Hello,
On Fri, 17 May 2019 at 21:10, Aleksandar Lazic <[email protected]> wrote:
> > Ok, that's correct, except for the use of ssl_fc_has_sni, which I'd
> > advise to not use.
> > Instead, when you terminate SSL, just use the Host header for any HTTP
> > routing decisions. ssl_fc_sni is almost always misused, you can see
> > that in the current ML thread "Host header and sni extension differ"
> > (which also has links to older discussions).
> >
> > When you can, please *DO* use the host header.
> >
> > Make sure your certificates don't overlap, at least between those that
> > passthrough via TCP and those that you terminate at haproxy.
>
> Thanks for the feedback.
> What's a good replacement for ssl_fc_has_sni ?

Sorry, I just meant ssl_fc_sni not ssl_fc_has_sni.

> use_backend %[ssl_fc_sni,lower,map(tcp-domain2backend-map.txt)]
>
> or should I use this one?
>
> use_backend %[req.ssl_sni,lower,map(tcp-domain2backend-map.txt)]
>
> in public_ssl.

Here you need to use req.ssl_sni as you don't terminate SSL in that frontend, and need to look at SNI to be able to route it appropriately. That's the use-case for SNI and is fine (unless you have overlapping certificates).

> I have replaced this line
>
> use_backend %[ssl_fc_sni,lower,map(http-domain2backend-map.txt)]
>
> with
>
> use_backend %[req.hdr(host),lower,map(http-domain2backend-map.txt)]
>
> in https-in.

Good, this way you won't hit unexpected behavior as mentioned in the other threads.

> I have created in the meantime a blog post with a picture.
>
> https://www.me2digital.com/blog/2019/05/haproxy-sni-routing/
>
> The config there is not adapted to your feedback, which I will update asap.
> Please give me some feedback if the text and the picture are understandable as
> I'm not a native speaker ;-)

I don't see anything wrong with it.

Lukas
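The two routing rules discussed in this reply, laid out as a complete configuration; this is an added example, not the configuration from the thread or from the linked blog post. The frontend names and map file names come from the thread; backend names, addresses, ports, the certificate directory and the map entries are assumptions.

```haproxy
# TCP frontend: SSL is NOT terminated here, so the ClientHello SNI
# (req.ssl_sni) is the only routing key available. The inspect-delay and
# the ssl_hello_type check make HAProxy wait until the ClientHello has
# actually been seen; without them req.ssl_sni can evaluate empty.
frontend public_ssl
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # tcp-domain2backend-map.txt (constructed entries):
    #   passthrough.example.com   passthrough-app
    #   www.example.com           terminate-local
    use_backend %[req.ssl_sni,lower,map(tcp-domain2backend-map.txt)]
    # Unknown or missing SNI falls through to the terminating frontend.
    default_backend terminate-local

# Domain whose certificate lives on the origin; HAProxy never sees plaintext.
# Its certificate must not also be present in the terminating frontend.
backend passthrough-app
    mode tcp
    server app1 192.0.2.10:443 check

# Hand the remaining domains to the local terminating frontend.
backend terminate-local
    mode tcp
    server https-in 127.0.0.1:8443 send-proxy-v2

# HTTPS frontend: SSL terminates here, so route on the Host header rather
# than on ssl_fc_sni, which can differ from Host (see the ML thread cited).
frontend https-in
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/ accept-proxy
    mode http
    # http-domain2backend-map.txt (constructed entries):
    #   www.example.com           web-app
    #   api.example.com           api-app
    use_backend %[req.hdr(host),lower,map(http-domain2backend-map.txt)]
    default_backend web-app

backend web-app
    mode http
    server web1 192.0.2.20:80 check

backend api-app
    mode http
    server api1 192.0.2.21:8080 check
```

Run `haproxy -c -f haproxy.cfg` after editing to validate the file; a mismatch between the map entries and the backend names is reported at that stage rather than at request time.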

