PiBa-NL · September 27, 2019 05:31
diff --git a/HAProxy SNI fallback workaround example b/HAProxy SNI fallback workaround example
 global
 	maxconn			300
 	log			192.168.0.40	local0	debug
 	stats socket /tmp/haproxy.socket level admin
 	gid			80
 	nbproc			1
 	chroot			/var/empty
 	daemon
 	#
 	# Example configuration for HAProxy 1.5-dev19 for using SNI
 	# While still trying to support mobile/older browsers/applications that don't support SNI.
 	#
 	# 3 domain names/certificates used, with different methods of forwarding/certificate handling
 	#
 	# Im using transparent proxy "source 0.0.0.0 usesrc clientip", so the real client-ip is presented to the webserver.
 	# As for when transferring SSL in TCP mode its not possible to modify headers for adding X-Forwarded-For 
 	#
 	# ## sub1.pfsense.localdomain ##
 	# - for SNI capable browsers is this is forwarded 1on1 to the right backend
 	# - when no SNI is available(IE on XP), traffic is forwarded to a SSL-offloading frontend, this should be configured with a wildcard certificate
 	#
 	# ## sub2.pfsense.localdomain ##
 	# - the browser is redirected to a different port so the proper certificate can be presented by the backend.
 	# - a wildcard certificate should be used, because when no SNI is available its not possible to send the proper certificate.
 	# - after the redirect no SSLoffloading done
 	# - the site must 'support' requests on a different port then '443'.. as an alternative you could redirect to a different domainname/IP if available
 	#
 	# ## sub3.pfsense.localdomain ##
 	# - uses SSLoffloading
 	# - using SNI the proper certificate will be presented
 	# - the default (wildcard)certificate is send to older browsers.
 	# - headers like X-Forwarded-For can be inserted
 	#
 	#
 	# Provided to you by PiBa-NL.
 	# Not intended for production purposes.. So use at your own risk. :)
 	#

 defaults
 	timeout connect		30000
 	timeout server		30000
 	retries			3

 frontend stats
 	bind			192.168.0.2:446 ssl  crt /var/etc/stats.446.crt 
 	mode			http
 	log			global
 	option			dontlognull
 	maxconn			10
 	timeout client		30000
 	default_backend		stats_http

 frontend mainSSLfrontend-merged
 	bind			192.168.1.22:443  
 	mode			tcp
 	log			global
 	option			dontlognull
 	maxconn			300
 	timeout client		30000
 	acl			0_sub1acl	req_ssl_sni -i sub1.pfsense.localdomain
 	use_backend		ba_sub1_TCP_https if 0_sub1acl 
 	default_backend		noSNI_https
 	tcp-request inspect-delay 5s
 	tcp-request content accept if { req_ssl_hello_type 1 }

 frontend noSNIfrontend-merged
 	bind			127.0.0.1:10443 ssl  crt /var/etc/noSNIfrontend.10443.crt crt /var/etc/noSNIsub1.10443.crt crt /var/etc/noSNIsub2.10443.crt crt /var/etc/noSNIsub3.10443.crt accept-proxy
 	reqadd HAPROXY:\ NO_SNI_FALLBACK
 	reqadd SNI_available:\ YES if { ssl_fc_has_sni }
 	option forwardfor
 	redirect prefix https://sub2.pfsense.localdomain:2443 if { hdr(host) -i sub2.pfsense.localdomain }
 	mode			http
 	log			global
 	option			dontlognull
 	option			httpclose
 	maxconn			300
 	timeout client		30000
 	acl			0_SNI_ba_sub1_SSL_http	hdr(host) -i sub1.pfsense.localdomain
 	use_backend		ba_sub1_SSL_http if 0_SNI_ba_sub1_SSL_http 
 	acl			1_SNI_ba_sub2_SSL_http	hdr(host) -i sub2.pfsense.localdomain
 	use_backend		ba_sub2_SSL_http if 1_SNI_ba_sub2_SSL_http 
 	acl			2_SNI_ba_sub3_SSL_http	hdr(host) -i sub3.pfsense.localdomain
 	use_backend		ba_sub3_SSL_http if 2_SNI_ba_sub3_SSL_http 
 	default_backend		nosni_default_http

 frontend XPnoSub1
 	bind			192.168.1.22:1443  
 	mode			tcp
 	log			global
 	option			dontlognull
 	maxconn			300
 	timeout client		30000
 	default_backend		ba_sub1_TCP_https

 frontend XPnoSub2
 	bind			192.168.1.22:2443  
 	mode			tcp
 	log			global
 	option			dontlognull
 	maxconn			300
 	timeout client		30000
 	default_backend		ba_sub2_TCP_https

 backend stats_http
 	mode			http
 	stats			enable
 	stats			uri /
 	stats			realm haproxystats
 	stats			auth AdminUser:SecretPass
 	stats			refresh 5s
 	option			httpchk OPTIONS / 

 backend noSNI_https
 	mode			tcp
 	option			httpchk
 	server			noSNIsrv 127.0.0.1:10443 check-ssl    weight 1 send-proxy 

 backend nosni_default_http
 	mode			http
 	option			httpchk OPTIONS / 
 	server			localSRV 127.0.0.1:443 ssl  check inter 1000  weight 1 

 backend ba_sub1_TCP_https
 	mode			tcp
 	source 0.0.0.0 usesrc clientip
 	option			httpchk OPTIONS / 
 	server			srv40_srv_443 192.168.0.40:443  check inter 10000  weight 1 check-ssl

 backend ba_sub1_SSL_http
 	mode			http
 	source 0.0.0.0 usesrc clientip
 	option			httpchk OPTIONS / 
 	server			srv40_srv_443 192.168.0.40:443 ssl  check inter 10000  weight 1 

 backend ba_sub2_TCP_https
 	mode			tcp
 	source 0.0.0.0 usesrc clientip
 	option			httpchk OPTIONS / 
 	server			srv40_srv_444 192.168.0.40:444  check inter 10000  weight 1 check-ssl

 backend ba_sub2_SSL_http
 	mode			http
 	source 0.0.0.0 usesrc clientip
 	option			httpchk OPTIONS / 
 	server			srv40_srv_444 192.168.0.40:444 ssl  check inter 10000  weight 1 

 backend ba_sub3_SSL_http
 	mode			http
 	source 0.0.0.0 usesrc clientip
 	option			httpchk OPTIONS / 
 	server			srv40_srv_445 192.168.0.40:442 ssl  check inter 10000  weight 1
	global
	maxconn 300
	log 192.168.0.40 local0 debug
	stats socket /tmp/haproxy.socket level admin
	gid 80
	nbproc 1
	chroot /var/empty
	daemon
	#
	# Example configuration for HAProxy 1.5-dev19 for using SNI
	# While still trying to support mobile/older browsers/applications that don't support SNI.
	#
	# 3 domain names/certificates used, with different methods of forwarding/certificate handling
	#
	# Im using transparent proxy "source 0.0.0.0 usesrc clientip", so the real client-ip is presented to the webserver.
	# As for when transferring SSL in TCP mode its not possible to modify headers for adding X-Forwarded-For
	#
	# ## sub1.pfsense.localdomain ##
	# - for SNI capable browsers is this is forwarded 1on1 to the right backend
	# - when no SNI is available(IE on XP), traffic is forwarded to a SSL-offloading frontend, this should be configured with a wildcard certificate
	#
	# ## sub2.pfsense.localdomain ##
	# - the browser is redirected to a different port so the proper certificate can be presented by the backend.
	# - a wildcard certificate should be used, because when no SNI is available its not possible to send the proper certificate.
	# - after the redirect no SSLoffloading done
	# - the site must 'support' requests on a different port then '443'.. as an alternative you could redirect to a different domainname/IP if available
	#
	# ## sub3.pfsense.localdomain ##
	# - uses SSLoffloading
	# - using SNI the proper certificate will be presented
	# - the default (wildcard)certificate is send to older browsers.
	# - headers like X-Forwarded-For can be inserted
	#
	#
	# Provided to you by PiBa-NL.
	# Not intended for production purposes.. So use at your own risk. :)
	#

	defaults
	timeout connect 30000
	timeout server 30000
	retries 3

	frontend stats
	bind 192.168.0.2:446 ssl crt /var/etc/stats.446.crt
	mode http
	log global
	option dontlognull
	maxconn 10
	timeout client 30000
	default_backend stats_http

	frontend mainSSLfrontend-merged
	bind 192.168.1.22:443
	mode tcp
	log global
	option dontlognull
	maxconn 300
	timeout client 30000
	acl 0_sub1acl req_ssl_sni -i sub1.pfsense.localdomain
	use_backend ba_sub1_TCP_https if 0_sub1acl
	default_backend noSNI_https
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }

	frontend noSNIfrontend-merged
	bind 127.0.0.1:10443 ssl crt /var/etc/noSNIfrontend.10443.crt crt /var/etc/noSNIsub1.10443.crt crt /var/etc/noSNIsub2.10443.crt crt /var/etc/noSNIsub3.10443.crt accept-proxy
	reqadd HAPROXY:\ NO_SNI_FALLBACK
	reqadd SNI_available:\ YES if { ssl_fc_has_sni }
	option forwardfor
	redirect prefix https://sub2.pfsense.localdomain:2443 if { hdr(host) -i sub2.pfsense.localdomain }
	mode http
	log global
	option dontlognull
	option httpclose
	maxconn 300
	timeout client 30000
	acl 0_SNI_ba_sub1_SSL_http hdr(host) -i sub1.pfsense.localdomain
	use_backend ba_sub1_SSL_http if 0_SNI_ba_sub1_SSL_http
	acl 1_SNI_ba_sub2_SSL_http hdr(host) -i sub2.pfsense.localdomain
	use_backend ba_sub2_SSL_http if 1_SNI_ba_sub2_SSL_http
	acl 2_SNI_ba_sub3_SSL_http hdr(host) -i sub3.pfsense.localdomain
	use_backend ba_sub3_SSL_http if 2_SNI_ba_sub3_SSL_http
	default_backend nosni_default_http

	frontend XPnoSub1
	bind 192.168.1.22:1443
	mode tcp
	log global
	option dontlognull
	maxconn 300
	timeout client 30000
	default_backend ba_sub1_TCP_https

	frontend XPnoSub2
	bind 192.168.1.22:2443
	mode tcp
	log global
	option dontlognull
	maxconn 300
	timeout client 30000
	default_backend ba_sub2_TCP_https

	backend stats_http
	mode http
	stats enable
	stats uri /
	stats realm haproxystats
	stats auth AdminUser:SecretPass
	stats refresh 5s
	option httpchk OPTIONS /

	backend noSNI_https
	mode tcp
	option httpchk
	server noSNIsrv 127.0.0.1:10443 check-ssl weight 1 send-proxy

	backend nosni_default_http
	mode http
	option httpchk OPTIONS /
	server localSRV 127.0.0.1:443 ssl check inter 1000 weight 1

	backend ba_sub1_TCP_https
	mode tcp
	source 0.0.0.0 usesrc clientip
	option httpchk OPTIONS /
	server srv40_srv_443 192.168.0.40:443 check inter 10000 weight 1 check-ssl

	backend ba_sub1_SSL_http
	mode http
	source 0.0.0.0 usesrc clientip
	option httpchk OPTIONS /
	server srv40_srv_443 192.168.0.40:443 ssl check inter 10000 weight 1

	backend ba_sub2_TCP_https
	mode tcp
	source 0.0.0.0 usesrc clientip
	option httpchk OPTIONS /
	server srv40_srv_444 192.168.0.40:444 check inter 10000 weight 1 check-ssl

	backend ba_sub2_SSL_http
	mode http
	source 0.0.0.0 usesrc clientip
	option httpchk OPTIONS /
	server srv40_srv_444 192.168.0.40:444 ssl check inter 10000 weight 1

	backend ba_sub3_SSL_http
	mode http
	source 0.0.0.0 usesrc clientip
	option httpchk OPTIONS /
	server srv40_srv_445 192.168.0.40:442 ssl check inter 10000 weight 1