f407fd3ae4
Reviewed-on: https://codeberg.org/Codeberg/pages-server/pulls/319 Reviewed-by: crapStone <codeberg@crapstone.dev> Co-authored-by: pat-s <patrick.schratz@gmail.com> Co-committed-by: pat-s <patrick.schratz@gmail.com> |
||
---|---|---|
.. | ||
gitea-www | ||
haproxy-certificates | ||
pages-www | ||
.gitignore | ||
dhparam.pem | ||
docker-compose.yml | ||
gitea.Caddyfile | ||
haproxy.cfg | ||
pages.Caddyfile | ||
README.md | ||
test.sh |
HAProxy with SNI & Host-based rules
This is a proof of concept, enabling HAProxy to use either SNI to redirect to backends with their own HTTPS certificates (which are then fully exposed to the client; HAProxy only proxies on a TCP level in that case), as well as to terminate HTTPS and use the Host header to redirect to backends that use HTTP (or a new HTTPS connection).
How it works
- The
http_redirect_frontend
is only there to listen on port 80 and redirect every request to HTTPS. - The
https_sni_frontend
listens on port 443 and chooses a backend based on the SNI hostname of the TLS connection. - The
https_termination_backend
passes all requests to a unix socket (using the plain TCP data). - The
https_termination_frontend
listens on said unix socket, terminates the HTTPS connections and then chooses a backend based on the Host header.
In the example (see haproxy.cfg), the pages_backend
is listening via HTTPS and is providing its own HTTPS certificates, while the gitea_backend
only provides HTTP.
How to test
docker-compose up &
./test.sh
docker-compose down
# For manual testing: all HTTPS URLs connect to localhost:443 & certificates are not verified.
./test.sh [curl-options...] <url>