HAProxy community

Changing SSL configuration for a single domain / single certificate

Hi Everybody,

Thank you very much for HAProxy and this forum ;-).

I successfully configured multiple domains with multiple certs (requires SNI / Server Name Indication).

frontend config looks like this:

frontend prt-http
        mode http
        option httplog
        bind *:80
        bind *:443 ssl crt /cert/firstdomain.com.pem crt /cert/seconddomain.com.pem crt /cert/thirddomain.com.pem
        option forwardfor

		# and then ACLs for different domains

I tested how to change SSL configuration for everything by for example adding this into global:

        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

And I also tested adding extra configuration to the line with certificates:

bind *:443 ssl crt /cert/firstdomain.com.pem crt /cert/seconddomain.com.pem crt /cert/thirddomain.com.pem no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

But that changes configuration globally / for all certificates / domains. I need to change SSL config for a single domain.

Could you please tell me is there a way how to change configuration for a single certificate (single domain) without need for another public IP?

I know I can do that by adding another frontend. The problem is that I’d need two public IP addresses so I can bind first frontend to bind and second to bind but adding another IP is a problem at this moment and I’d rather avoid it if possible.

Thank you.

Kind regards,
Ben H.


you can use crt-list for that.

crt-list file example:
      # comment
      cert2.pem [alpn h2,http/1.1]
      certW.pem                   *.domain.tld !secure.domain.tld
      certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384] secure.domain.tld
1 Like

Thank you very much Jerome. I’ve just tested following crt-file:

/certs/first.com.pem                          first.com   *.first.com
/certs/second.com.pem                         second.com  *.second.com
/certs/third.com.pem   [ssl-min-ver TLSv1.2]  third.com   *.third.com

And it’s working great ;-). Site first.com and second.com support old TLS but third.com does not. Thank you.