Bind crt certificate limits?


#1

Is there a limit to the number of SSL certificates that can be placed on the bind ssl line?

We are using Let’s Encrypt and would like to put a lot of .pem certificates on domains.

I would much prefer a better way to break this out in the configuration files. I already have separate configuration files for each of our 3 large services, but having several hundred sites with separate .pem files on the bind line is going to get hard to manage.

Also are lines like this…

redirect scheme https if { hdr(Host) -i www.example.com } !{ ssl_fc }

Hard on HAProxy even having several hundred of them?

HAProxy 1.7.9


#2

You can point to a directory instead of single certificates, and haproxy will load all certificates in that directory.

That way, your configuration remains lean and clean, even if you have tens of thousands of certificates.

As always, a quick look into the documentation provides all the details:
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt

If that’s not enough and you need specific SNI -> PEM mappings, you can put your mappings into a crt-list, and for more details on that you can again check out the documentation:
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt-list

And you can put those into a file as well; check out the -f parameter in ACLs:
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.1

No, not unless you have ridiculously small amounts of RAM.
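As an added example (not from any post in this thread), this is what the three suggestions above look like together in a haproxy 1.7 configuration: a crt directory instead of hundreds of PEM arguments, a crt-list as the alternative when explicit SNI to PEM mappings are needed, and one redirect rule driven by a host file instead of one line per site. The paths, domain names and backend names are assumptions for illustration.

```haproxy
# Added example configuration, not taken from the thread above.
# All paths and names below are assumptions; adjust to your layout.
global
    log /dev/log local0
    maxconn 20000
    ssl-default-bind-options no-sslv3 no-tlsv10

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One frontend handles both ports, so a single redirect rule below
# replaces hundreds of per-host "redirect scheme https if { hdr(Host) ... }" lines.
frontend public
    bind :80

    # "crt <directory>/" loads every PEM in that directory. haproxy selects the
    # certificate from the client's SNI; the first certificate loaded is served
    # to clients that send no SNI at all. Each file must hold the private key
    # and the full chain, e.g. for Let's Encrypt:
    #   cat privkey.pem fullchain.pem > /etc/haproxy/certs/example.com.pem
    bind :443 ssl crt /etc/haproxy/certs/

    # Alternative if you need explicit SNI -> PEM mappings (comment out the
    # bind line above and use this one). /etc/haproxy/crt-list.txt has one
    # entry per line: "<pem path> <sni name> [<sni name> ...]", for example:
    #   /etc/haproxy/certs/example.com.pem example.com www.example.com
    #   /etc/haproxy/certs/shop.pem       shop.example.net
    # bind :443 ssl crt-list /etc/haproxy/crt-list.txt

    # Redirect plain HTTP only for hosts listed in a file (one hostname per
    # line, lower case), using the ACL -f pattern file instead of one rule
    # per domain. The host header is lower-cased and stripped of any ":port".
    http-request redirect scheme https code 301 if !{ ssl_fc } { hdr(host),lower,field(1,:) -f /etc/haproxy/https-hosts.lst }

    # If every site behind this frontend has a certificate, drop the host
    # check entirely and redirect everything that is not already TLS:
    # http-request redirect scheme https code 301 if !{ ssl_fc }

    # Per-host routing also belongs in a file rather than in hundreds of
    # use_backend lines: /etc/haproxy/hosts.map maps "hostname backendname".
    use_backend %[req.hdr(host),lower,field(1,:),map(/etc/haproxy/hosts.map,be_default)]

backend be_default
    server web1 127.0.0.1:8080 check
```

Before reloading, `haproxy -c -f /etc/haproxy/haproxy.cfg` parses the configuration and loads every certificate in the directory or crt-list, so a PEM that is missing its private key or chain is caught before it takes down the listener. In 1.7 certificates are only read at startup, so a Let's Encrypt renewal still needs a reload (`haproxy -f /etc/haproxy/haproxy.cfg -sf $(cat /run/haproxy.pid)`), but with the directory approach that reload needs no configuration edit.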


#3

Wow, fast, complete, accurate and to-the-point answers, thank you!


#4

The more certs you have, though, the longer it can take to start up haproxy. Especially if they are stored on a network drive.