I'm using a MikroTik router with SSTP, and I have a Fedora server running httpd with HTTP and HTTPS, but I only have a single IPv4 address from my ISP.
I currently have SSTP working on port 444, but I need to move it to port 443 to bypass the Great Firewall (recently the Chinese government started blocking PPTP so I want to hide fully on port 443).
I have found documentation about SNI load balancing for HAProxy (e.g. https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/), but I haven't got it working yet.
Here is my setup (edited 5th July 2018 22:20 CET):
frontend main 192.168.0.3:443 ssl ca-cert /etc/pki/tls/certs/sstp.crt
    use_backend sstp if { ssl_fc_sni sstp.mydomain.com }
    use_backend websites if { ssl_fc_sni www.mydomain.com }
    default_backend websites

backend websites
    mode tcp
    balance roundrobin
    server www 127.0.0.1:443 check

backend sstp
    mode tcp
    balance roundrobin
    server router 192.168.0.1:444 ca-cert /etc/pki/tls/certs/sstp.crt
After editing the backend to include ca-cert, I can get SSTP to connect when I change the default_backend to sstp.
haproxy -d doesn't give me much debug info. I'm not familiar enough with the syntax to get SNI working, but I'm making progress ...
I just tried the exact syntax from the example, and that doesn't work either:
frontend main 192.168.0.3:443 ssl ca-cert /etc/pki/tls/certs/sstp.crt
    use_backend sstp if { ssl_fc_sni sstp.example.com }
    acl application_1 req_ssl_sni -i sstp.example.com
    use_backend sstp if application_1
    default_backend websites
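A TLS passthrough configuration for the routing described above, added here as an example (it is not the asker's config nor the one from the linked blog post); it assumes the hostnames sstp.example.com and www.example.com, the addresses from the post, and that httpd listens only on 127.0.0.1:443 so it does not collide with HAProxy on 192.168.0.3:443.

```haproxy
# Added example: route on the SNI in the TLS ClientHello without terminating TLS.
# HAProxy never decrypts, so no certificate or key is configured here; the router
# keeps serving the SSTP certificate and httpd keeps serving the web certificate.
# Hostnames and addresses below are assumptions, not values from the post.

defaults
    mode tcp
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend tls_in
    mode tcp
    bind 192.168.0.3:443
    # Without an inspect delay the SNI sample is evaluated before the
    # ClientHello has arrived and req_ssl_sni is empty, so every connection
    # falls through to default_backend.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # req_ssl_sni reads the cleartext ClientHello; ssl_fc_sni only works
    # when HAProxy itself terminates TLS on an "ssl" bind line.
    use_backend sstp     if { req_ssl_sni -i sstp.example.com }
    use_backend websites if { req_ssl_sni -i www.example.com }
    default_backend websites

backend sstp
    mode tcp
    # MikroTik SSTP service stays on its current port; no TLS options needed
    # because the client's TLS session goes straight through to the router.
    server router 192.168.0.1:444

backend websites
    mode tcp
    # httpd must listen on 127.0.0.1 only (Listen 127.0.0.1:443 in httpd.conf).
    server www 127.0.0.1:443 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The SNI field is sent unencrypted in the ClientHello, so the chosen hostname is visible to anyone observing the connection even though the payload is not.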