如何使HAProxy基于SNI路由TCP(使用openssl s

本文介绍了如何使HAProxy基于SNI路由TCP(使用openssl s_client进行测试)?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我想使用HAProxy终止TLS加密的TCP连接，并根据用于启动TLS连接的服务器名称指示将未加密的TCP通信传递给各种后端.

I want to use HAProxy to terminate TLS-encrypted TCP connnections and to pass the unencrypted TCP traffic to various backends based on the Server Name Indication used to initiate the TLS connection.

我在后端服务器上运行3个服务，每个服务都在不同的端口(5001、5002、5003)上. HAProxy绑定到端口5000.我想按名称将连接路由到前2个服务，如果没有匹配项，则路由到第三个.我正在使用openssl s_client启动到HAProxy的连接.但是，在日志中，我可以看到连接仅路由到默认服务器，即SNI似乎被忽略了.

I have 3 services running on a backend server, each on a different port (5001, 5002, 5003). HAProxy binds to port 5000. I'd like to route connections to the first 2 servies by name or to the third if there is not a match. I am initiating the connecton to HAProxy using openssl s_client. However, in the logs I can see that the connections are only ever routed to the default server, i.e. the SNI seems to be ignored.

DNS:

A record demo.sni.example 1.2.3.4 CNAME 1.sni.example pointing to demo.sni.example CNAME 2.sni.example pointing to demo.sni.example

即我希望进行以下路由:

i.e. I'd like the following routing to occur:

SNI = 1.sni.example:5000 -> 1.2.3.4:5001 SNI = 2.sni.example:5000 -> 1.2.3.4:5002 anything else on port 5000 -> 1.2.3.4:5003

haproxy.cfg:

global log stdout format raw local0 info defaults timeout client 30s timeout server 30s timeout connect 5s option tcplog frontend tcp-proxy bind :5000 ssl crt combined-cert-key.pem mode tcp log global tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } use_backend bk_sni_1 if { req.ssl_sni -i 1.sni.example } use_backend bk_sni_2 if { req.ssl_sni -i 2.sni.example } default_backend bk_default backend bk_sni_1 mode tcp log global balance roundrobin server server1 1.2.3.4:5001 check backend bk_sni_2 mode tcp log global balance roundrobin server server1 1.2.3.4:5002 check backend bk_default mode tcp log global balance roundrobin server server1 1.2.3.4:5003 check

combined-cert-key.pem是一个自签名证书文件，加上密钥，其中CN是服务器的IP(1.2.3.4)，并且具有所有DNS值和IP的SAN.

combined-cert-key.pem is a self-signed certificate file plus key where the CN is the IP of the server (1.2.3.4) and there are SANs of all DNS values and the IP.

使用openssl s_client发起的连接:

Connections initiated using openssl s_client:

我尝试通过DNS(A和CNAME记录以及IP)进行连接:

I have tried connecting via DNS (A & CNAME records, as well as IP):

echo test | openssl s_client -connect demo.sni.example:5000 -servername 1.sni.example echo test | openssl s_client -connect 1.sni.example:5000 -servername 1.sni.example echo test | openssl s_client -connect 1.2.3.4:5000 -servername 1.sni.example

但是，所有连接都路由到默认后端bk_default.

However, all connections are routed to the default backend bk_default.

是什么导致HAProxy无法识别SNI服务器名? (我正在使用最新的HAProxy docker映像: hub.docker/__/haproxy )

What is causing HAProxy to not recognise the SNI servername? (I am using the latest HAProxy docker image: hub.docker/_/haproxy)

推荐答案

答案是使用 ssl_fc-sni ，而不是req.ssl_sni.前者用于SSL终止的会话，而后者用于TCP直接通过的会话.

The answer is to use ssl_fc-sni, instead of req.ssl_sni. The former is for SSL-terminated sessions, whereas the latter is for sessions where TCP is passed straight through.