sinjuginas/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

DOC: use the req.ssl_sni in examples

Browse Source 
This patch should be backported to at least 2.0
This commit is contained in:
Alex 2021-06-05 13:23:08 +02:00 committed by Willy Tarreau
parent 5e560e80c7
commit 5c866200d4
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/configuration.txt
View File

@ -13228,16 +13228,16 @@ use-server <server> unless <condition>
The "use-server" statement works both in HTTP and TCP mode. This makes it
suitable for use with content-based inspection. For instance, a server could
be selected in a farm according to the TLS SNI field when using protocols with
implicit TLS (also see "req_ssl_sni"). And if these servers have their weight
implicit TLS (also see "req.ssl_sni"). And if these servers have their weight
set to zero, they will not be used for other traffic.
Example :
# intercept incoming TLS requests based on the SNI field
use-server www if { req_ssl_sni -i www.example.com }
use-server www if { req.ssl_sni -i www.example.com }
server www 192.168.0.1:443 weight 0
use-server mail if { req_ssl_sni -i mail.example.com }
use-server mail if { req.ssl_sni -i mail.example.com }
server mail 192.168.0.1:465 weight 0
use-server imap if { req_ssl_sni -i imap.example.com }
use-server imap if { req.ssl_sni -i imap.example.com }
server imap 192.168.0.1:993 weight 0
# all the rest is forwarded to this server
server default 192.168.0.2:443 check
@ -18727,7 +18727,7 @@ ssl_fc_sni : string
matching the HTTPS host name (253 chars or less). The SSL library must have
been built with support for TLS extensions enabled (check haproxy -vv).
This fetch is different from "req_ssl_sni" above in that it applies to the
This fetch is different from "req.ssl_sni" above in that it applies to the
connection being deciphered by HAProxy and not to SSL contents being blindly
forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
requires that the SSL library is built with support for TLS extensions
@ -18998,13 +18998,13 @@ req_ssl_sni : string (deprecated)
the example below. See also "ssl_fc_sni".
ACL derivatives :
req_ssl_sni : exact string match
req.ssl_sni : exact string match
Examples :
# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_allow if { req_ssl_sni -f allowed_sites }
use_backend bk_allow if { req.ssl_sni -f allowed_sites }
default_backend bk_sorry_page
req.ssl_st_ext : integer