Hi.

Fri May 17 21:31:41 GMT+02:00 2019 Lukas Tribus:
> Hello,
>
>
> On Fri, 17 May 2019 at 21:10, Aleksandar Lazic wrote:
> > > Ok, that's correct, except for the use of ssl_fc_has_sni, which I'd
> > > advise to not use.
> > > Instead, when you terminate SSL, just use the Host header for any HTTP
> > > routing decisions. ssl_fc_sni is almost always misused, you can see
> > > that the current ML thread "Host header and sni extension differ"
> > > (which also has links to older discussions).
> > >
> > > When you can, please *DO* use the host header.
> > >
> > > Make sure your certificates don't overlap, at least between those that
> > > passthrough via TCP and those that you terminate at haproxy.
> >
> > Thanks for the feedback.
> > What's a good replacement for ssl_fc_has_sni ?
>
> Sorry, I just meant ssl_fc_sni not ssl_fc_has_sni.

Ah, okay.

> > use_backend %[ssl_fc_sni,lower,map(tcp-domain2backend-map.txt)]
> >
> > or should I use this one?
> >
> > use_backend %[req.ssl_sni,lower,map(tcp-domain2backend-map.txt)]
> >
> > in public_ssl.
>
> Here you need to use req.ssl_sni as you don't terminate SSL in that
> frontend, and need to look at SNI to be able to route it
> appropriately. That's the use-case for SNI and is fine (unless you
> have overlapping certificates).

What's the problem with this?
What should be used when I want to use SAN (Subject Alternative Name) for routing?

> > I have replaced this line
> >
> > use_backend %[ssl_fc_sni,lower,map(http-domain2backend-map.txt)]
> >
> > with
> >
> > use_backend %[req.hdr(host),lower,map(http-domain2backend-map.txt)]
> >
> > in https-in.
>
> Good, this way you won't hit unexpected behavior as mentioned in the
> other threads.

Ack.

> > I have created in the meantime a blog post with a picture.
> >
> > https://www.me2digital.com/blog/2019/05/haproxy-sni-routing/
> >
> > The config there is not adapted to your feedback, which I will update asap.
> > Please give me some feedback if the text and the picture are understandable as
> > I'm not a native speaker ;-)
>
> I don't see anything wrong with it.

Thanks for checking.

> Lukas

Aleks
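
The two-frontend layout discussed in this thread, as an added example that is not part of the original mail or the linked blog post: public_ssl routes on req.ssl_sni without terminating TLS, https-in terminates TLS and routes on the Host header. The backend name, the abns socket name, the certificate path and the optional SNI/Host guard are assumptions; the backends named in the two map files are assumed to be defined elsewhere.

```haproxy
# Added example. be_to_https_in, abns@https-in-sock and the crt path are
# assumed names; timeouts and the mapped backends live elsewhere in the config.

frontend public_ssl
    mode tcp
    bind :443
    # TLS is not terminated here: wait for the ClientHello so that
    # req.ssl_sni can be read from the still-encrypted connection.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough decision: SNI is the only name visible at this point.
    use_backend %[req.ssl_sni,lower,map(tcp-domain2backend-map.txt)]
    # Names not listed in the TCP map are handed to the terminating frontend.
    default_backend be_to_https_in

backend be_to_https_in
    mode tcp
    server local_https abns@https-in-sock send-proxy-v2

frontend https-in
    mode http
    bind abns@https-in-sock accept-proxy ssl crt /etc/haproxy/certs/

    # Avoided here: SNI describes the TLS handshake, not each HTTP request
    # sent over that connection.
    # use_backend %[ssl_fc_sni,lower,map(http-domain2backend-map.txt)]

    # Host header without an optional ":port", lower-cased.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # Optional guard (assumption, not suggested in the thread): reject requests
    # whose Host differs from the handshake SNI. Clients that reuse one
    # connection for several names covered by the same certificate will be
    # rejected too, so enable it only where that is acceptable.
    acl sni_matches_host ssl_fc_sni,lower,strcmp(txn.host) eq 0
    http-request deny if { ssl_fc_has_sni } !sni_matches_host

    # Routing decision for terminated traffic: Host header only.
    use_backend %[var(txn.host),map(http-domain2backend-map.txt)]
```

A hostname must appear in only one of the two maps, and the certificates loaded in https-in should not cover names that are passed through in public_ssl, as the thread points out.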

