mirror of
https://github.com/haproxy/haproxy.git
synced 2026-03-06 07:10:43 -05:00
e51fab0a4a
HAProxy uses CN and SAN of the certificates to match incoming SNI, and use the matching certificate in the TLS handshake. `crt-list` goes further and allows to configure SNI filters to explicitly define the FQDNs that should match a certificate. The first declared certificate of the `crt-list` option follows the same rules, and it's also used as a fallback - the certificate that should be used if SNI isn't provided or the provided one cannot match any certificate or SNI filter. If a provided SNI matches the CN or SAN of the first certificate, the first certificate would be used even if a matching SNI filter is declared later. This change clarifies this scenario and documents a filter that can be used to convert the first declared certificate as a proper fallback. Should be merged as far as the first SNI filter implementation. |
||
|---|---|---|
| .. | ||
| design-thoughts | ||
| internals | ||
| lua-api | ||
| 51Degrees-device-detection.txt | ||
| acl.fig | ||
| architecture.txt | ||
| close-options.txt | ||
| coding-style.txt | ||
| configuration.txt | ||
| cookie-options.txt | ||
| DeviceAtlas-device-detection.txt | ||
| gpl.txt | ||
| haproxy.1 | ||
| intro.txt | ||
| lgpl.txt | ||
| linux-syn-cookies.txt | ||
| lua.txt | ||
| management.txt | ||
| netscaler-client-ip-insertion-protocol.txt | ||
| network-namespaces.txt | ||
| peers-v2.0.txt | ||
| peers.txt | ||
| proxy-protocol.txt | ||
| queuing.fig | ||
| regression-testing.txt | ||
| seamless_reload.txt | ||
| SOCKS4.protocol.txt | ||
| SPOE.txt | ||
| WURFL-device-detection.txt | ||