Add SNI support as requested in #1

This commit is contained in:
genofire 2020-10-03 03:04:44 +02:00
parent 276cff4373
commit 02fdf86327
4 changed files with 58 additions and 7 deletions


@ -9,14 +9,18 @@ haproxy_http:
addr: '2a01:238:4246:1e00:2207:546f:6a47:6050' addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
- host: 'cloud.ccchb.de' - host: 'cloud.ccchb.de'
addr: '2a01:4f8:150:926f::5' addr: '2a01:4f8:150:926f::5'
- host: 'dev.ccchb.de'
addr: '2a01:4f8:150:926f::9'
haproxy_https: haproxy_sni:
- host: 'ccchb.de' - host: 'ccchb.de'
addr: '2a01:238:4246:1e00:2207:546f:6a47:6050' addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
- host: 'www.ccchb.de' - host: 'www.ccchb.de'
addr: '2a01:238:4246:1e00:2207:546f:6a47:6050' addr: '2a01:238:4246:1e00:2207:546f:6a47:6050'
- host: 'cloud.ccchb.de' - host: 'cloud.ccchb.de'
addr: '2a01:4f8:150:926f::5' addr: '2a01:4f8:150:926f::5'
- host: 'dev.ccchb.de'
addr: '2a01:4f8:150:926f::9'
bhyve_ipv4: 10.0.0.0 bhyve_ipv4: 10.0.0.0
bhyve_ipv6: 2a01:4f8:150:926f::4 bhyve_ipv6: 2a01:4f8:150:926f::4


@ -122,8 +122,9 @@
- defaults.cfg - defaults.cfg
- global.cfg - global.cfg
- http.cfg - http.cfg
- sni.cfg
- name: Config HAProxy HTTP backends - name: Configure HAProxy HTTP backends
template: template:
dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg' dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
src: http_host.cfg.j2 src: http_host.cfg.j2
@ -134,6 +135,31 @@
- Reload HAProxy - Reload HAProxy
with_items: '{{ haproxy_http }}' with_items: '{{ haproxy_http }}'
- name: Configure HAProxy SNI backends
template:
dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
src: sni_host.cfg.j2
owner: root
group: wheel
mode: 0444
notify:
- Reload HAProxy
with_items: '{{ haproxy_sni }}'
- name: Make sure the HTTP map exists
command: env touch /usr/local/etc/haproxy/http.map
args:
creates: /usr/local/etc/haproxy/http.map
notify:
- Reload HAProxy
- name: Make sure the SNI map exists
command: env touch /usr/local/etc/haproxy/sni.map
args:
creates: /usr/local/etc/haproxy/sni.map
notify:
- Reload HAProxy
- name: Enable HAProxy HTTP backends - name: Enable HAProxy HTTP backends
lineinfile: lineinfile:
path: /usr/local/etc/haproxy/http.map path: /usr/local/etc/haproxy/http.map
@ -143,13 +169,14 @@
- Reload HAProxy - Reload HAProxy
with_items: '{{ haproxy_http }}' with_items: '{{ haproxy_http }}'
- name: Make sure the http map exists - name: Enable HAProxy SNI backends
command: env touch /usr/local/etc/haproxy/http.map lineinfile:
args: path: /usr/local/etc/haproxy/sni.map
creates: regex: '^{{ item.host }} '
/usr/local/etc/haproxy/http.map line: '{{ item.host }} sni_{{ item.host }}'
notify: notify:
- Reload HAProxy - Reload HAProxy
with_items: '{{ haproxy_sni }}'
- name: Flush handlers - name: Flush handlers
meta: flush_handlers meta: flush_handlers
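Review bot: In the new `Enable HAProxy SNI backends` task the hostname goes into the regex unescaped, so `regex: '^{{ item.host }} '` treats the dots of `cloud.ccchb.de` as wildcards; `regex: '^{{ item.host | regex_escape }} '` makes it match only the exact host entry. Like the HTTP task it mirrors, it only ever adds lines, so a host removed from `haproxy_sni` keeps its `sni.map` entry and stays routable until someone edits the map by hand — rendering the whole map from a template would make the map converge to the inventory. In `Configure HAProxy SNI backends`, `mode: 0444` is an unquoted octal that only works because the YAML 1.1 parser happens to read it as 292; write `mode: '0444'`. The two `env touch` tasks create the map files with umask-derived ownership and permissions and never manage them afterwards; the `file` module with `state: touch`, `modification_time: preserve` and `access_time: preserve` can set `owner: root` and `group: wheel` in the same idempotent step. The first hunk's `Configure HAProxy HTTP backends` task continues outside the visible lines.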


@ -0,0 +1,9 @@
frontend sni
log global
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
bind ${BIND_V4}:443
bind ${BIND_V6}:443
use_backend %[req_ssl_sni,lower,map(/usr/local/etc/haproxy/sni.map)]
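Review bot: With only an `accept` rule under `tcp-request inspect-delay 5s`, a client that never sends a TLS ClientHello (plain HTTP or junk on 443) is held for the full 5 s and then accepted by HAProxy's default verdict before it reaches `use_backend` with an empty SNI; adding `tcp-request content reject if !{ req_ssl_hello_type 1 }` after the accept drops such connections as soon as the verdict is final instead of keeping them on the frontend. The map lookup has no `default_backend`, which looks like the right fail-closed choice — an unknown or absent SNI yields no backend and, as far as I can tell, the connection is closed — but a one-line comment saying this is intentional would stop a later maintainer "fixing" it with a catch-all backend. Nothing about the requested hostname is logged in TCP mode, so abuse of the passthrough cannot be traced; `tcp-request content capture req_ssl_sni len 64` together with a `log-format` that includes `%[capture.req.hdr(0)]` records the SNI per connection. `req_ssl_sni` and `req_ssl_hello_type` are the legacy spellings; current HAProxy documents them as `req.ssl_sni` and `req.ssl_hello_type`.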


@ -0,0 +1,11 @@
# {{ ansible_managed }}
backend sni_{{ item.host }}
mode tcp
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
tcp-response content accept if serverhello
option ssl-hello-chk
server {{ item.host }} {{ item.addr }}:{{ item.port | default("443") }} check
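Review bot: `option ssl-hello-chk` probes the backend with an SSLv3-formatted ClientHello and marks it healthy only if a ServerHello comes back, so a backend that has SSLv3 disabled may show as DOWN while real TLS clients work, and the probe says nothing about who answered; if HAProxy is built with SSL support, `server {{ item.host }} {{ item.addr }}:{{ item.port | default("443") }} check check-ssl verify none` performs a real handshake, and `verify required` with a `ca-file` plus `sni str({{ item.host }})` would additionally confirm the backend presents a valid certificate for the host. The `acl clienthello` / `acl serverhello` definitions and the two `accept` rules are no-ops in this backend: the frontend already accepted on the same condition, and a `tcp-response content accept` with no reject rule never changes the verdict — either drop them or add the reject they imply. `{{ item.host }}` is spliced into the backend name and the `server` line unquoted, which is fine only as long as `haproxy_sni` remains an operator-controlled inventory value; a comment stating that assumption would help. `rep_ssl_hello_type` is the legacy spelling; current HAProxy documents it as `res.ssl_hello_type`.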