From 6cdc654d042ebcf2724ca27c010e0ff73af3f759 Mon Sep 17 00:00:00 2001
From: Daniel afx
Date: Mon, 7 Feb 2022 06:09:13 +0200
Subject: [PATCH] switch acls based on SNI

---
 lb/haproxy.cfg | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/lb/haproxy.cfg b/lb/haproxy.cfg
index 6c10563..7927677 100644
--- a/lb/haproxy.cfg
+++ b/lb/haproxy.cfg
@@ -57,13 +57,24 @@ frontend https
 http-response set-header Access-Control-Max-Age 3628800
 http-response set-header Access-Control-Allow-Methods "GET"
- # ACL
- acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
- acl is_forestnet hdr(host)-i forest.deflax.net
- acl is_forestdb hdr(host) -i db.forest.deflax.net
- acl is_osmap hdr(host) -i map.deflax.net
+ # SNI ACLs
+ acl is_forestnet ssl_fc_sni -i forest.deflax.net
+ acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
+ acl is_osmap ssl_fc_sni -i map.deflax.net
+ # IP ACls
+ acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
+ tcp-request connection reject if is_forestdb !is_allowed
+
+ tcp-request inspect-delay 2s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+
+ http-request set-header X-Forwarded-Protocol https
+ http-request set-header X-Forwarded-Proto https
+ http-request set-header X-Forwarded-Ssl on
+ http-request set-header X-Url-Scheme https
+ http-request set-header Host %[ssl_fc_sni]
 use_backend forestnet if is_forestnet
 use_backend forestdb if is_forestdb