# Uses proxy protocol in HAProxy in combination with SNI to preserve the original host address # Update the config.json to work with HAProxy # Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener) # "tlsOffload": "10.1.1.10", # # Specify the HAPRoxy URL with the hostname to get the certificate # "certUrl": "https://mc.publicdomain.com:443/" frontend sni-front bind 10.1.1.10:443 mode tcp tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } default_backend sni-back backend sni-back mode tcp acl gitlab-sni req_ssl_sni -i gitlab.publicdomain.com acl mc-sni req_ssl_sni -i mc.publicdomain.com use-server gitlabSNI if gitlab-sni use-server mc-SNI if mc-sni server mc-SNI 10.1.1.10:1443 send-proxy-v2-ssl-cn frontend mc-front-HTTPS mode http option forwardfor bind 10.1.1.10:1443 ssl crt /etc/haproxy/vm.publicdomain.net.pem accept-proxy http-request set-header X-Forwarded-Proto https option tcpka default_backend mc-back-HTTP backend mc-back-HTTPS mode http option forwardfor http-request add-header X-Forwarded-Host %[req.hdr(Host)] option http-server-close server mc-01 10.1.1.30:443 check port 443 verify none # In the event that it is required to have TLS between HAProxy and Meshcentral, # Remove the tls_Offload line and replace with trustedProxy # Specify the IP addrehostname that the traffic will come from HAProxy (this might not be the address that is bound to the listener) # "trustedProxy": "10.1.1.10", # and change the last line of backend mc-back-HTTPS to use HTTPS by adding the ssl keyword # server mc-01 10.1.1.30:443 check ssl port 443 verify none