| .. | ||
| gitea-www | ||
| haproxy-certificates | ||
| pages-www | ||
| .gitignore | ||
| dhparam.pem | ||
| docker-compose.yml | ||
| gitea.Caddyfile | ||
| haproxy.cfg | ||
| pages.Caddyfile | ||
| README.md | ||
| test.sh | ||
HAProxy with SNI & Host-based rules
This is a proof of concept, enabling HAProxy to use either SNI to redirect to backends with their own HTTPS certificates (which are then fully exposed to the client; HAProxy only proxies on a TCP level in that case), as well as to terminate HTTPS and use the Host header to redirect to backends that use HTTP (or a new HTTPS connection).
How it works
- The
http_redirect_frontendis only there to listen on port 80 and redirect every request to HTTPS. - The
https_sni_frontendlistens on port 443 and chooses a backend based on the SNI hostname of the TLS connection. - The
https_termination_backendpasses all requests to a unix socket (using the plain TCP data). - The
https_termination_frontendlistens on said unix socket, terminates the HTTPS connections and then chooses a backend based on the Host header.
In the example (see haproxy.cfg), the pages_backend is listening via HTTPS and is providing its own HTTPS certificates, while the gitea_backend only provides HTTP.
How to test
docker-compose up & ./test.sh docker-compose down # For manual testing: all HTTPS URLs connect to localhost:443 & certificates are not verified. ./test.sh [curl-options...] <url> 