Скачать или смотреть How to Pass Custom SNI with HAProxy in TCP Mode

A detailed guide on configuring HAProxy to pass custom SNI settings for SSL/TLS connections, overcoming common pitfalls in TCP mode.
---
This video is based on the question https://stackoverflow.com/q/68212958/ asked by the user 'borubar' ( https://stackoverflow.com/u/16359305/ ) and on the answer https://stackoverflow.com/a/68214278/ provided by the user 'Steffen Ullrich' ( https://stackoverflow.com/u/3081018/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: How to pass the custom SNI with haproxy in TCP mode

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Understanding the Problem: Passing Custom SNI with HAProxy

When you're dealing with secure connections over SSL/TLS, the Server Name Indication (SNI) plays a crucial role. It helps servers determine which hostname the client is attempting to connect to during the initial handshake. But what do you do when you can't access your public SSL endpoint directly and need to pass it through HAProxy? This guide provides a comprehensive solution for setting up your HAProxy configuration to include custom SNI when interfacing with a TCP mode connection.

The Setup Challenge

In our example, you have an SSL endpoint at something.example.com that requires the SNI extension for successful connectivity. You’ve tried the following command to test the connection directly:

[[See Video to Reveal this Text or Code Snippet]]

While this command succeeds, when you attempt to connect through HAProxy using the configurations, you run into issues. Here’s what you’ve noticed:

Working Command: openssl s_client -connect something.example.com:443 -servername something.example.com — This includes the SNI parameter and works fine.

Unsuccessful Curl Command: curl -v https://127.0.0.1/ — This results in an error related to SSL connection issues.

Understanding the HAProxy Configuration

Let’s dissect the HAProxy configuration you provided and understand why it might not be functioning as expected.

[[See Video to Reveal this Text or Code Snippet]]

In this configuration:

The frontend is set to operate in TCP mode, which is designed to forward traffic without terminating SSL. However, this mode has limitations regarding handling SNI.

The Key Issue: TCP Mode Restrictions

As you already suspect, HAProxy in TCP mode cannot manipulate the SNI during the SSL handshake. The SNI is part of the initial handshake process that is transmitted as part of the ClientHello message, which is encrypted. As per the underlying protocols, it is crucial to terminate the SSL connection to modify these parameters.

Proposed Solution: Switch to HTTP Mode

To overcome the limitations encountered in TCP mode, the recommended approach is to configure HAProxy to terminate SSL and switch to HTTP mode. Here is how you can update your configuration:

Updated HAProxy Configuration:

[[See Video to Reveal this Text or Code Snippet]]

Breakdown of the Changes:

SSL Termination: bind *:443 ssl crt /etc/pki/tls/private/mycert.pem indicates that HAProxy will handle the SSL/TLS termination, allowing it to decrypt incoming connections and inspect the SNI.

Switching to HTTP Mode: The change to mode http enables HAProxy to manipulate the request further and forward it after it's decrypted, which is necessary for setting SNI in the backend.

Using SNI in Backend: The line sni str(something.example.com) explicitly sets the SNI as required by your upstream server.

Conclusion

By modifying your HAProxy configuration to handle SSL termination and switching from TCP to HTTP mode, you can successfully pass custom SNI settings to your backend server. This will not only resolve connection errors but also ensure your SSL connections are functioning as intended.

Key Takeaway

Remember that it is impossible to replace any part of the TLS handshake, including SNI, in TCP mode. Always use HTTP mode for advanced configurations involving SSL when SNI is a requirement.