#1 2014-05-31 08:28:31

deadlyllama
Member
Registered: 2014-05-31
Posts: 1

SNI based SSL

With modern HAProxy it should be possible to use SNI to direct IPv4 HTTPS traffic to the correct hosts.  This can be done by HAProxy without needing any SSL certs in HAProxy itself -- it can be configured to look at the SNI header and forward the connection on.

There's a special-purpose tool for doing this too called "sniproxy" but if you're already running HAProxy, using that makes sense.

Offline

#2 2014-05-31 18:29:23

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,298
Website

Re: SNI based SSL

SSL support with HA-Proxy is still in the dev branch, and SNI support is only available from the nightly snapshots; those from the 8th of April are compatible with it (with no known bugs).


Not sure that nightly builds are good for a production service.

Offline

#3 2014-06-16 06:19:28

willie
Trusted Member
Registered: 2013-05-05
Posts: 405

Re: SNI based SSL

Note also there are still a lot of systems out there (including Windows XP) that don't recognize SNI and that will be around forever.  But for lots of uses SNI is fine, so it will be cool to have it.  Meanwhile running an SSL server on a high port number isn't that bad.  Heck, the certificate costs more than the LES server does.

Maybe it would be useful to just proxy SSL through an LES-wide certificate, hmm.  Or let's see, have a wildcard cert (private key managed by LES and not available to users) remoted from servers running on LES's.  There is some new code coming that will help with this.  I'll see if I can figure out details and explain more clearly if anyone cares.

Offline

#4 2014-06-16 11:01:38

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,298
Website

Re: SNI based SSL

When HAProxy supports ssl in a production release then it will be considered.

This has been discussed in the past and that was the reply then, don't think it changed now.

Offline

#5 2014-06-26 15:57:04

lhobas
Trusted Member
Registered: 2014-06-26
Posts: 24

Re: SNI based SSL

No use for this myself atm, but HAProxy reached non-alpha-beta 1.5.0 last week (there is a 1.5.1 already, even), so a production release with SNI SSL forwarding is now available.

Do have experience with sniproxy, works really well for quick geo-proxying (override DNS record for a domain, set to server with sniproxy configured, and go). Also works for an IPv6-to-IPv4 use case.

Offline

#6 2015-02-15 21:23:04

01
Member
Registered: 2015-02-13
Posts: 9

Re: SNI based SSL

+1 for SNI SSL forwarding when the relevant HAProxy is stable. I would certainly use this feature.

Related to this, but slightly off topic for this thread. gogetssl.com are selling $4.84 1 year SSL certificates which is the cheapest I've seen. The product is called "GGSSL Domain SSL" and is not advertised on the main page, but if you log into your account and view the full range it's there. I own a couple. I have not tested them too widely but they certainly work fine in recent Chrome and Firefox. I use them on my LES VPSs. I hope this is useful info for folks.

Offline

#7 2015-02-15 21:27:14

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

As soon as the SNI supporting haproxy version hits the stable repo for centos I will enable it :)


http://LittleHappyCloud.net KVM VPS with 1TB Bandwidth for €3.00

Offline

#8 2015-02-15 21:30:13

01
Member
Registered: 2015-02-13
Posts: 9

Re: SNI based SSL

That's awesome. Thanks.

Offline

#9 2016-03-26 11:08:45

demeops
Trusted Member
Registered: 2016-03-26
Posts: 4

Re: SNI based SSL

And, how is the status?
I want to get a NAT VPS but I really need also SNI based SSL.
And please do not suggest me CloudFlare because I will not use them.

Last edited by demeops (2016-03-26 11:09:00)

Offline

#10 2016-03-26 11:13:27

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

I will have another look over the next few days and see what is possible.



Offline

#11 2016-03-26 11:27:28

demeops
Trusted Member
Registered: 2016-03-26
Posts: 4

Re: SNI based SSL

I saw this screenshot in the topic 1152.
WjNuVMt.png

Maybe, there could be a 'Certificate' button on the left to the 'Remove' button. If there is a certificate uploaded, then the SSL port for the domain is forwarded. But it would be much easier, when also *.lowendspirit.com will be mapped for the domain lowendspirit.com, so that there is only one certificate to be handled per proxy domain entry.

Last edited by demeops (2016-03-26 11:28:09)

Offline

#12 2016-03-26 13:47:53

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

It's not quite that simple for the backend and requires assistance from others to properly integrate.



Offline

#13 2016-03-26 14:34:33

demeops
Trusted Member
Registered: 2016-03-26
Posts: 4

Re: SNI based SSL

Which assistance is required? I do not see any obstacle why it should not work fully automated. How about using the SSL pass-through from HAProxy?

Last edited by demeops (2016-03-26 14:36:17)

Offline

#14 2016-03-26 14:48:20

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

demeops wrote:

Which assistance is required? I do not see any obstacle why it should not work fully automated. How about using the SSL pass-through from HAProxy?

Of course you don't see it, you don't run the back end and obviously have no idea what is required from my side, it is not the click of a button.



Offline

#15 2016-03-26 15:51:31

demeops
Trusted Member
Registered: 2016-03-26
Posts: 4

Re: SNI based SSL

Why so angry? Do you have a bad day? Do you think I am not appreciating your work?
I am thinking about canceling all my contracts with InceptionHosting because of this…

Last edited by demeops (2016-03-26 15:53:57)

Offline

#16 2016-04-25 09:10:15

Neoon
Trusted Member
Registered: 2013-05-18
Posts: 161

Re: SNI based SSL

Any Updates?

Offline

#17 2016-04-25 10:21:54

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

Just waiting for DNS-01 to be fully implemented into Let's Encrypt stable, and I intend on adding a separate haproxy IP for SSL; from the end user perspective it will essentially be SSL on/off within solusvm.



Offline

#18 2016-04-25 13:13:01

Neoon
Trusted Member
Registered: 2013-05-18
Posts: 161

Re: SNI based SSL

You mean ACME Support? However, it would be also neat if other Providers like RansomIT, GestionDBI and EvoBurst can roll this out at the same time.

Do you have any ETA?

Offline

#19 2016-04-25 13:44:22

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

Not right now sorry.



Offline

#20 2016-09-27 01:41:16

zwv970
Trusted Member
Registered: 2016-01-30
Posts: 77

Re: SNI based SSL

5 months later - any updates?

Offline

#21 2016-09-27 10:03:28

Backtogeek
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 3,500
Website

Re: SNI based SSL

Updates are that sniproxy should be a direct swap out for haproxy; however, because solusvm development is dead, I have to find out how to sort that out myself on closed source software. It is on the radar.



Offline

#22 2016-09-27 10:03:42

Simonindia
Moderator and your buddy
From: India
Registered: 2015-06-05
Posts: 593

Re: SNI based SSL

There is a lot going on. @David has done some new things with Let's Encrypt; the same will follow to the rest of LES sooner. It's just an assumption.


Have a great day


Just trying my best to help. ♥
“Remember to always be yourself. Unless you suck.” -Joss Whedon
“Do what you can, with what you have, where you are.” -Theodore Roosevelt

Offline
