haproxy ssl passthrough

[lebernd]

Hello everybody,

I have some questions around the haproxy plugin.

Frontend:
1) can someone tell me a standard/ or differences between the several "listening ip" settings in howtos like:
- 127.0.0.1:port
- a predefined virtual ip-address like 192.168.. or 10...
- the 0.0.0.0:port setting

I have taken the one in the middle, but I'm not sure why. Will all settings "survive" a changing WAN-ip?

2) The options field:
I have entered there:

Code: [Select]

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
because I found something in the haproxy forum: https://discourse.haproxy.org/t/ssl-pass-through-yields-ssl-errors/4206 telling me to do so...
It works with it and won't work without it... I'm not quite sure if it is related to the first question.
Nor what it is. If it is a bug - do I have to go to github?

3) TCP or SSL/HTTPS (TCP) ?
It didn't work with SSL/HTTPS (TCP) until I changed it to TCP
As I turned it back from TCP to SSL/HTTPS (TCP) it is working too. What's the difference why choose the one over the other?
It somehow seams that there is something with the rewrite of the config? I noticed some persisting of the default/offloading settings when changing the config: HSTS setting would persist in the SSL/HTTPS (TCP) settings. Not quite sure though.

Best regards,
Bernd