Messages

[sni req.hdr(host),host_only]

Hi,

I have some new information from the haproxy guys now. Great support from them, thx!

Fact:
Haproxy can handle dynamic host header values for "ssl_tls_sni" header.
In the server settings part of the haproxy config file the value "sni req.hdr(host),host_only" is needed instead of "sni str("my static server hostname")" from the actual setting.
 
I now request new OPNsense haproxy config paramter setting to enable "dynamic hostname" in the haproxy config file.

Thanks for your support or questions.
BR,
Dieter

We're using OPNsense(s) running version 25.1 with haproxy in front of several VMs with a lot of webservers having a lot of different domain-/hostnames.
After the last apache CVE patch about 3 weeks ago (at least on ubuntu systems) we have the problem with the "Error 421 Misdirected Request" message.
The are a lot of posts describing how to solve this on plesk or similar systems or native nginx proxies. But what about haproxy?
The problem is the missing "SSL_TLS_SNI" header in the requests, haproxy is forwarding to the matching target webserver.
Does anyone have the same problem and maybe sovled this problem already?

We tried to set up an additional an complrte new firewall with OPNsense version 25.7, but this does not solve this problem so far.
I can't find any haproxy settings in either OPNsense versions to fix the problem.

Thanks in advance,
DT