Hi, I'm trying to implement TCP passthrough based on SNI. It works for SSL but it's not working for port 80.
The configuration is below:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    timeout client 30s
    timeout server 30s
    timeout connect 5s

frontend https
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl mytonicssl req_ssl_sni -i staging.mytonic.com
    use_backend mytonic-ssl if mytonicssl

backend mytonic-ssl
    mode tcp
    balance roundrobin
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    server server1 10.10.17.222:8443 check

frontend http
    bind *:80
    mode tcp
    acl mytonic_http hdr_dom(host) -i staging.mytonic.com
    use_backend mytonic_nonssl if mytonic_http

backend mytonic_nonssl
    mode tcp
    balance roundrobin
    server server1 10.10.17.222:8080 check
If I add a default backend then it works, but this is not a virtual host solution. My HAProxy version is: HA-Proxy version 1.5.18 2016/05/10. Any help is appreciated.
SNI is a TLS extension which contains the target hostname. Since it is a TLS extension, it can only be used with SSL/TLS traffic. The matching mechanism for plain HTTP (i.e. no SSL/TLS) is the HTTP Host header, but to balance based on this header you need to use mode http (the default) and not mode tcp. See also: How to divert traffic based on hostname using HAProxy?
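To make the answer concrete, here is the port-80 frontend and backend from the question rewritten in mode http, so that backend selection is driven by the HTTP Host header instead of an SNI-style TCP inspection. This is an added example, not part of the original question or answer; it reuses the host name and server address from the question, and the `option forwardfor` line and the deny rule for non-matching hosts are additions beyond what the answer states.

```haproxy
# Added example (not from the original post): plain-HTTP virtual hosting.
# The Host header only exists inside the HTTP request, so HAProxy must be
# in mode http to parse it; in mode tcp an hdr_dom(host) ACL never matches.
frontend http
    bind *:80
    mode http
    # Pass the client IP to the backend in X-Forwarded-For (addition).
    option forwardfor
    # Match the Host header case-insensitively; hdr_dom(host) works here too.
    acl mytonic_http hdr(host) -i staging.mytonic.com
    use_backend mytonic_nonssl if mytonic_http
    # Without a default_backend, requests for unknown hosts would get a 503;
    # an explicit deny returns 403 instead of falling through (addition).
    http-request deny if !mytonic_http

backend mytonic_nonssl
    mode http
    balance roundrobin
    server server1 10.10.17.222:8080 check
```

The https frontend and mytonic-ssl backend from the question stay in mode tcp, since TLS passthrough by SNI cannot be done in mode http without terminating TLS on the proxy.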