I’ve been struggling with something, and want to make sure I’m not missing something simple. I don’t think this can be done, but would like confirmation.
I have one Apache server with multiple VirtualHost configs:
<VirtualHost *:443>
ServerName api-test-haproxy.neatoserver.lan
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/api-test-haproxy.neatoserver.lan.crt
SSLCertificateKeyFile /etc/pki/tls/private/api-test-haproxy.neatoserver.lan.key
DocumentRoot /var/www/api-test-haproxy.neatoserver.lan
<Directory /var/www/api-test-haproxy.neatoserver.lan>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName api2-test-haproxy.neatoserver.lan
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/api2-test-haproxy.neatoserver.lan.crt
SSLCertificateKeyFile /etc/pki/tls/private/api2-test-haproxy.neatoserver.lan.key
DocumentRoot /var/www/api2-test-haproxy.neatoserver.lan
<Directory /var/www/api2-test-haproxy.neatoserver.lan>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
</VirtualHost>
Going to https://api-test-haproxy.neatoserver.lan shows the proper api-test site and files, and going to https://api2-test-haproxy.neatoserver.lan shows the other site and files. All good on the Apache side of things.
Now I want to bring HAProxy into the mix, and get another server for HA-ing the sites. I update my DNS names to point the CNAME to the HAProxy VIP, and configure HAProxy like so:
defaults
mode http
balance source
log global
option httplog
frontend front_https
bind *:443 ssl crt /etc/haproxy/certs/
option forwardfor except 127.0.0.0/8
use_backend back_api if { ssl_fc_sni api-test.neatoserver.lan }
use_backend back_api2 if { ssl_fc_sni api2-test.neatoserver.lan }
backend back_api
server api-01 api-01.neatoserver.lan:443 check ssl verify none
server api-02 api-02.neatoserver.lan:443 backup check ssl verify none
backend back_api2
server api2-01 api-01.neatoserver.lan:443 check ssl verify none
server api2-02 api-02.neatoserver.lan:443 backup check ssl verify none
Going to https://api-test-haproxy.neatoserver.lan still shows the proper api-test site and files for api, but now going to https://api2-test-haproxy.neatoserver.lan is broken and incorrectly shows the sites and files for api-test-haproxy.neatoserver.lan. It would appear that HAProxy doesn’t pass SNI to the proper VirtualHost.
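For comparison, here is the HAProxy side of a fix that keeps Apache on a single *:443 listener. This is an added example, not part of the original post. The key piece is the `sni ssl_fc_sni` server option: HAProxy terminates the client's TLS session and opens a fresh TLS session to Apache, and unless told otherwise it sends no SNI on that second session, so Apache falls back to the first VirtualHost defined for that address:port, which is why api2 came back with api's files. The example also drops `verify none`, because with it HAProxy accepts any certificate from whatever answers on port 443. The hostnames are the ServerName values from the Apache config above (the post's ACLs use slightly different names); /etc/haproxy/ca/internal-ca.crt is an assumed path for the CA that signed the Apache certificates.

```haproxy
# Added example, not the original poster's configuration.
# Assumes the Apache certificates are signed by an internal CA whose
# certificate is at /etc/haproxy/ca/internal-ca.crt (placeholder path).

defaults
    mode http
    balance source
    log global
    option httplog

frontend front_https
    bind *:443 ssl crt /etc/haproxy/certs/
    option forwardfor except 127.0.0.0/8
    # Route on the name the client sent in its ClientHello (case-insensitive).
    # With no default_backend, a name that matches nothing gets a 503 instead
    # of silently landing on the first backend.
    use_backend back_api  if { ssl_fc_sni -i api-test-haproxy.neatoserver.lan }
    use_backend back_api2 if { ssl_fc_sni -i api2-test-haproxy.neatoserver.lan }

backend back_api
    # Weak form from the question, for contrast:
    #   server api-01 api-01.neatoserver.lan:443 check ssl verify none
    # No SNI reaches Apache and the backend certificate is never checked.
    #
    # Corrected form:
    #   sni ssl_fc_sni      re-send the client's SNI to Apache so mod_ssl picks
    #                       the matching <VirtualHost *:443>
    #   verify required     validate Apache's certificate against ca-file; the
    #                       SNI value is also checked against the certificate
    #   verifyhost          hostname to verify when a client sent no SNI at all
    #   check-sni           SNI to use for the health-check handshake
    server api-01 api-01.neatoserver.lan:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/ca/internal-ca.crt verifyhost api-test-haproxy.neatoserver.lan check check-sni api-test-haproxy.neatoserver.lan
    server api-02 api-02.neatoserver.lan:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/ca/internal-ca.crt verifyhost api-test-haproxy.neatoserver.lan check check-sni api-test-haproxy.neatoserver.lan backup

backend back_api2
    # Same two hosts, same per-connection SNI forwarding; only the
    # health-check / fallback name differs.
    server api2-01 api-01.neatoserver.lan:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/ca/internal-ca.crt verifyhost api2-test-haproxy.neatoserver.lan check check-sni api2-test-haproxy.neatoserver.lan
    server api2-02 api-02.neatoserver.lan:443 ssl sni ssl_fc_sni verify required ca-file /etc/haproxy/ca/internal-ca.crt verifyhost api2-test-haproxy.neatoserver.lan check check-sni api2-test-haproxy.neatoserver.lan backup
```

After reloading HAProxy, the quickest check is `openssl s_client -connect <vip>:443 -servername api2-test-haproxy.neatoserver.lan` and confirming the subject of the certificate presented, then a `curl` against each name to confirm the DocumentRoot content differs. The `check-sni` value matters because the health check opens its own TLS session with no client behind it; without it Apache would again answer the check with the default VirtualHost's certificate, and `verify required` would then fail the check for api2.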
The only option I’ve found to get this working through HAProxy is defining a separate port for each VirtualHost config. Like this:
Listen 8443
<VirtualHost *:8443>
ServerName api-test-haproxy.neatoserver.lan
Listen 8444
<VirtualHost *:8444>
ServerName api2-test-haproxy.neatoserver.lan
And then updating HAProxy to use the separate ports for the specified sites:
backend back_api
server api-01 api-01.neatoserver.lan:8443 check ssl verify none
server api-02 api-02.neatoserver.lan:8443 backup check ssl verify none
backend back_api2
server api2-01 api-01.neatoserver.lan:8444 check ssl verify none
server api2-02 api-02.neatoserver.lan:8444 backup check ssl verify none
Is this correct? Is this the only way to get HAProxy to work with multiple VirtualHosts on the same server?
Thanks!
Danny