From 494c7da0a7347d2077967d9961f4f9f9e7b94aac Mon Sep 17 00:00:00 2001
From: thermionic
Date: Mon, 22 Aug 2022 07:34:24 +0100
Subject: [PATCH] HAProxy split trustedProxy into secondary section mini explanation on when to use trustedProxy instead of tlsOffload
---
docs/Example configs/haproxy-with-sni-sample.cfg | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/docs/Example configs/haproxy-with-sni-sample.cfg b/docs/Example configs/haproxy-with-sni-sample.cfg
index 4fb3a8d7..a1f23cad 100644
--- a/docs/Example configs/haproxy-with-sni-sample.cfg
+++ b/docs/Example configs/haproxy-with-sni-sample.cfg
@@ -1,12 +1,10 @@
 # Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address
 # Update the config.json to work with HAProxy
+# Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener)
+# "tlsOffload": "10.1.1.10",
 #
-# Specify the hostname and port that has the public certificate
-# "tlsOffload": "https://mc.publicdomain.com:443",
-#
-# Specify the IP address of the HAProxy instance (this might not be the address that is bound to the listener).
-# "TrustedProxy": "10.1.1.10",
-
+# Specify the HAPRoxy URL with the hostname to get the certificate
+# "certUrl": "https://mc.publicdomain.com:443/"
 frontend sni-front
 bind 10.1.1.10:443
@@ -38,3 +36,9 @@ backend mc-back-HTTPS
 option http-server-close
 server mc-01 10.1.1.30:443 check port 443 verify none
+# In the event that it is required to have TLS between HAProxy and Meshcentral,
+# Remove the tls_Offload line and replace with trustedProxy
+# Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener)
+# "trustedProxy": "10.1.1.10",
+# and change the last line of backend mc-back-HTTPS to use HTTPS by adding the ssl keyword
+# server mc-01 10.1.1.30:443 check ssl port 443 verify none
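Review bot: The new instructions for TLS between HAProxy and MeshCentral in the second hunk keep `verify none` on the proposed server line, so the backend hop is encrypted but HAProxy never validates MeshCentral's certificate, and a reader following the comment ends up with no authentication of the backend. The comment should say that `verify none` disables certificate checking and that a verified connection needs `verify required` together with `ca-file` pointing at the CA that issued the backend certificate, e.g. `# server mc-01 10.1.1.30:443 check ssl verify required ca-file <path-to-backend-ca> port 443`. Both hunks also carry the typo `addrehostname` (presumably "IP address/hostname"), and the first hunk has `HAPRoxy`. The second hunk refers to the key as `tls_Offload` while the first writes `tlsOffload`, so the two sections should agree on the config.json key name.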