Setup HAProxy – SSL Passthrough

SSL Passthrough can be understood simply as the proxy forwarding the request on to the target as-is, without performing any encryption or decryption at all.

The job of the load balancer then is simply to proxy a request off to its configured backend servers. Because the connection remains encrypted, HAProxy can’t do anything with it other than redirect a request to another server.

Take a look at the short config below.

frontend https_in
        # Layer-4 proxy: the TLS stream is never terminated here
        mode tcp
        option tcplog
        bind *:443

        # Hold the connection (up to 5s) until a complete ClientHello
        # (hello type 1) is in the buffer, so the SNI can be read
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if tls

        # Route on the SNI in the raw ClientHello; -i makes the match case-insensitive
        acl develop_coffeeschool req.ssl_sni -i develop.coffeeschool.vn
        use_backend develop_coffeeschool_https if develop_coffeeschool

backend develop_coffeeschool_https
        mode tcp
        # Placeholder address: replace with the origin that holds the certificate
        server develop_1 <backend-ip>:443 check

https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/

mode
The mode setting defines whether HAProxy operates as a simple TCP proxy or if it’s able to inspect incoming traffic’s higher-level HTTP messages. The alternative to specifying mode http is to use mode tcp, which operates at the faster, but less-aware, level. If most of your frontend and backend sections would use the same mode, it makes sense to specify it in the defaults section to avoid repetition.

option
The option httplog setting, or more rarely option tcplog, tells HAProxy to use a more verbose log format when sending messages to Syslog. You will generally prefer option httplog over option tcplog in your defaults section because when HAProxy encounters a frontend that uses mode tcp, it will emit a warning and downgrade it to option tcplog anyway.

If neither is specified, then the connect log format is used, which has very few details other than the client and backend IP addresses and ports. Another option is to define a custom log format with the log-format setting, in which case option httplog and option tcplog aren’t necessary.

bind
A bind setting assigns a listener to a given IP address and port. The IP can be omitted to bind to all IP addresses on the server and a port can be a single port, a range, or a comma-delimited list. You’ll often use the ssl and crt arguments to instruct HAProxy to manage SSL/TLS terminations, rather than having your web servers doing that.

ACLs

https://www.haproxy.com/documentation/hapee/latest/configuration/acls/syntax/

req.ssl_hello_type : integer

req_ssl_hello_type : integer (deprecated)

Returns an integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parse as a complete SSL (v3 or superior) client hello message. Note that this only applies to raw contents found in the request buffer and not to contents deciphered via an SSL data layer, so this will not work with “bind” lines having the “ssl” option. This is mostly used in ACL to detect presence of an SSL hello message that is supposed to contain an SSL session ID usable for stickiness.

tcp-request inspect-delay <timeout>

Set the maximum allowed time to wait for data during content inspection

tcp-request content <action> [{if | unless} <condition>]

Perform an action on a new session depending on a layer 4-7 condition
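To make concrete what the frontend above actually looks at, here is an added example (not from this post or from HAProxy) that parses a raw TLS ClientHello the way req.ssl_hello_type and req.ssl_sni do, and then picks a backend the way the use_backend line does. The ClientHello bytes are constructed in the script, and the routing table and the "default_https" name are assumptions for the demo.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record with one SNI extension."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + bytes(32)          # client_version + random
            + b"\x00"                         # empty session_id
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(buf: bytes):
    """Return (hello_type, sni): hello_type is None until a complete handshake
    record is buffered (what inspect-delay waits for); sni is None if absent."""
    if len(buf) < 5 or buf[0] != 0x16:      # not a TLS handshake record (e.g. plain HTTP)
        return None, None
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:               # record still incomplete: keep waiting
        return None, None
    hs = buf[5:5 + rec_len]
    hello_type = hs[0]
    if hello_type != 1:
        return hello_type, None
    p = 4 + 2 + 32                           # skip type/length, version, random
    p += 1 + hs[p]                           # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                           # compression_methods
    if p + 2 > len(hs):
        return hello_type, None              # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000 and hs[p + 2] == 0:   # server_name ext, host_name entry
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hello_type, hs[p + 5:p + 5 + nlen].decode()
        p += elen
    return hello_type, None

def choose_backend(buf: bytes, routes: dict, default: str = "default_https"):
    """Mimic 'use_backend X if <acl>' with a case-insensitive (-i) SNI match;
    None means the 'accept if tls' rule never fired for this buffer."""
    hello_type, sni = parse_sni(buf)
    if hello_type != 1:
        return None
    return routes.get((sni or "").lower(), default)
```

A full ClientHello that names no server (no SNI extension) still has hello type 1 and would fall through to the default backend, which is why a passthrough frontend should always define one.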
