
    # enable/disable servers from the page. Guard with a src ACL if the
    # page is reachable beyond the management network.
    stats admin if TRUE
    stats uri     /admin?stats
    stats refresh 30s

# Public listener on 443. TLS is NOT terminated here: the frontend only
# inspects the ClientHello and routes on the SNI it carries.
frontend tls
  bind *:443
  mode tcp
  # Hold the connection up to 5s for enough bytes to parse the ClientHello;
  # the accept rule fires as soon as a ClientHello (hello type 1) is seen.
  # There is no explicit reject, so a client that never sends one is only
  # delayed, not dropped -- NOTE(review): add a reject rule if that is wanted.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  # Passthrough: this SNI is forwarded untouched to the origin's own TLS port,
  # so the certificate the client sees comes from 10.0.0.51, not from here.
  use_backend other-tls if { req_ssl_sni -i other.example.org }
  # Any other SNI (or none) goes to the local TLS-terminating frontend.
  default_backend https-back

# Loops the raw TLS stream back into frontend https-front over a unix socket.
backend https-back
    mode tcp
    # send-proxy-v2 prepends a PROXY protocol v2 header so the original client
    # address survives the hop (https-front binds with accept-proxy).
    server https-front unix@/var/run/haproxy.sock send-proxy-v2

# Internal TLS-terminating frontend, reached only via backend https-back.
frontend https-front
    # Certificates are loaded from the acme/ directory. accept-proxy requires
    # every connection to start with a PROXY header, which is what https-back
    # sends; NOTE(review): a client talking to this socket directly, without
    # that header, is expected to be refused -- check how the curl test ran.
    bind   unix@/var/run/haproxy.sock ssl crt /etc/haproxy/certs/acme/ accept-proxy
    mode   http
    #option httplog
    # Adds X-Forwarded-For with the client address taken from the PROXY header.
    option forwardfor
    # Drop any client-supplied X-Forwarded-Proto before asserting https, so a
    # backend cannot be fooled by a spoofed value. ssl_fc is always true on
    # this ssl bind, so the reqadd condition is always met.
    # reqdel/reqadd are the legacy header directives; newer HAProxy releases
    # replace them with "http-request del-header" / "http-request add-header".
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    default_backend local

# Plain-HTTP listener: serves ACME HTTP-01 challenges and redirects
# everything else to HTTPS.
frontend http
    bind *:80
    mode   http
    option httplog
    option forwardfor

    # Strip any client-supplied X-Forwarded-Proto so backends cannot be told
    # a plain request was HTTPS. The reqadd is dead on this bind: ssl_fc is
    # never true without "ssl" on the bind line, so no header is added.
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    # ACME challenges must stay on port 80; every other request is redirected
    # to https (served by frontend tls / https-front above).
    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    redirect scheme https if !{ ssl_fc } !letsencrypt-request

    # NOTE(review): the redirect above appears to be applied before backend
    # selection, so this rule only ever sees ACME challenges for
    # other.example.org and sends them to 10.0.0.51:80 instead of acmetool
    # -- confirm that is intended.
    use_backend other if { hdr(host) -i other.example.org }

    use_backend acmetool if letsencrypt-request
    default_backend local


# Default application backend for both the plain and the terminated-TLS path.
backend local
    mode   http
    # Single local server; no health check is configured on it.
    server local 127.0.0.1:8000

# Plain-HTTP path to the other.example.org host (used by frontend http).
backend other
    mode   http
    server other 10.0.0.51:80

# SNI passthrough target: the TLS session is carried end-to-end to the
# origin, which presents its own certificate.
backend other-tls
    mode tcp
    server other 10.0.0.51:443

# Local ACME responder that answers /.well-known/acme-challenge/ requests.
backend acmetool
    mode   http
    server acmetool 127.0.0.1:402
