Недавно мне удалось настроить HAproxy.cfg для запуска HTTPS и SSTP на одном и том же порте и может распознавать некоторый трафик веб-сайтов по SNI. Однако, поскольку у меня несколько доменов, я бы предпочел распознавать SSTP и использовать HTTPS в качестве default_backend. Как настроить HAproxy с SSTP и HTTPS
Если я сравниваю SSTP и HTTPS с tshark, я вижу следующие различия:
HTTPS с использованием IP-адреса:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 61
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
HTTPS с использованием имени домена:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 331
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: server_name (len=26)
Type: server_name (0)
Length: 26
Server Name Indication extension
Server Name list length: 24
Server Name Type: host_name (0)
Server Name length: 21
Server Name: www.example.com
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
SSTP:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 45
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: signature_algorithms (len=22)
...
Extension: heartbeat (len=1)
Type: heartbeat (15)
Length: 1
Mode: Peer allowed to send requests (1)
Есть ли способ в синтаксисе haproxy.cfg проверить наличие Тип статуса сертификата: OCSP или Расширение: сердцебиение ?
Тоже взломал.
Когда я ищу только наличие SNI, мне не нужно перечислять каждый домен, и я могу мириться с ошибками IPv4-адресов.
frontend main 192.168.0.3:443 ssl
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type }
use_backend websites if { req_ssl_sni -m found }
default_backend sstp
В конце концов я нашел документацию по синтаксису на https://www.haproxy.com/de/documentation/hapee/1-7r1/traffic-management/acls/