acutealex Posted August 3, 2020

Has anyone been able to, or does anyone know if it's possible to, put a reverse proxy in front of Plastic SCM and direct to the proper servers based off hostname/SNI?

E.g. a DNS record for *.plastic.example.com directs you to a static IP address where a reverse proxy is served.

    ssl://repo-1.plastic.example.com:8088 -> ssl://repo-1:8088 (internal)
    ssl://repo-2.plastic.example.com:8088 -> ssl://repo-2:8088 (internal)

I believe the SSL connection contains a Server Name Indicator (SNI), so I think it should be possible?

acutealex (Author) Posted August 3, 2020

So it seems this is possible with haproxy, though it's fiddly/brittle:

    # Adjust the timeout to your needs
    defaults
        timeout client 30s
        timeout server 30s
        timeout connect 5s
        log stdout format raw local0

    # Single VIP
    frontend ft_ssl_vip
        bind *:8088
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        default_backend bk_ssl_default

    # Using SNI to take routing decision
    backend bk_ssl_default
        mode tcp
        # replace plastic.example.com with desired hostname
        acl application_1 req_ssl_sni -i plastic.example.com
        use-server server1 if application_1
        option ssl-hello-chk
        # replace XXX.XXX.XXX.XXX with internal ip
        server server1 XXX.XXX.XXX.XXX:8088 check

calbzam Posted August 10, 2020

Thanks for the update!

Carlos.

Xavier Posted December 4, 2022

Thank you @acutealex! I've managed to get this working using HAProxy on pfSense. Here are two screenshots showing my configuration, in case someone else might need it. Compared to the previous solution in this thread, I am doing SSL offloading at the frontend.