I have an HAProxy 1.5 setup which offloads SSL in front of a couple of web servers (this way, they deal only with HTTP).

My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN.

My frontend config looks like this:

...
frontend my-frontend
    # SSL is terminated here with the wildcard certificate
    bind            ip:443 ssl crt /var/etc/haproxy/wildcard_cert.pem
    mode            http
    log             global
    option          httplog
    option          forwardfor

    # first pair of rules: select the backend from the TLS SNI value
    # (known as soon as the ClientHello is read, once per connection)
    use_backend     my-backend      if { ssl_fc_sni my.domain.org }
    use_backend     my-backend2     if { ssl_fc_sni my2.domain.org }

    # second pair of rules: select the backend from the HTTP Host header
    # (known only once the request has been parsed, once per request)
    acl             is-domain   hdr(host) -i my.domain.org
    acl             is-domain2  hdr(host) -i my2.domain.org
    use_backend     my-backend if is-domain
    use_backend     my-backend2 if is-domain2
...

The special option ssl_fc_sni can be used in the case of SSL offloading to access the SNI value (whereas the other option, req_ssl_sni, applies in the case of SSL pass-through).

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ssl_fc_sni

I wanted to know whether ssl_fc_sni performs faster than HTTP header extraction ACLs. Is there a chance for HAProxy to extract the SNI value and use it before reading the HTTP content, extracting the Host: header and computing my second ACL?

Or is the performance just the same?

Thanks,

Thibaut A.

1 Answer

I've asked the same question on the haproxy mailing list and I got an answer:

  1. ssl_fc_sni performs faster than hdr(host), but it will be imperceptible.
  2. It's a bad idea to use the SNI value as a backend selector. The basic hdr(host) is definitely more standard, clean and safe.

Mailing list archive : http://marc.info/?l=haproxy&m=144490809910124&w=2

  • Willy's post seems to be implying that the SNI can be more easily spoofed than the host, is that why it is "more standard, clean and safe"? – moodboom May 10 '17 at 04:06
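The following is an added example, not part of the question, the answer or the mailing-list thread. It models the backend selection made by the posted config in plain Python so the difference between the two rule pairs is visible on constructed requests: the SNI value is sent once per TLS connection in the ClientHello, while the Host header arrives with every request, so on a keep-alive connection the two can disagree. The backend and host names are taken from the posted config; the `route_strict` variant (refuse a request whose Host does not agree with the SNI) and the port-stripping in `normalize_host` are this example's own additions, and the `{ ssl_fc_sni ... }` rule is modelled as an exact, case-sensitive string match while `hdr(host) -i` is modelled as case-insensitive.

```python
# Added example (not part of the original question or answer): a small model
# of the routing decision the posted HAProxy config makes, showing where
# selecting a backend on the TLS SNI value and on the HTTP Host header diverge.
# Backend names and hostnames come from the posted config; every connection
# and request below is constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# hostname -> backend, mirroring the two use_backend pairs in the config
BACKENDS = {
    "my.domain.org": "my-backend",
    "my2.domain.org": "my-backend2",
}


@dataclass
class TlsConnection:
    """One TLS session. The SNI is sent once, in the ClientHello, and is
    None when the client sends no server_name extension at all."""
    sni: Optional[str]


@dataclass
class HttpRequest:
    """One HTTP request on that connection; with keep-alive there are many."""
    host: Optional[str]


def normalize_host(host: Optional[str]) -> Optional[str]:
    """Lower-case the Host header (the `-i` flag on the hdr(host) ACL) and
    drop an explicit port such as 'my.domain.org:443' (our own addition)."""
    if host is None:
        return None
    host = host.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host.split("]")[0] + "]"
    return host.split(":", 1)[0]


def route_by_host(conn: TlsConnection, req: HttpRequest) -> Optional[str]:
    """Only the hdr(host) ACLs: decided per request, case-insensitive.
    None means no use_backend rule matched (HAProxy would fall back to
    default_backend, which the posted config does not show)."""
    return BACKENDS.get(normalize_host(req.host))


def route_by_sni(conn: TlsConnection, req: HttpRequest) -> Optional[str]:
    """The posted config as written: the ssl_fc_sni rules come first, so an
    exact (case-sensitive) SNI match wins for every request on the
    connection; only an absent or non-matching SNI falls through to the
    Host header rules."""
    if conn.sni in BACKENDS:
        return BACKENDS[conn.sni]
    return route_by_host(conn, req)


def route_strict(conn: TlsConnection, req: HttpRequest) -> Optional[str]:
    """Hardened variant (our own addition): route on Host, but refuse the
    request when the client presented an SNI naming a different host than
    the one the HTTP request claims to be for."""
    host = normalize_host(req.host)
    if conn.sni is not None and conn.sni.lower() != host:
        return "deny"
    return BACKENDS.get(host)


def demo_keepalive(sni: Optional[str], hosts: List[Optional[str]]
                   ) -> List[Tuple[Optional[str], Optional[str],
                                   Optional[str], Optional[str]]]:
    """Send several keep-alive requests over one TLS session and return, per
    request, (Host, backend by SNI rule, backend by Host rule, strict)."""
    conn = TlsConnection(sni)
    return [
        (h,
         route_by_sni(conn, HttpRequest(h)),
         route_by_host(conn, HttpRequest(h)),
         route_strict(conn, HttpRequest(h)))
        for h in hosts
    ]


if __name__ == "__main__":
    # Constructed session: SNI names my.domain.org, but the second request on
    # the same connection asks for my2.domain.org. The SNI rule sends both to
    # my-backend; the Host rule splits them; the strict variant denies the
    # second one.
    for host, by_sni, by_host, strict in demo_keepalive(
            "my.domain.org", ["my.domain.org", "my2.domain.org:443"]):
        print(f"Host={host!r:22} sni-rule={str(by_sni):12} "
              f"host-rule={str(by_host):12} strict={strict}")
```

Run it as a script to see the three columns side by side. The point it makes is the one behind "more standard, clean and safe": with ssl_fc_sni first, every request on a connection is routed by whatever the client put in the ClientHello, whatever its Host header says, so a client can reach my-backend2 while presenting an SNI of my.domain.org (or the reverse). Routing on Host alone keeps the decision tied to the request the backend actually receives; if you want the SNI to matter at all, use it as an extra check against the Host rather than as the selector.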