I've recently managed to configure HAproxy.cfg to run HTTPS and SSTP on the same port, and can recognise some website traffic by SNI. However, as I have multiple domains I would prefer to recognise SSTP and have HTTPS as the default_backend. How to configure HAproxy with SSTP and HTTPS
If I compare SSTP and HTTPS with tshark, I see the following differences:
HTTPS using IP address:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 61
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
HTTPS using domainname:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 331
Extension: status_request (len=5)
Type: status_request (5)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: server_name (len=26)
Type: server_name (0)
Length: 26
Server Name Indication extension
Server Name list length: 24
Server Name Type: host_name (0)
Server Name length: 21
Server Name: www.example.com
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=22)
...
SSTP:
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
....
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 45
Extension: SessionTicket TLS (len=0)
Type: SessionTicket TLS (35)
Length: 0
Data (0 bytes)
Extension: signature_algorithms (len=22)
...
Extension: heartbeat (len=1)
Type: heartbeat (15)
Length: 1
Mode: Peer allowed to send requests (1)
Is there a way in the haproxy.cfg syntax to check for Certificate Status Type: OCSP or Extension: heartbeat ?
