Topic: HAProxy no SNI (Read 88 times)
lfirewall1243 (Hero Member, Posts: 1386, Karma: 45)
HAProxy no SNI « on: November 05, 2024, 07:45:00 pm »
Hello everyone,
at the moment I am trying to filter via SNI on HAProxy for my SMTPS and IMAPS connections.
It's all working fine when I select the default backend for SMTPS and IMAPS.
So I tried to create a condition where the SNI matches "smtp.mydomain.de" and "imap.mydomain.de".
Then no connection is possible.
The HAProxy is only in TCP mode (working fine when the default backend is selected).
I already did a Wireshark pcap on my WAN interface, where the HAProxy is listening. The first TLS packet shows that the SNI is set correctly: "Client Hello (SNI=smtp.mydomain.de)".
So it seems like HAProxy isn't respecting the SNI.
All updates are installed.
Maybe anyone has an idea.
(Unofficial Community) OPNsense Telegram Group:
https://t.me/joinchat/0o9JuLUXRFpiNmJk
PM for paid support
meyergru (Hero Member, Posts: 1683, Karma: 165, IT Aficionado)
Re: HAProxy no SNI « Reply #1 on: November 05, 2024, 07:50:59 pm »
Did you use ssl_fc_sni, instead of req.ssl_sni? The latter only works with TLS, not with TCP.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
lfirewall1243 (Hero Member, Posts: 1386, Karma: 45)
Re: HAProxy no SNI « Reply #2 on: November 05, 2024, 07:55:55 pm »
Thanks for the reply.
I already enabled strict_sni in my frontend. After that a connection from Apple Mail is working, but Thunderbird and other clients are not.
(Unofficial Community) OPNsense Telegram Group:
https://t.me/joinchat/0o9JuLUXRFpiNmJk
PM for paid support
lfirewall1243 (Hero Member, Posts: 1386, Karma: 45)
Re: HAProxy no SNI « Reply #3 on: November 05, 2024, 08:04:46 pm »
Ah found it. Seems to work now.
Thank you a lot!
(Unofficial Community) OPNsense Telegram Group:
https://t.me/joinchat/0o9JuLUXRFpiNmJk
PM for paid support
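
The thread does not say which change resolved the problem. As an added example (not the poster's configuration and not generated by the OPNsense plugin), the raw HAProxy configuration below shows where each of the two SNI fetches named in reply #1 is evaluated in a `mode tcp` frontend. Backend names, server addresses and the certificate path are placeholders.

```haproxy
defaults
    mode tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Variant A: TLS passthrough. The bind line has no "ssl", so HAProxy never
# decrypts. It has to buffer the first packet and read the SNI from the raw
# ClientHello; without the inspect-delay/accept pair the rule is evaluated
# before the ClientHello has arrived and never matches.
frontend smtps_passthrough
    bind :465
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_smtp if { req.ssl_sni -i smtp.mydomain.de }
    # no default_backend: a missing or unknown SNI gets no backend

# Variant B: TLS terminated on the frontend. "ssl" on the bind line means
# HAProxy completes the handshake itself, so the SNI comes from the
# established session (ssl_fc_sni). strict-sni is a TLS bind option
# and refuses handshakes whose SNI matches no loaded certificate.
frontend imaps_offload
    bind :993 ssl crt /path/to/imap.mydomain.de.pem strict-sni
    use_backend be_imap if { ssl_fc_sni -i imap.mydomain.de }

backend be_smtp
    # still encrypted end to end; the mail server does the handshake
    server mail1 192.0.2.10:465 check

backend be_imap
    # traffic was decrypted in Variant B; re-encrypt towards the server
    server mail1 192.0.2.10:993 ssl verify required ca-file /path/to/ca.pem check
```

`haproxy -c -f <file>` checks the syntax before a reload. A quick way to test one rule from a client is `openssl s_client -connect <wan-address>:465 -servername smtp.mydomain.de`, then repeat with a different `-servername` to confirm the non-matching name is refused.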