Hello folks,
From a single tcp port I need to implement the following rules:
- For a number of hostnames, pass them through to the backend, which starts the
TLS handshake and does the SSL offload. This should handle any protocol under
TLS, not only HTTP
- For another number of hostnames, locally do the SSL offload, inspect HTTP
headers, etc.
- Any other hostname should FIN the connection
This is a simplified snippet of my attempt so far:
listen tcp
    log global
    mode tcp
    option tcplog
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content set-var(req.back) req.ssl_sni,lower,map_str(sslpass.map)
    tcp-request content accept if { req.ssl_hello_type 1 } { var(req.back) -m found }
    tcp-request content reject if { req.ssl_hello_type 1 } !{ req.ssl_sni -i -m str -f http.list }
    use_backend %[var(req.back)]   ## <<== tcp backends, their servers do the TLS handshake and SSL offload
    server s1 unix@/tmp/tls.sock send-proxy-v2   ## <<== local ssl offload
This configuration works, but I started to wonder if I know what I am doing
when taking another look at the tcp-request content doc (section 3.3):
During this stage, ACL-based rules are evaluated every time
the request contents are updated, until either an "accept", a
"reject" or a "switch-mode" rule matches, or the TCP request
inspection delay expires with no matching rule.
and
If no rule matches or if there is no rule, the default action
is to accept the contents.
I can confirm that if I don't have any accept/reject action, req.ssl_sni
renders as empty and var(req.back) is not populated, finishing the request
without waiting for the 5s timeout.
On the other hand, when both are there as in my snippet, I end up with neither
of them matching in the following conditions:
- In the very beginning, before even having SNI in the payload;
- When SNI is in the payload and it matches http.list
What makes it continue evaluating in the first case, and finish the evaluation
before the inspect-delay timeout in the second one? Last but not least: does my
config make sense, or is it working by chance? =)
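Added example (not from the post above and not HAProxy code): a standalone parser that does what the raw-payload fetches used in the snippet do, so the three states the rules can land in are visible on concrete bytes. HAProxy's req.ssl_hello_type and req.ssl_sni look at the buffered bytes of the ClientHello and report "not enough data yet" while the record is still incomplete; here that outcome is the Fetch.NEED_MORE state, a complete non-ClientHello is Fetch.NO_MATCH, and a complete ClientHello is Fetch.FOUND (with the SNI, or None when the extension is absent). The hostname tables PASSTHROUGH and LOCAL_OFFLOAD are assumed stand-ins for sslpass.map and http.list, the ClientHello bytes are constructed by build_client_hello() for testing, and decide() is one reading of the snippet's rule order; it rejects anything that is not a ClientHello with SNI, which is stricter than the rules in the post.

```python
"""Minimal TLS ClientHello SNI extraction with an explicit "need more data"
state, mirroring what HAProxy's req.ssl_hello_type / req.ssl_sni fetches do
on a partially received hello.  Added example; not HAProxy's own code."""
import struct
from enum import Enum
from typing import Optional, Tuple


class Fetch(Enum):
    NEED_MORE = "need_more_data"   # record/handshake still arriving: keep waiting
    NO_MATCH = "not_a_client_hello"  # definitive: rules can be finalised now
    FOUND = "client_hello_complete"  # SNI may still be None if extension absent


# Assumed stand-ins for the post's sslpass.map and http.list (constructed).
PASSTHROUGH = {"app.example.test": "bk_app_passthrough"}
LOCAL_OFFLOAD = {"www.example.test"}


def extract_sni(buf: bytes) -> Tuple[Fetch, Optional[str]]:
    """Parse the bytes received so far. Returns (state, sni)."""
    if len(buf) < 5:                                  # TLS record header
        return Fetch.NEED_MORE, None
    ctype, ver_major = buf[0], buf[1]
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if ctype != 0x16 or ver_major != 3:               # 0x16 = handshake record
        return Fetch.NO_MATCH, None
    if len(buf) < 5 + rec_len:                        # record not yet complete
        return Fetch.NEED_MORE, None
    hs = buf[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:                     # handshake type 1 = ClientHello
        return Fetch.NO_MATCH, None
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hs_len:                          # message split across records
        return Fetch.NEED_MORE, None
    body = hs[4:4 + hs_len]
    try:
        p = 2 + 32                                    # client_version + random
        sid_len = body[p]; p += 1 + sid_len           # session id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2 + cs_len  # cipher suites
        cm_len = body[p]; p += 1 + cm_len             # compression methods
        if p >= len(body):
            return Fetch.FOUND, None                  # no extensions block at all
        ext_total = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        end = p + ext_total
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
            if etype == 0:                            # server_name extension
                # server_name_list length (2), name_type (1), host_name length (2)
                nlen = struct.unpack("!H", body[p + 3:p + 5])[0]
                return Fetch.FOUND, body[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error):                # malformed lengths
        return Fetch.NO_MATCH, None
    return Fetch.FOUND, None                          # extensions present, no SNI


def decide(buf: bytes) -> str:
    """One reading of the post's rule order on the bytes seen so far:
    'wait' while the hello is incomplete, the mapped tcp backend for a
    pass-through host, 'reject' for a host outside http.list, and
    'local_offload' (the server s1 path) otherwise."""
    state, sni = extract_sni(buf)
    if state is Fetch.NEED_MORE:
        return "wait"
    if state is Fetch.FOUND and sni is not None:
        host = sni.lower()                            # same as the ,lower converter
        if host in PASSTHROUGH:
            return PASSTHROUGH[host]
        if host not in LOCAL_OFFLOAD:
            return "reject"
        return "local_offload"
    return "reject"   # stricter than the post: non-ClientHello / no SNI is dropped


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record for testing (not a real client)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn = b"\x00" + struct.pack("!H", len(name)) + name     # host_name entry
        sn_list = struct.pack("!H", len(sn)) + sn
        exts = struct.pack("!HH", 0, len(sn_list)) + sn_list   # extension type 0
    body = (b"\x03\x03" + bytes(32)                            # version + random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
            + b"\x01\x00")                                     # null compression
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("www.example.test")
    for chunk in (hello[:3], hello[:20], hello):     # bytes as they trickle in
        print(len(chunk), extract_sni(chunk), decide(chunk))
```

Feeding the same hello in growing chunks shows the distinction the post is asking about: while the record is incomplete the result is NEED_MORE, so a rule using it cannot be decided either way and evaluation has to continue on the next chunk; once the hello is complete every condition has a definite answer, so no further data changes anything.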