
Author Topic: HAProxy and using SNI on backends  (Read 584 times)


Offline Ronald.Carter

HAProxy and using SNI on backends
« on: September 06, 2016, 10:12:34 pm »
I am trying to set up pfSense and HAProxy as a reverse proxy.
I have this working with both http and https sites, but only with http backends.
All of my backends require SNI to access over SSL, so I can't use https://10.140.240.84; I need the backend to be thingo.mydomain.com.au, as 10.140.240.81 hosts 6 different IIS websites.
I can't figure out how to do that yet.

I have set up an internal DNS zone so my local clients all use external addresses internally.

The other one is how to do that for internally load-balanced AD Federation Servers.

I have Server 1 10.140.240.113 and Server 2 10.140.240.114 using 10.140.240.115 as the load-balanced address via fs.mydomain.com.au
with the check address of https://fs.mydomain.com.au/adfs/ls/IdpInitiatedSignon.aspx

Offline PiBa

Re: HAProxy and using SNI on backends
« Reply #1 on: September 07, 2016, 01:42:34 pm »
For health checks.. you're out of luck.. They can't (yet) use SNI.. so you need to allow requests without it, or check health on the http port..
As for the actual user requests, you could try setting the server with an advanced sni option. http://cbonte.github.io/haproxy-dconv/1.7/snapshot/configuration.html#5.2-sni

Offline Spix

Re: HAProxy and using SNI on backends
« Reply #2 on: November 15, 2017, 06:36:15 am »
Hello,

Does anybody know if pfSense with HAProxy can do health checks to WAP servers? It needs to be SNI compatible.

Offline PiBa

Re: HAProxy and using SNI on backends
« Reply #3 on: November 15, 2017, 01:37:56 pm »
HAProxy 1.8rc3 should be able to use "check-sni". http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it ain't released yet. Maybe I can change the haproxy-devel to use it..

Offline Spix

Re: HAProxy and using SNI on backends
« Reply #4 on: November 17, 2017, 07:32:37 am »
> HAProxy 1.8rc3 should be able to use "check-sni". http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it ain't released yet. Maybe I can change the haproxy-devel to use it..

Would be great, or even amazing. Then it would be possible to health check Microsoft WAP servers without destroying its binding to 0.0.0.0:443

Offline Spix

Re: HAProxy and using SNI on backends
« Reply #5 on: December 07, 2017, 01:36:11 pm »
> HAProxy 1.8rc3 should be able to use "check-sni". http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni but it ain't released yet. Maybe I can change the haproxy-devel to use it..

Hello, when are you guys planning to make this available?  :)

Offline PiBa

Re: HAProxy and using SNI on backends
« Reply #6 on: December 07, 2017, 01:55:14 pm »
HAProxy 1.8.0 release is available in the haproxy-devel package.. but there is an issue in that version with mail-alerts.. and a few other quirks that are still being fixed in haproxy itself..
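
The `sni` and `check-sni` server options mentioned in this thread, written out as a raw haproxy.cfg fragment for HAProxy 1.8 or later. This is an added example, not configuration from any of the posters or from the pfSense package. Hostnames, IPs and the check URL come from the first post (server 1 read as 10.140.240.113); the backend and server names, the CA file path, the timing values and the expected 200 status are assumptions.

```haproxy
# Constructed example for HAProxy 1.8+. Names bk_thingo_iis, bk_adfs, iis1,
# adfs1, adfs2 and /path/to/internal-ca.pem are hypothetical placeholders.

backend bk_thingo_iis
    mode http
    # sni        : name sent in the TLS SNI extension, so IIS picks the right
    #              site binding even though HAProxy connects by IP.
    # verify required + ca-file + verifyhost : reject a backend certificate
    #              that does not chain to the CA or does not match the name.
    #              "verify none" would accept any certificate on that IP.
    # check-sni  : (1.8+) sends the same name on the health-check handshake.
    server iis1 10.140.240.81:443 ssl sni str(thingo.mydomain.com.au) verify required ca-file /path/to/internal-ca.pem verifyhost thingo.mydomain.com.au check check-sni thingo.mydomain.com.au

backend bk_adfs
    mode http
    balance roundrobin
    # HTTPS health check against the ADFS sign-on page, with the Host header
    # set to the federation service name (1.8-style httpchk syntax).
    option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost:\ fs.mydomain.com.au
    # Assumption: a healthy ADFS node answers this page with 200.
    http-check expect status 200
    # HAProxy balances the two nodes itself, so it targets them directly
    # rather than the existing load-balanced address 10.140.240.115.
    server adfs1 10.140.240.113:443 ssl sni str(fs.mydomain.com.au) verify required ca-file /path/to/internal-ca.pem verifyhost fs.mydomain.com.au check check-sni fs.mydomain.com.au inter 5s fall 3 rise 2
    server adfs2 10.140.240.114:443 ssl sni str(fs.mydomain.com.au) verify required ca-file /path/to/internal-ca.pem verifyhost fs.mydomain.com.au check check-sni fs.mydomain.com.au inter 5s fall 3 rise 2
```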