The "use-server" statement works both in HTTP and TCP mode. This makes it
suitable for use with content-based inspection. For instance, a server could
- be selected in a farm according to the TLS SNI field. And if these servers
- have their weight set to zero, they will not be used for other traffic.
+ be selected in a farm according to the TLS SNI field when using protocols with
+ implicit TLS (also see "req_ssl_sni"). And if these servers have their weight
+ set to zero, they will not be used for other traffic.
Example :
# intercept incoming TLS requests based on the SNI field
use-server www if { req_ssl_sni -i www.example.com }
server www 192.168.0.1:443 weight 0
use-server mail if { req_ssl_sni -i mail.example.com }
- server mail 192.168.0.1:587 weight 0
+ server mail 192.168.0.1:465 weight 0
use-server imap if { req_ssl_sni -i imap.example.com }
server imap 192.168.0.1:993 weight 0
# all the rest is forwarded to this server
contains data that parse as a complete SSL (v3 or superior) client hello
message. Note that this only applies to raw contents found in the request
buffer and not to contents deciphered via an SSL data layer, so this will not
- work with "bind" lines having the "ssl" option. SNI normally contains the
- name of the host the client tries to connect to (for recent browsers). SNI is
- useful for allowing or denying access to certain hosts when SSL/TLS is used
- by the client. This test was designed to be used with TCP request content
- inspection. If content switching is needed, it is recommended to first wait
- for a complete client hello (type 1), like in the example below. See also
- "ssl_fc_sni".
+ work with "bind" lines having the "ssl" option. This will only work for actual
+ implicit TLS based protocols like HTTPS (443), IMAPS (993), SMTPS (465),
+ however it will not work for explicit TLS based protocols, like SMTP (25/587)
+ or IMAP (143). SNI normally contains the name of the host the client tries to
+ connect to (for recent browsers). SNI is useful for allowing or denying access
+ to certain hosts when SSL/TLS is used by the client. This test was designed to
+ be used with TCP request content inspection. If content switching is needed,
+ it is recommended to first wait for a complete client hello (type 1), like in
+ the example below. See also "ssl_fc_sni".
ACL derivatives :
req_ssl_sni : exact string match