tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
This should work for any TCP-based SSL/TLS encrypted service in passthrough (HAProxy: TCP) mode... It does NOT work for STARTTLS!

In this example I use TCP port 443.

1. HAProxy plugin: Create "Real Server" (enter name, IP/FQDN and port number if different from 443, the rest can be left at default)
2. HAProxy plugin: Create "Backend Pool" (enter name, set mode to TCP and select the real server from step 1)
3. HAProxy plugin: Create "Condition" (enter name ["traffic_ssl"], condition type is "custom condition (option pass-through)" with value "req_ssl_hello_type 1")
4. HAProxy plugin: Create "Condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)
5. HAProxy plugin: Create "Rule" (enter name ["request_inspect_delay"], select no condition, function is "tcp-request inspect delay" with value "5s" or whatever suits you)
6. HAProxy plugin: Create "Rule" (enter name ["request_content_accept_ssl"], select condition of 3 ["traffic_ssl"], function is "tcp-request content accept")
7. HAProxy plugin: Create "Rule" (enter name ["myservice_sni"], select condition of 4 ["myservice_sni"], function is "Use specific backend pool" with your pool from 2)
8. HAProxy plugin: Create "Public service" (enter name ["https_passthrough"], choose a listen address [":443" for all], type is "TCP" and select the 3 rules created earlier)
9. HAProxy plugin: Enable plugin or test/apply
10. Firewall: allow incoming traffic to WAN (address) or whatever for TCP port 443.

That works at least for me. If you have double NAT you would need to disable port randomization for the proxied port...

Does that help you?
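For readers who want to see what the plugin steps above amount to in a raw haproxy.cfg, the following is an added example written for this page; it is not the poster's configuration and not something the plugin emits verbatim. The backend names, the 192.0.2.x server addresses (documentation range) and the second host name other.example.com are assumptions, and the second use_backend line goes beyond the post by showing how a backend that serves two names is matched.

```haproxy
# Added example, not the original post's configuration.
# TLS passthrough: HAProxy never decrypts, it only peeks at the ClientHello.
frontend https_passthrough
    bind :443
    mode tcp
    option tcplog
    # Hold the connection for up to 5s until the ClientHello has arrived.
    # Without this delay routing happens before the SNI is readable and the
    # use_backend rules below can never match.
    tcp-request inspect-delay 5s
    # Proceed as soon as a TLS ClientHello (handshake type 1) is present.
    # A STARTTLS service sends a plaintext banner first, so this never matches there.
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the SNI extension; -i makes the comparison case-insensitive.
    use_backend pool_myservice if { req_ssl_sni -i myservice.example.com }
    # Two names for one pool: the "OR" form of the condition (assumed names).
    use_backend pool_other if { req_ssl_sni -i other.example.com } || { req_ssl_sni -i www.other.example.com }
    # Deliberately no default_backend: a ClientHello with an unknown or absent
    # SNI gets no backend and the connection is closed, instead of being
    # handed to whichever pool happens to be listed first.

backend pool_myservice
    mode tcp
    # Assumed address; the real server keeps its own certificate and key.
    server web1 192.0.2.10:443 check

backend pool_other
    mode tcp
    server web2 192.0.2.11:443 check
```

To check the routing from outside, `openssl s_client -connect <public-ip>:443 -servername myservice.example.com` should return the certificate of the matching pool, and the same command with an unknown `-servername` should fail to complete the handshake rather than land on a pool.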
I understand that both servers run both websites, correct?

Did you make sure that in rule ["myservice_sni"] you changed the "Logical operator for conditions" to "OR"? It is obviously not possible to match both conditions at the same time...
Please, be sure that the mydomain.com subdomain is currently pointing (DNS) to this server.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Using the webroot path /var/www/mydomain.com/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.com/.well-known/acme-challenge/eI3IjJ4OmYJ2RVQkDwm3QsBmp5Jl0QnlbC9RuEYkvtY: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.com
   Type:   connection
   Detail: Fetching http://mydomain.com/.well-known/acme-challenge/eI3IjJ4OmYJ2RVQkDwm3QsBmp5Jl0QnlbC9RuEYkvtY: Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

[ERROR] Unable to create the new certificate!
Services -> HAProxy -> Virtual Services -> Backend Pool -> Edit Server
Enable "advanced mode"
Field: Option pass-through
Code:
# add X-FORWARDED-FOR
option forwardfor
# add X-CLIENT-IP
# http-request add-header X-CLIENT-IP %[src]
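The forwardfor and add-header lines above only take effect in an HTTP-mode backend, where HAProxy terminates TLS and can rewrite headers; in the TCP passthrough setup from earlier in the thread HAProxy never sees HTTP, so they are ignored and the backend logs the proxy's address as the client. The block below is an added example, not the poster's configuration, contrasting the two cases. The backend names and the 192.0.2.10 address are assumptions, and the TCP part assumes the backend web server can be configured to accept the PROXY protocol.

```haproxy
# Added example, not the original post's configuration.

# Case 1: TLS terminated on HAProxy (mode http). The client address can be
# inserted as a header, which is what the "Option pass-through" lines do.
backend pool_http_terminated
    mode http
    # Appends X-Forwarded-For: <client ip>. A client can send its own
    # X-Forwarded-For, so the backend must trust only the last value.
    option forwardfor
    # set-header rather than add-header: overwrites any client-supplied
    # X-Client-IP instead of leaving two headers for the backend to pick from.
    http-request set-header X-Client-IP %[src]
    # Assumed address and plaintext port behind the terminating proxy.
    server web1 192.0.2.10:8080 check

# Case 2: TLS passthrough (mode tcp), as in the SNI routing setup. No HTTP
# headers are visible, so forwardfor / add-header cannot apply. The client
# address is carried to the backend by the PROXY protocol header instead;
# the backend listener must be configured to expect it (assumed here).
backend pool_myservice
    mode tcp
    server web1 192.0.2.10:443 check send-proxy-v2
```

Enabling send-proxy-v2 on a backend that does not expect the PROXY protocol breaks every connection to it, since the first bytes on the wire are no longer a TLS record; the backend's own access log showing the real client address is the confirmation that it is set up on both sides.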