Recentemente, consegui configurar o HAproxy.cfg para executar o HTTPS e o SSTP na mesma porta e posso reconhecer o tráfego de alguns sites pelo SNI. No entanto, como tenho vários domínios, eu preferiria reconhecer o SSTP e ter o HTTPS como default_backend. Como configurar o HAproxy com SSTP e HTTPS
Se eu comparar SSTP e HTTPS com tshark, vejo as seguintes diferenças:
HTTPS usando o endereço IP:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 61
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
HTTPS usando nome de domínio:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 331
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: server_name (len=26)
Type: server_name (0)
Length: 26
Server Name Indication extension
Server Name list length: 24
Server Name Type: host_name (0)
Server Name length: 21
Server Name: www.example.com
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
SSTP:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 45
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: signature_algorithms (len=22)
...
Extension: heartbeat (len=1)
Type: heartbeat (15)
Length: 1
Mode: Peer allowed to send requests (1)
Existe uma maneira na sintaxe haproxy.cfg de verificar o Tipo de status do certificado: OCSP ou Extensão: heartbeat ?
Quebrou essa também.
Ao procurar apenas pela presença de um SNI, não preciso listar todos os domínios, e posso tolerar a falha dos endereços IPv4.
frontend main 192.168.0.3:443 ssl
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type }
use_backend websites if { req_ssl_sni -m found }
default_backend sstp
Eu finalmente encontrei a documentação da sintaxe em link
Tags https linux-networking haproxy sstp