Plastic behind reverse proxy

[acutealex]

Has anyone been able / knows if its possible to put a reverse proxy in front of Plastic SCM and direct to the proper servers based off hostname/SNI?

E.g.

A DNS record for *.plastic.example.com directs you to a static IP address where a reverse proxy is served.

ssl://repo-1.plastic.example.com:8088 -> ssl://repo-1:8088 (internal)

ssl://repo-2.plastic.example.com:8088 -> ssl://repo-2:8088 (internal)

I believe the ssl connection contains a Server Name Indicator (SNI) so I think it should be possible? 

[acutealex]

So it seems this is possible with haproxy though its fiddly/brittle:

# Adjust the timeout to your needs
defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s
  log stdout format raw local0

# Single VIP
frontend ft_ssl_vip
  bind *:8088
  mode tcp

  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
  mode tcp

  # replace plastic.example.com with desired hostname
  acl application_1 req_ssl_sni -i plastic.example.com

  use-server server1 if application_1

  option ssl-hello-chk
  # replace XXX.XXX.XXX.XXX with internal ip
  server server1 XXX.XXX.XXX.XXX:8088 check

 

[calbzam]

Thanks for the update!

Carlos.

[Xavier]

Thank you @acutealex!
I've managed to get this working using HAProxy on pfSense.

Here are two screenshots showing my configuration, in case someone else might need it.
Compared to the previous solution in this thread, I am doing SSL offloading at the frontend.