
HAProxy TLS termination and passthrough based on SNI


I have similar paths for the requests:

client mydomain.com -> nlb:443 -> haproxy -> cloudfront
client a.mydomain.com -> nlb:443 -> haproxy -> target_group_a

The main idea is to do TLS passthrough for the main domain name and send it to CloudFront without TLS termination. Requests to a.mydomain.com should go to target_group_a, and TLS should be terminated there. So my config for this is:

frontend main
    bind *:443
    mode tcp
    option tcplog
    log global

    tcp-request inspect-delay 5s

    acl is_main req_ssl_sni -i "${pDomainName}"
    acl is_a req_ssl_sni -m beg "a"

    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend main if is_main
    use_backend a if is_a

backend main
    mode tcp
    option ssl-hello-chk
    server cloudfront "${pCloudFrontUrl}:443" check resolvers aws

backend a
    mode tcp
    server local 127.0.0.1:9666 send-proxy

frontend a
    bind *:9666 ssl crt server.pem ca-file ca.pem verify required accept-proxy
    mode http

    default_backend proxy_a

backend proxy_a
    mode http
    server elb "${pServer}:80" check resolvers aws

The main record passes successfully and I get CloudFront SSL termination and everything is okay, but not for a.mydomain.com.

I also tried to watch what SNI HAProxy captures, but I got only capture0: - in the logs. I did it like this (right after the tcp-request inspect-delay line):

tcp-request content capture req_ssl_sni len 15
log-format "capture0: %[capture.req.hdr(0)]"

and it's strange because routing works.

I've tried a lot of possibilities. For now I get an "SSL peer handshake failed, the server most likely requires a client certificate to connect" error, but if I make frontend a listen on another port in http mode, everything works fine.

Maybe I'm missing something basic, but I've been stuck on this for ages and maybe someone could help me.


Solution

  • For anyone who is suffering or will suffer from this situation: just be sure that you are testing with the GNU version of curl (or build it with the proper libraries), because it doesn't work for me with BSD curl. My curl version and libs:

    curl 7.66.0 (x86_64-apple-darwin17.7.0) libcurl/7.66.0 SecureTransport zlib/1.2.11
    Release-Date: 2019-09-11
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
    Features: AsynchDNS IPv6 Largefile libz NTLM NTLM_WB SSL UnixSockets