Typically, when you are hosting multiple sites with HAProxy, you do something like:
This selects the backend to use based on the HTTP Host header.
When you add HTTPS to the mix, there are two ways HAProxy can handle it: by terminating SSL itself, or by passing the encrypted traffic through.
When HAProxy is terminating SSL, it holds the SSL certificate and is responsible for encrypting and decrypting the traffic. It may also talk to the backend over HTTPS, but on a secure internal network this is usually skipped. In ASCII it looks like:
When HAProxy is passing HTTPS traffic through, it simply sends the raw TCP stream on to the backend, which holds the certificate and handles encryption and decryption.
HAProxy HTTPS setups can be a little tricky. So make sure you have a working one first before adding SNI to the mix.
When using HAProxy to terminate HTTPS connections, you bind a front end to port 443, and give it an SSL certificate:
The .pem file needs to contain the private key, the certificate, and any intermediate certificates as well. Something like:
should do the trick.
All you need to do to enable SNI is to give HAProxy multiple SSL certificates:
That will cause the right certificate to be automatically selected. After that the Host header can be used just as it would be for HTTP.
In SSL pass-through mode, HAProxy doesn’t have a certificate because it’s not going to decrypt the traffic, which means it’s never going to see the Host header. Instead it needs to be told to wait for the SSL ClientHello so it can sniff the SNI name from it and switch on that:
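The pass-through setup described above, written out as an added example (this is not the original post's configuration); the hostnames, backend addresses and backend names are constructed placeholders. The inspect-delay and the ClientHello check are what make it work: without them `req_ssl_sni` is evaluated on an empty buffer and the rule never matches, and clients that send no SNI at all fall through to the default backend, so pick that backend deliberately.

```haproxy
# Added example, not from the original post. Placeholder names and addresses.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Pass-through front end: mode tcp, HAProxy never sees plaintext or a Host header.
frontend https_passthrough
    bind *:443
    mode tcp
    option tcplog

    # Buffer the connection (up to 5s) until a TLS ClientHello has arrived;
    # req_ssl_hello_type 1 is a ClientHello. Without this the SNI rules below
    # are evaluated before any bytes exist and silently never match.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Switch on the SNI name carried in the ClientHello (-i: case-insensitive).
    use_backend bk_example_com if { req_ssl_sni -i example.com }
    use_backend bk_example_org if { req_ssl_sni -i example.org }

    # Connections with no SNI (old clients, connections made by IP) land here.
    default_backend bk_default

# Each backend terminates TLS itself, so it must hold its own certificate.
backend bk_example_com
    mode tcp
    server s1 10.0.0.11:443 check

backend bk_example_org
    mode tcp
    server s2 10.0.0.12:443 check

backend bk_default
    mode tcp
    server s3 10.0.0.10:443 check
```

Check the file with `haproxy -c -f haproxy.cfg` before reloading, and confirm the routing from a client with `openssl s_client -connect <haproxy-host>:443 -servername example.com` and then with `-servername example.org`, looking at which certificate comes back each time.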
Once again, SNI is simple and easy, so why aren’t you using it?