On Tue, Mar 27, 2012 at 21:35, Michal Trojnara Michal.Trojnara@mirt.net wrote:
yyy wrote:
What does server log says? Is it accepting connection at https_one? (I had a similar problem, server worked as expected (at least when connecting from openssl s_client), but client did not appear to support sni).
Great reply. Some debug logs might indeed be useful.
Right. I assumed this is a known issue.
Also "proxy" protocol is implemented before SSL protocol negotiation. The option should be supplied in the master (accepting) service.
Good to know. Even better if that was documented somewhere :)
Extract from my config:
[https_default] accept = 443 protocol = proxy connect = 10443 TIMEOUTclose = 0 session = 86400 cert = xxx.crt key = xxx.key
[https_yyy] sni = https_default:yyy.xxx.org connect = 10442 TIMEOUTclose = 0 session = 86400 cert = yyy.crt key = yyy.key
Haproxy listens on 10443, nobody listens on 10442.
Connecting to yyy.xxx.org, I would expect it to be closed/refused/dropped as nobody is listening on 10442, but instead:
2012.03.29 15:04:24 LOG5[22022:3076066080]: stunnel 4.52 on i686-pc-linux-gnu platform 2012.03.29 15:04:24 LOG5[22022:3076066080]: Compiled/running with OpenSSL 1.0.1 14 Mar 2012 [...] 2012.03.29 15:00:54 LOG7[21966:3076729632]: Service https_default accepted FD=17 from aaa:56413 2012.03.29 15:00:54 LOG7[21966:3076373360]: Service https_default started 2012.03.29 15:00:54 LOG5[21966:3076373360]: Service https_default accepted connection from aaa:56413 2012.03.29 15:00:54 LOG6[21966:3076373360]: connect_blocking: connecting 127.0.0.1:10443 2012.03.29 15:00:54 LOG7[21966:3076373360]: connect_blocking: s_poll_wait 127.0.0.1:10443: waiting 10 seconds 2012.03.29 15:00:54 LOG5[21966:3076373360]: connect_blocking: connected 127.0.0.1:10443 2012.03.29 15:00:54 LOG5[21966:3076373360]: Service https_default connected remote server from 127.0.0.1:53832 2012.03.29 15:00:54 LOG7[21966:3076373360]: Remote FD=18 initialized 2012.03.29 15:00:54 LOG6[21966:3076373360]: Server-mode proxy protocol negotiations started 2012.03.29 15:00:54 LOG7[21966:3076373360]: -> PROXY TCP4 aaa bbb 56413 443 2012.03.29 15:00:54 LOG6[21966:3076373360]: Server-mode proxy protocol negotiations succeeded 2012.03.29 15:00:54 LOG5[21966:3076373360]: SNI: switched to section https_yyy
So, 'connect' option in the slave service seems to be ignored, and stunnel happily connects to 10443.
Also, slave / SNI seems to be working otherwise as the browser doesn't complain about bad certificate for yyy.xxx.org.
Marek