switch acls based on SNI

This commit is contained in:
Daniel afx 2022-02-07 06:09:13 +02:00
parent 11961a80c4
commit 6cdc654d04


@ -57,13 +57,24 @@ frontend https
http-response set-header Access-Control-Max-Age 3628800
http-response set-header Access-Control-Allow-Methods "GET"
# ACL
acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
acl is_forestnet hdr(host)-i forest.deflax.net
acl is_forestdb hdr(host) -i db.forest.deflax.net
acl is_osmap hdr(host) -i map.deflax.net
# SNI ACLs
acl is_forestnet ssl_fc_sni -i forest.deflax.net
acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
acl is_osmap ssl_fc_sni -i map.deflax.net
# IP ACls
acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
tcp-request connection reject if is_forestdb !is_allowed
tcp-request inspect-delay 2s
tcp-request content accept if { req_ssl_hello_type 1 }
http-request set-header X-Forwarded-Protocol https
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Ssl on
http-request set-header X-Url-Scheme https
http-request set-header Host %[ssl_fc_sni]
use_backend forestnet if is_forestnet
use_backend forestdb if is_forestdb