HAProxy with SNI & Host-based rules
This is a proof of concept showing how a single HAProxy instance can do both of the following on port 443: pass TLS connections through unchanged to backends that present their own HTTPS certificates, selected by the SNI hostname (HAProxy only proxies at the TCP level in that case, so the backend's certificate is what the client sees and HAProxy never sees the plaintext), and terminate HTTPS itself and route on the Host header to backends that speak plain HTTP (or to which it opens a new HTTPS connection).
How it works
http_redirect_frontend only listens on port 80 and redirects every request to HTTPS.
https_sni_frontend listens on port 443 in TCP mode and chooses a backend based on the SNI hostname of the TLS ClientHello.
https_termination_backend forwards the raw, still-encrypted TCP stream to a unix socket.
https_termination_frontend listens on that unix socket, terminates the HTTPS connection and then chooses a backend based on the Host header.
In the example (see haproxy.cfg), pages_backend listens via HTTPS and provides its own HTTPS certificates (so it is reached by SNI passthrough), while gitea_backend only provides HTTP (so it is reached through the terminating frontend).
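The following is an added illustrative configuration of the layout described above, written for this page; it is not the repository's own haproxy.cfg. The hostnames (pages.example.com, gitea.example.com), backend addresses, certificate path and socket path are assumptions. It also adds two things a practitioner would want that the description does not mention: PROXY protocol across the unix socket hop so the terminating frontend still sees the real client address, and a deny rule for unknown Host headers, since a client is free to send an SNI value and a Host header that disagree.

```haproxy
global
    # dhparam.pem as shipped in the repo; path is an assumption
    ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: redirect everything to HTTPS, keeping host and path
frontend http_redirect_frontend
    bind *:80
    mode http
    http-request redirect scheme https code 301

# Port 443: TCP mode, buffer the ClientHello and route on SNI only.
# No HTTP-level inspection is possible here; HAProxy never sees plaintext
# for connections that go to pages_backend.
frontend https_sni_frontend
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough: pages_backend presents its own certificate to the client
    use_backend pages_backend if { req.ssl_sni -i pages.example.com }
    # Everything else is terminated locally
    default_backend https_termination_backend

# Raw TCP to the backend that speaks TLS itself (assumed address)
backend pages_backend
    mode tcp
    server pages 127.0.0.1:8443 check

# Hand the still-encrypted stream to the terminating frontend over a unix socket.
# send-proxy-v2 carries the original client address across the hop.
backend https_termination_backend
    mode tcp
    server termination unix@/var/run/haproxy-tls.sock send-proxy-v2

# Terminate TLS here (crt directory holds the HAProxy-owned certificates,
# selected by SNI), then route on the Host header.
frontend https_termination_frontend
    bind unix@/var/run/haproxy-tls.sock accept-proxy ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    mode http
    http-request set-header X-Forwarded-Proto https
    # SNI and Host can disagree; refuse anything we do not explicitly serve
    http-request deny if !{ req.hdr(host) -i gitea.example.com }
    use_backend gitea_backend if { req.hdr(host) -i gitea.example.com }

# Plain HTTP backend (assumed address)
backend gitea_backend
    mode http
    server gitea 127.0.0.1:3000 check
```

Note that `ssl-dh-param-file`, the `crt` directory and the deny rule only apply to the terminated path; for the SNI passthrough path the backend's own TLS configuration is what the client negotiates against, so cipher and certificate hygiene has to be enforced there.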
How to test
```sh
docker-compose up &
./test.sh
docker-compose down

# For manual testing: all HTTPS URLs connect to localhost:443 & certificates are not verified.
./test.sh [curl-options...] <url>
```