Help with backend server sni setup

Aleksandar Lazic
Help with backend server sni setup
July 30, 2018 01:40PM
Hi.

I have the following Setup.

APP -> Internal Haproxy -(HTTPS)-> external HAProxy -> APP

The external HAProxy is configured with multiple TLS vhosts.

I assume that when I add `server .... sni appinternal.domain.com` to the
server line, the hostname field in the TLS session will be set to this
value.

I'm not sure if this could work from the doc reading.

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.2-sni

Could this work?

Best regards
Aleks
Lukas Tribus
Re: Help with backend server sni setup
July 30, 2018 04:50PM
On Mon, 30 Jul 2018 at 13:30, Aleksandar Lazic <[email protected]> wrote:
>
> Hi.
>
> I have the following Setup.
>
> APP -> Internal Haproxy -(HTTPS)-> external HAProxy -> APP
>
> The external HAProxy is configured with multiple TLS vhosts.

Never use SNI for Vhosting. It should work with the host header only.
SNI should only be used for certificate selection, otherwise
overlapping certificates will cause wrong forwarding decisions.



> I assume that when I add `server .... sni appinternal.domain.com` to the
> server line, the hostname field in the TLS session will be set to this
> value.

No, the sni keyword expects a fetch expression.

Set it to the host header for example:
sni req.hdr(host)

Or to a static string:
sni str(www.example.com)


cheers,
lukas
Aleksandar Lazic
Re: Help with backend server sni setup
July 30, 2018 07:40PM
Hi.

On 30/07/2018 16:39, Lukas Tribus wrote:
>On Mon, 30 Jul 2018 at 13:30, Aleksandar Lazic <[email protected]> wrote:
>>
>> Hi.
>>
>> I have the following Setup.
>>
>> APP -> Internal Haproxy -(HTTPS)-> external HAProxy -> APP
>>
>> The external HAProxy is configured with multiple TLS vhosts.
>
>Never use SNI for Vhosting. It should work with the host header only.
>SNI should only be used for certificate selection, otherwise
>overlapping certificates will cause wrong forwarding decisions.

The openshift router, based on haproxy 1.8, looks for the sni hostname
for routing.

https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L198-L209

Due to this fact we *must* set the SSL hostname.

>> I assume that when I add `server .... sni appinternal.domain.com` to
>> the server line, the hostname field in the TLS session will be set to
>> this value.
>
>No, the sni keyword expects a fetch expression.
>
>Set it to the host header for example:
>sni req.hdr(host)
>
>Or to a static string:
>sni str(www.example.com)

When I take a look into the code I see this line.

http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/backend.c;hb=ada31afbc1e9095d494973cad91a4e507c4c1d9b#l1255
ssl_sock_set_servername(srv_conn, smp->data.u.str.str);

and the implementation of this function is here
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/ssl_sock.c;hb=ada31afbc1e9095d494973cad91a4e507c4c1d9b#l5922

The block begins here.
http://git.haproxy.org/?p=haproxy-1.8.git;a=blob;f=src/backend.c;hb=ada31afbc1e9095d494973cad91a4e507c4c1d9b#l1236

As far as I understood this block (and I'm not sure that I have
understood it right), the sample fetch checks for the string, as you have
written, AND SETS the hostname in the SSL/TLS header for SNI.

Now, after I looked into the code and read the doc again, it's clear to
me.

This option sets

---- cite from doc
the host name sent in the SNI TLS extension to the server.
----

Please accept my apologies for the rush and my stupidity.

>cheers,
>lukas

Best greetings
aleks
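Added example, not configuration from the thread, from HAProxy or from the OpenShift router: the two HAProxy fragments below tie together the points raised above. On the internal side the server line's `sni` keyword takes a sample fetch expression (`str(...)` or `req.hdr(host)`), the value is also checked against the server certificate when `verify required` is set, and `check-sni` covers health checks, which carry no Host header to fetch from. On the external side the vhost decision is made on the Host header, with SNI left to certificate selection, as Lukas recommends. Hostnames, ports, certificate paths and backend addresses are assumptions.

```haproxy
# Added example (not from the thread, HAProxy or OpenShift).
# All hostnames, addresses, ports and file paths are assumptions.

global
    # Refuse to talk to any TLS server whose certificate does not validate.
    ssl-server-verify required

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# ---- internal HAProxy: APP -> here -(HTTPS)-> external HAProxy ----
frontend fe_internal
    bind :8080
    default_backend be_external

backend be_external
    # 'sni' takes a sample fetch expression, not a bare hostname, so a fixed
    # name is written as str(...). With 'verify required' the SNI value is
    # also matched against the server certificate's names ('verifyhost' only
    # applies when no SNI is sent). 'check-sni' sets the SNI for health
    # checks, which are not real requests and have no Host header.
    server ext1 ext.example.com:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(appinternal.domain.com) check check-sni appinternal.domain.com

    # Alternative: send whatever hostname the client asked for.
    # server ext1 ext.example.com:443 ssl verify required ca-file /etc/haproxy/ca.pem sni req.hdr(host) check check-sni appinternal.domain.com

# ---- external HAProxy: pick the certificate by SNI, route by Host ----
frontend fe_external
    # One PEM per vhost in the directory; the TLS SNI only selects the cert.
    bind :443 ssl crt /etc/haproxy/certs/
    # Strip an optional :port before comparing the Host header.
    acl host_appinternal req.hdr(host),field(1,:) -i appinternal.domain.com
    http-request deny unless host_appinternal
    use_backend be_appinternal if host_appinternal

backend be_appinternal
    server app1 10.0.0.10:8080 check
```

If the upstream really does route on the TLS SNI, as the OpenShift router template linked in the thread does for passthrough routes, the name sent by `sni` and `check-sni` must be the one that upstream routes on, and the static `str(...)` form is the safer choice over `req.hdr(host)`, since the latter lets a client-controlled Host header choose the SNI presented upstream.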