@jdyke wrote:
I use haproxy (1.8.4) to terminate SSL and then send clients to backend servers based on ALPN negotiation. I’ve recently added solr to the mix, and would rather have it sit behind SSL, but I’m pretty sure I cannot use hdr_beg in https, b/c I’m effectively in tcp mode. I can easily configure it like lets-encrypt in http mode. Mostly I’m just curious if there is a way to make this work. Thanks!
Relevant portions of the config:

    frontend http
        mode http
        bind 0.0.0.0:80
        #if this is a LE Request send it to a server on this host for renewals
        acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
        redirect scheme https code 301 unless letsencrypt-request
        use_backend letsencrypt-backend if letsencrypt-request

    frontend https
        #mode tcp
        bind 0.0.0.0:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 ecdhe secp384r1
        timeout http-request 10s
        log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts \ %ac/%fc/%bc/%sc/%rc %sq/%bq SSL_version:%sslv SSL_cypher:%sslc SNI:%[ssl_fc_has_sni]"
        acl solr-request hdr_beg(host) -i solr.
        use_backend solr-backend if solr-request
        #send all HTTP/2 traffic to a specific backend
        use_backend http2-nodes if { ssl_fc_alpn -i h2 } !solr-request
        #send HTTP/1.1 and HTTP/1.0 to default, which don't speak HTTP/2
        default_backend http1-nodes

    backend solr-backend
        mode http
        server solr01 10.X.X.16:8983
        acl network_allowed src NN.NN.NN.NN
        http-request deny if !network_allowed
Ultimately this always gets sent to the H2 block.