On 11/20/20 1:52 PM, Howard Chu wrote:
> Paul B. Henson wrote:
>> On 11/19/2020 1:37 PM, Howard Chu wrote:
>>> This would require that you actually read and process the proxy header immediately after the accept call. It strikes me that this is the wrong thing to do, if you also want to support TLS.
>> Unless I'm misunderstanding the specification, that is the only way it would work. The TLS negotiation, barring TLS interception by the proxy, is between the client and the backend server, not between the proxy and the backend server.
> Yes, I understand that any TLS session initiated by the client is only between the client and the proxy server.
No, this is not necessarily the case. HAProxy can act as an application-level proxy for some protocols (IIRC HTTP and SMTP) or as a TCP relay.
Paul mentioned the latter case, where slapd is the TLS server end-point also from the client's perspective and HAProxy does *not* break up the TLS connection.
Ciao, Michael.
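
The ordering discussed in this thread, as an added example that is not part of the original messages and is not slapd or HAProxy code: with the proxy acting as a TCP relay, the PROXY protocol header (v1 text or v2 binary) arrives ahead of the client's TLS ClientHello, so the backend has to strip it right after accept and hand only the remainder to TLS. The function names and the sample byte strings are constructed for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

def split_proxy_header(buf: bytes):
    """Return (client (ip, port) or None, bytes that follow the header).

    Call on the first bytes read after accept(), before any TLS processing,
    and only for connections whose peer is a trusted proxy address.
    """
    if buf.startswith(V2_SIG):
        if len(buf) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
        if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1 or len(buf) < 16 + length:
            raise ValueError("bad or truncated v2 header")
        body, rest = buf[16:16 + length], buf[16 + length:]
        if ver_cmd & 0x0F == 0:                    # LOCAL command: no client address
            return None, rest
        if fam_proto == 0x11 and length >= 12:     # TCP over IPv4
            src, sport = body[0:4], body[8:10]
        elif fam_proto == 0x21 and length >= 36:   # TCP over IPv6
            src, sport = body[0:16], body[32:34]
        else:                                      # other families: address not used here
            return None, rest
        return (str(ipaddress.ip_address(src)), int.from_bytes(sport, "big")), rest
    if buf.startswith(b"PROXY "):
        end = buf.find(b"\r\n", 0, 107)            # a v1 line is at most 107 bytes
        if end < 0:
            raise ValueError("v1 header not terminated within 107 bytes")
        fields, rest = buf[:end].decode("ascii").split(" "), buf[end + 2:]
        if fields[1] == "UNKNOWN":
            return None, rest
        if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
            raise ValueError("malformed v1 header")
        return (str(ipaddress.ip_address(fields[2])), int(fields[4])), rest
    raise ValueError("no PROXY header at start of stream")

def is_tls_handshake(data: bytes) -> bool:
    """True if data starts a TLS record of type handshake (0x16), version 3.x."""
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03

# Constructed sample streams: a PROXY header followed by the start of a ClientHello.
CLIENT_HELLO_START = bytes.fromhex("160301002a010000")
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 636\r\n" + CLIENT_HELLO_START
SAMPLE_V2 = (V2_SIG + b"\x21\x11\x00\x0c" + bytes([192, 0, 2, 10, 198, 51, 100, 5])
             + struct.pack("!HH", 51234, 636) + CLIENT_HELLO_START)
```

Passing either sample stream to a TLS library unmodified would fail, because the first bytes are the proxy header rather than a handshake record; only the remainder returned by `split_proxy_header` is what the TLS handshake must see.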