All domains over http except for one


#1

Hi,
I have a new issue now in that I have 86 domains and they all run on HTTP only. I have a new domain that runs on HTTPS.
All of these domains start with a subdomain, e.g. home.domain.com, home.domain1.com, home.domain2.com, etc.
If a user types home.domain.com it forces over HTTPS, which is correct, and home.domain1.com does work over HTTP, but if a user types home.domain1.com over HTTPS I get an invalid certificate error. I do get this because domain1.com does not have a certificate, but it seems as though it wants to apply home.domain.com's certificate to all the other domains. I tried the following code in my HTTPS section, but it does not seem to work:

acl homedot hdr_beg(host) -i home.
acl mainhome hdr(host) -i home.domain.com
redirect scheme http if homedot { ssl_fc } !mainhome

Any help would be appreciated.
Regards


#2

With http/https SSL negotiation happens before http headers are transmitted. Going to one of the “other” domains (domain1.com, domain2.com, …) with https will start the SSL negotiation and fail because you do not have a valid certificate for them. HTTP redirects happen after SSL negotiation is complete. Here are a couple of options.

  1. You could use two different frontends. One for SSL enabled domains and one for domains which do not have SSL. This would require that you have multiple IP addresses. This way you can use SNI to load multiple certificates so that the SSL negotiation happens correctly.

  2. If you happen to be hosted in Amazon AWS, they will generate free certificates as long as you terminate SSL at their load balancer. The load balancer costs a flat rate of $18 per month plus traffic/usage. We use this option and have several hundred domains with dozens of wildcard SSL certificates. We terminate SSL at AWS EC2 ELBs and then send traffic to a set of HAProxy load balancers. The SSL certs are “trusted” by basically everything (including Java). We have millions of end users using our product with no issues.
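The first option above, the two-frontend layout, written out as an added HAProxy configuration example (this is not config from the thread or from any of the posters). It assumes two addresses, 192.0.2.10 for the domains that have certificates and 192.0.2.11 for the HTTP-only domains, a certificate directory /etc/haproxy/certs/ and a backend at 10.0.0.10:8080; all of these are placeholders. DNS for home.domain.com must point at the first address and the other 86 hostnames at the second, since the split has to happen at the IP level, before any HTTP header is seen. The point is that no TLS listener exists on the HTTP-only address at all, so a stray https:// attempt against one of those domains gets a connection refused rather than a certificate-mismatch warning, and the certificate for home.domain.com is never offered for a name it does not cover.

```haproxy
global
    log /dev/log local0
    # Sensible TLS floor for every ssl bind below (HAProxy 1.8+ syntax)
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend 1: the only address that holds certificates.
# Every PEM in the directory is loaded and the matching one is
# selected by SNI during the handshake, so more HTTPS domains can be
# added later just by dropping their certificate into the directory.
frontend fe_tls
    bind 192.0.2.10:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    bind 192.0.2.10:80
    # Plain-HTTP requests for a host we hold a certificate for are
    # sent to HTTPS; hosts are listed explicitly so nothing is
    # redirected to a name without a certificate.
    acl is_tls_host hdr(host) -i home.domain.com
    http-request redirect scheme https code 301 if !{ ssl_fc } is_tls_host
    # Only emit HSTS on the TLS side, and only for hosts that have a cert
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }
    default_backend be_app

# Frontend 2: HTTP-only address for the 86 domains without certificates.
# Deliberately no 443 bind here: there is no certificate to present,
# so the TLS handshake is never started for these names.
frontend fe_plain
    bind 192.0.2.11:80
    default_backend be_app

backend be_app
    # Placeholder application server (assumed)
    server app1 10.0.0.10:8080 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. A quick way to confirm the behaviour is `openssl s_client -connect 192.0.2.10:443 -servername home.domain.com`, which should show the intended certificate, while the same command against 192.0.2.11 should simply fail to connect.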


#3

Hi dtorgo, that makes sense, thanks for that. No, we do not use AWS. I added a second IP and set up HAP to listen on port 443 on the new IP but with no cert. Then I just added the ACL after that.

Awesome, thank you.
Regards