我有这样的场景
通过 HTTPS 和端口 443 和 440 到我的 HAProxy 服务器的一些连接收入
连接 sni 为:subbbx.example1.com 和 subyyyyy.example2.com(例如)
我需要什么:
当传入连接具有 example1.com 和任何子域时,连接将转发到 IP1 当传入连接具有 example2.com 和任何子域时,连接将转发到 IP2 否则在任何其他 sni 连接上转发到 IP3
可以提供我配置吗?
注意:HAProxy 服务器没有 sll 证书。但 ip1 服务器和 ip2 服务器和 ip3 服务器有与 sni 相关的证书
谢谢
因为我在 HAProxy 是零,所以我不知道该怎么做
未经测试,但是这个片段似乎可以满足你的要求:
# Haproxy configuration for SSL request passthrough to different backend based on SNI read from Handshaking stage
# The Loadbalance will not decode the encrpted data but transparently transfer to the backend server in Private subnet.
# With such configuration, you can install multiply services with its own SSL certificate in backend in different EC2 instance, but only explosure to public internet with one Loadbalance IP. There is no need to install SSL certificate in Loadbalancer level.
# Ref:
# How to support wildcard sni: https://stackoverflow.com/questions/24839318/haproxy-reverse-proxy-sni-wildcard
# https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
# https://stuff-things.net/2016/11/30/haproxy-sni/
#---------------------------------------------------------------------
# Proxys to the webserver backend port 443
#---------------------------------------------------------------------
frontend main_ssl
bind :443
mode tcp
option tcplog
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend aaa_ssl if { req_ssl_sni -m end .aaa.domain.com }
use_backend bbb_ssl if { req_ssl_sni -m end .bbb.domain.com }
default_backend static
backend aaa_ssl
mode tcp
balance roundrobin
server aaa_ssl_server x.x.x.x:443 check
backend bbb_ssl
mode tcp
balance roundrobin
server bbb_ssl_server x.x.x.x:443 check
更改后端 IP 地址,并根据您的情况将
.aaa.domain.com.bbb.domain.com.example1.com.example2.comreq_ssl_sni -m endHAProxy 服务器没有 sll 证书。
请注意,这不适用于使用 加密 SNI 的连接,因为 SNI 在直通模式下对 HAProxy 不可见。