20.7 Legacy Series / HAProxy map SNI TLS extension (TCP inspection) to backend
« on: October 14, 2020, 07:16:57 pm »
Hello,
I'm experimenting with OPNsense and have successfully configured it for hostname redirection to specific backends over HTTP and HTTPS. This involves creating two conditions for each hostname, one for HTTP using the "Host start with" (or other host matching condition like contains, matches, etc...), and another one for HTTPS using the equivalent SNI TLS extension starts with (TCP request content inspection) (or contains, matches, etc...).
Then, combining those two conditions in a rule with an OR logical operator pointing to the specific backend we want to use for this hostname and activating this rule in a Public Service (frontend) does the trick.
Obviously, as the number of hostnames a system has to respond to increases, the management of such rules will quickly become tedious.
Using the "Map domains to backend pools using a map file" in a single rule allows directing as many hostnames as are present in the map file to as many backends over HTTP: wonderful, simple, clean and manageable!
Unfortunately, as far as I can tell, this does NOT seem to work for SNI TLS inspection.
Or at least I wasn't able to figure out how it could be achieved using the available Rule functions...
I guess a potential solution would be to offload TLS handshake to the Firewall, but for various reasons I'd prefer not to go this way.
Can anyone tell me whether it is currently possible to achieve SNI TLS inspection redirection using a map file in OPNsense 20.7.3 and HAProxy 2.24?
Any hint would be welcome, thank you.
Sincerely.
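For reference, here is an added example (not from the post above and not generated by the OPNsense plugin) of the raw HAProxy configuration that routes by the TLS SNI through a map file in TCP mode, without terminating TLS on the firewall; the map path, backend names and server addresses are assumptions, and loading it into OPNsense would mean pasting the frontend/backend parts into the plugin's custom option fields.

```haproxy
# Added example: TCP-mode frontend that picks the backend from the SNI
# via a map file. Paths, backend names and addresses are assumptions.
frontend https_passthrough
    bind :443
    mode tcp
    option tcplog

    # Buffer the ClientHello (at most 5s) so the SNI is available before
    # any routing decision; without the inspect-delay req.ssl_sni is empty.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Map file, one "domain backend" pair per line (constructed sample):
    #   example.com       be_example
    #   app.example.com   be_app
    # map_dom matches the SNI or any parent domain listed in the map;
    # use map_str instead if only exact hostnames should match.
    use_backend %[req.ssl_sni,lower,map_dom(/usr/local/etc/haproxy/sni.map)]

    # Connections without SNI, or with a name not in the map, land here.
    default_backend be_reject

backend be_example
    mode tcp
    server s1 192.0.2.10:443 check

backend be_app
    mode tcp
    server s1 192.0.2.20:443 check

backend be_reject
    mode tcp
    # Deliberately has no server: unmatched connections are closed
    # instead of being forwarded to an arbitrary pool.
```

Because nothing is decrypted here, the SNI is client-supplied and unauthenticated, so the map should only list names you intend to expose and the catch-all backend should never point at an internal pool.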