Support SNI mode in TCP #751

Closed
tamalsaha opened this issue Dec 8, 2017 · 4 comments

@tamalsaha (Member) commented Dec 8, 2017

From Kirill Gavrilov on Slack:
HTTP mode with SNI means that you will have to terminate TLS (I'm probably wrong here)? I would not like to terminate but pass through while still being able to make rules based on SNI.

Here is an example with SSL/TLS passthrough in TCP mode with an SNI ACL: https://www.haproxy.com/documentation/aloha/7-0/deployment-guides/tls-layouts/

@Zhuvikin commented Dec 8, 2017

Hi @Tamal. Thank you for the issue created. Load balancing traffic based on SNI doesn't require SSL termination. That's what SNI was designed for. The ability to detect SNI in HAProxy is achieved through the extension.
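As an added example (not code from this issue, from Voyager or from HAProxy), here is what the `req_ssl_hello_type 1` / `req_ssl_sni` fetches actually do, written out in Go: the SNI host name is read straight out of the plaintext ClientHello, so a TCP-mode proxy can route on it without holding any key and without terminating the session. The record is parsed only as far as the server_name extension; the wire format followed (record header, handshake header, ClientHello fields, extension list) is the standard TLS one, while every type and function name here, and the sample record that `BuildClientHello` constructs, are my own and not a real capture.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Added example, not Voyager or HAProxy code: read the server_name extension
// out of a raw TLS ClientHello, which is all that HAProxy's req_ssl_hello_type
// and req_ssl_sni fetches do. No key is involved and nothing is terminated.

var (
	errNotHandshake   = errors.New("first record is not a TLS handshake record")
	errNotClientHello = errors.New("handshake message is not a ClientHello")
	errTruncated      = errors.New("truncated or malformed ClientHello")
)

// cursor is a bounds-checked reader; all cursors of one parse share err,
// so the first short read sticks and is reported once at the end.
type cursor struct {
	b   []byte
	err *error
}

func (c *cursor) take(n int) []byte {
	if *c.err != nil || n > len(c.b) {
		*c.err = errTruncated
		return nil
	}
	out := c.b[:n]
	c.b = c.b[n:]
	return out
}

// num reads an n-byte big-endian length or type field.
func (c *cursor) num(n int) int {
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// ParseClientHelloSNI returns the host_name from the ClientHello that opens
// rec, or "" with a nil error for a well-formed hello that carries no SNI.
func ParseClientHelloSNI(rec []byte) (string, error) {
	// Record header: content type 0x16 = handshake, version(2), length(2).
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errNotHandshake
	}
	var err error
	sub := func(b []byte) *cursor { return &cursor{b: b, err: &err} }
	h := sub(sub(rec[5:]).take(int(binary.BigEndian.Uint16(rec[3:5]))))
	// Handshake header: msg_type 1 = ClientHello (req_ssl_hello_type 1), length(3).
	if typ := h.num(1); typ != 1 && err == nil {
		return "", errNotClientHello
	}
	body := sub(h.take(h.num(3)))
	body.take(34)          // client_version(2) + random(32)
	body.take(body.num(1)) // session_id
	body.take(body.num(2)) // cipher_suites
	body.take(body.num(1)) // compression_methods
	if err == nil && len(body.b) == 0 {
		return "", nil // no extensions block at all: SNI impossible
	}
	ext := sub(body.take(body.num(2)))
	for err == nil && len(ext.b) > 0 {
		typ := ext.num(2)
		data := sub(ext.take(ext.num(2)))
		if typ != 0 { // extension type 0 = server_name
			continue
		}
		// server_name_list: length(2), then entries name_type(1) length(2) name.
		list := sub(data.take(data.num(2)))
		for err == nil && len(list.b) > 0 {
			nameType := list.num(1)
			name := list.take(list.num(2))
			if err == nil && nameType == 0 { // 0 = host_name
				return string(name), nil
			}
		}
	}
	return "", err
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello assembles a minimal TLS 1.2-style ClientHello record
// carrying host as its SNI: constructed sample input, not a real capture.
func BuildClientHello(host string) []byte {
	name := []byte(host)
	entry := append(append([]byte{0x00}, be16(len(name))...), name...)     // host_name entry
	list := append(be16(len(entry)), entry...)                              // server_name_list
	ext := append(append([]byte{0x00, 0x00}, be16(len(list))...), list...) // extension type 0
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)                 // version + zero random
	body = append(body, 0x00)                                               // empty session_id
	body = append(body, 0x00, 0x02, 0x13, 0x01)                             // one cipher suite
	body = append(body, 0x01, 0x00)                                         // null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}
```

In HAProxy terms, `errNotClientHello` is the case `tcp-request content accept if { req_ssl_hello_type 1 }` filters out, and `errTruncated` is why the snippets in this thread carry a `tcp-request inspect-delay`: the first bytes inspected may not yet contain the whole record, so the proxy has to wait for it before the `req_ssl_sni` ACLs can match.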

@diptadas (Contributor) commented Apr 10, 2018

@tamalsaha (Member, Author) commented Apr 11, 2018

TCP logic:

spec.TLS found and noTLS == false ---> `bind ssl crt crt_file_path`  // TLS terminated at haproxy
  - validate that #(matching backends) == 1 ?


spec.TLS found and noTLS == true  ---> `bind` // no tls termination at haproxy
  - validate that #(matching backends) == 1 ?


spec.TLS ! found and  >1 TCP backend for same port  ---> `bind ssl`  // SSL not terminated but SNI used
  - validate that all matching backends have noTLS = false
  snippet:
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend app1-servers if { req_ssl_sni -i app1.example.com }
  use_backend app2-servers if { req_ssl_sni -i app2.example.com }
  use_backend app3-servers if { req_ssl_sni -i app3.example.com }


spec.TLS ! found and 1 backend svc for port         ---> `bind`  // example: https, ssh, mysql


host:
tcp:
  port: <------------
  backend:
    service:
    port:

@tamalsaha (Member, Author) commented May 3, 2018

--------------------------------------
ssl-passthrough =>> no TLS termination (converts to S-2 or S-3, noTLS = true)

host found in spec.TLS && noTLS = false =>>> terminate TLS (S-1)

--------------------------------------

S-1:
host found in spec.TLS && noTLS = false =>>> terminate TLS

(
S-2:
host found in spec.TLS && noTLS = true =>>> Do not terminate TLS

S-3:
host ! found in spec.TLS =>>> Do not terminate TLS
)

--------------------------------------

- Same port, S-1 and (S-2 or S-3) (one host wants to terminate TLS, one host does not want to terminate TLS): **Validation Error**


- #(S-2 or S-3) >= 1 and host is set : OK
{
	== 1: use backend

	> 1: use SNI

		mode tcp
		tcp-request inspect-delay 5s
		tcp-request content accept if { req_ssl_hello_type 1 }
		use_backend app1-servers if { req_ssl_sni -i app1.example.com }
		use_backend app2-servers if { req_ssl_sni -i app2.example.com }
		use_backend app3-servers if { req_ssl_sni -i app3.example.com }
}

- #(S-2 or S-3) >= 1 and (host is not set for one or more): **Validation Error**


- #(S-1) == 1 and #(S-2 or S-3) == 0  `bind ssl crt path_to_crt_file`
{
	host == "xyz.com"   >>>> OK   `use backend  xyz`

	host == `*.xyz.com` >>>>> OK  `use backend  xyz`

	host == `*`         >>>>>> OK `use backend  xyz`
}


- #(S-1) > 1 and #(S-2 or S-3) == 0 : ? (check)  `bind ssl crt path_to_crt_dir`
{
	host == "xyz.com", "abc.com"

		# TLS is terminated on this bind, so the SNI comes from the completed
		# handshake (ssl_fc_sni); req_ssl_sni only matches a raw ClientHello
		use_backend app1-servers if { ssl_fc_sni -i xyz.com }
		use_backend app2-servers if { ssl_fc_sni -i abc.com }


	host == `*.xyz.com`, `*.abc.com`, `hij.com`

		# wildcard hosts: suffix match on the SNI value
		use_backend xyz-servers if { ssl_fc_sni -m end -i .xyz.com }
		use_backend abc-servers if { ssl_fc_sni -m end -i .abc.com }
		use_backend hij-servers if { ssl_fc_sni -i hij.com }


	host == `*` >>>> **Validation Error**
}


- #(S-1) >=1 and ssl-passthrough == **Validation Error**
{
	host == "xyz.com"
	host == `*.xyz.com`
	host == `*`
}
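Added example, not Voyager's implementation: the rule table above turned into one Go function that classifies every TCP rule on a port as S-1, S-2 or S-3 and either rejects the combination or emits the HAProxy frontend it calls for. The `TCPRule` and `Ingress` types, the `CertDir` field, `SampleIngress` and all backend and certificate names are assumptions made for the example. Two readings are my own: a single host-less rule on a port is accepted (the plain https/ssh/mysql case from the Apr 11 comment, with hosts required only once a port is shared), and the multi-host terminated case selects on `ssl_fc_sni`, the SNI of the handshake HAProxy itself completed, because `req_ssl_sni` inspects only a raw ClientHello and is used here solely on the passthrough bind. The ssl-passthrough annotation is modelled as an ingress-level flag that rejects any S-1 host, as the last bullet states.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Voyager's code: the S-1/S-2/S-3 rule table from the
// comment above, applied to one TCP port, and the HAProxy frontend each case
// calls for. Type and field names below are assumptions, not Voyager's API.

type TCPRule struct {
	Host    string // "" when the rule sets no host
	Port    int
	Backend string // HAProxy backend the rule maps to
	NoTLS   bool   // the rule asks HAProxy not to terminate TLS
}

type Ingress struct {
	TLSHosts       map[string]string // host -> cert path ("host found in spec.TLS")
	CertDir        string            // directory with every cert, for multi-host termination
	SSLPassthrough bool              // ingress-level ssl-passthrough annotation
	Rules          []TCPRule
}

// sniACL selects a host once the SNI is known: fetch is req_ssl_sni on a
// passthrough bind and ssl_fc_sni once HAProxy terminated TLS itself;
// a "*.xyz.com" host becomes a suffix match.
func sniACL(fetch, host string) string {
	if strings.HasPrefix(host, "*.") {
		return fmt.Sprintf("{ %s -m end -i %s }", fetch, host[1:])
	}
	return fmt.Sprintf("{ %s -i %s }", fetch, host)
}

// Frontend validates the rules that share port and returns the frontend
// block, or the validation error the rule table prescribes.
func Frontend(ing *Ingress, port int) (string, error) {
	var term, pass []TCPRule
	for _, r := range ing.Rules {
		_, inTLS := ing.TLSHosts[r.Host]
		switch {
		case r.Port != port: // belongs to another frontend
		case inTLS && !r.NoTLS: // S-1: host in spec.TLS, terminate at HAProxy
			term = append(term, r)
		default: // S-2 / S-3: pass through untouched
			pass = append(pass, r)
		}
	}
	switch {
	case len(term)+len(pass) == 0:
		return "", fmt.Errorf("port %d: no TCP rules", port)
	case len(term) > 0 && ing.SSLPassthrough:
		return "", fmt.Errorf("port %d: ssl-passthrough is set but a host asks for TLS termination", port)
	case len(term) > 0 && len(pass) > 0:
		return "", fmt.Errorf("port %d: one host terminates TLS and another does not", port)
	}

	var b strings.Builder
	fmt.Fprintf(&b, "frontend tcp-%d\n  mode tcp\n", port)
	switch {
	case len(pass) == 1: // plain TCP (https, ssh, mysql ...): host optional
		fmt.Fprintf(&b, "  bind *:%d\n  default_backend %s\n", port, pass[0].Backend)
	case len(pass) > 1: // passthrough, routed on the SNI of the raw ClientHello
		fmt.Fprintf(&b, "  bind *:%d\n  tcp-request inspect-delay 5s\n", port)
		b.WriteString("  tcp-request content accept if { req_ssl_hello_type 1 }\n")
		for _, r := range pass {
			if r.Host == "" || r.Host == "*" { // nothing an SNI ACL could match
				return "", fmt.Errorf("port %d: every rule needs a concrete host when the port is shared", port)
			}
			fmt.Fprintf(&b, "  use_backend %s if %s\n", r.Backend, sniACL("req_ssl_sni", r.Host))
		}
	case len(term) == 1: // terminate with the host's own cert; any host form is fine
		fmt.Fprintf(&b, "  bind *:%d ssl crt %s\n  default_backend %s\n",
			port, ing.TLSHosts[term[0].Host], term[0].Backend)
	default: // several terminated hosts: one cert dir, route on the negotiated SNI
		fmt.Fprintf(&b, "  bind *:%d ssl crt %s\n", port, ing.CertDir)
		for _, r := range term {
			if r.Host == "*" {
				return "", fmt.Errorf("port %d: host * cannot share a terminated port", port)
			}
			fmt.Fprintf(&b, "  use_backend %s if %s\n", r.Backend, sniACL("ssl_fc_sni", r.Host))
		}
	}
	return b.String(), nil
}

// SampleIngress is constructed sample input: two passthrough hosts on 443, one a wildcard, and a host-less MySQL rule.
func SampleIngress() *Ingress {
	return &Ingress{
		TLSHosts: map[string]string{"app1.example.com": "/etc/ssl/app1.pem", "*.example.org": "/etc/ssl/wild.pem"},
		CertDir:  "/etc/ssl/tcp-443",
		Rules: []TCPRule{
			{Host: "app1.example.com", Port: 443, Backend: "app1-servers", NoTLS: true},
			{Host: "*.example.org", Port: 443, Backend: "wild-servers", NoTLS: true},
			{Port: 3306, Backend: "mysql-servers"},
		},
	}
}
```

Flipping `NoTLS` on the sample rules moves port 443 from the `req_ssl_sni` passthrough block to a `bind ... ssl crt <dir>` block keyed on `ssl_fc_sni`, and flipping it on only one of them produces the "one host terminates, one does not" validation error from the first bullet.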