@bretton
Last active December 6, 2023 20:39
HAProxy SNI configuration with SSL passthrough

This comes from this forum post, adapted with info from this gist.

A sample HAProxy configuration that routes TLS connections by SNI without terminating them. HAProxy only reads the server name from the plaintext ClientHello and passes the encrypted stream through, so no certificates or private keys have to live on the HAProxy host itself. This is useful with many backend servers and/or many fast-expiring certificates (Let's Encrypt).

global
  maxconn 5000
  ulimit-n 16384
  log 127.0.0.1 local0
  uid 99
  gid 99
  nbproc 1          # deprecated in 2.3 and removed in HAProxy 2.5; drop this line on newer versions
  daemon

defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s
  log global
  option tcplog

frontend frontend_ssl
  bind 1.2.3.4:443
  mode tcp          # TCP passthrough: TLS is not terminated here, so no certificates are needed on HAProxy

  # Buffer the start of the connection for up to 5s and accept it once a TLS ClientHello has arrived.
  # Connections that never send a ClientHello within that delay are closed.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  # Route on the SNI read from the ClientHello. req.ssl_sni is the fetch for non-terminated TCP
  # traffic; ssl_fc_sni only works when HAProxy itself terminates TLS. The directive is use_backend.
  # A hello whose SNI matches no rule is closed, since there is no default_backend.
  use_backend backend_one if { req.ssl_sni -i app1.test.com }
  use_backend backend_two if { req.ssl_sni -i app2.test.com }

backend backend_one
  mode tcp
  server server1 10.0.0.1:443 check maxconn 20

backend backend_two
  mode tcp
  server server1 10.0.0.2:443 check maxconn 20

This is a very simple configuration.
