You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
76e5d8e77c
|
2 years ago | |
|---|---|---|
| .. | ||
| gitea-www | 2 years ago | |
| haproxy-certificates | 2 years ago | |
| pages-www | 2 years ago | |
| .gitignore | 2 years ago | |
| README.md | 2 years ago | |
| dhparam.pem | 2 years ago | |
| docker-compose.yml | 2 years ago | |
| gitea.Caddyfile | 2 years ago | |
| haproxy.cfg | 2 years ago | |
| pages.Caddyfile | 2 years ago | |
| test.sh | 2 years ago | |
README.md
HAProxy with SNI & Host-based rules
This is a proof of concept, enabling HAProxy to use either SNI to redirect to backends with their own HTTPS certificates (which are then fully exposed to the client; HAProxy only proxies on a TCP level in that case), as well as to terminate HTTPS and use the Host header to redirect to backends that use HTTP (or a new HTTPS connection).
How it works
- The
http_redirect_frontendis only there to listen on port 80 and redirect every request to HTTPS. - The
https_sni_frontendlistens on port 443 and chooses a backend based on the SNI hostname of the TLS connection. - The
https_termination_backendpasses all requests to a unix socket (using the plain TCP data). - The
https_termination_frontendlistens on said unix socket, terminates the HTTPS connections and then chooses a backend based on the Host header.
In the example (see haproxy.cfg), the pages_backend is listening via HTTPS and is providing its own HTTPS certificates, while the gitea_backend only provides HTTP.
How to test
docker-compose up &
./test.sh
docker-compose down
# For manual testing: all HTTPS URLs connect to localhost:443 & certificates are not verified.
./test.sh [curl-options...] <url>
