Different SSL certificates over single IP

Hi,

I have a few services I'd like to serve with HAProxy over 443.
The question now is the TLS certificates. Normally I would issue individual certificates for each service. If I do this, I could have different frontends on different IPs listening on 443, but that seems impractical.

What I think I should do is the following: one TLS frontend (443) on a single IP without SSL termination, which routes based on SNI to other TLS frontends that do terminate SSL (listening on 127.0.0.1:443), and those then pass the traffic on to the backend servers.

So kinda like this:

frontend master-tls
   bind 10.145.50.107:443
   mode tcp
   description           Master-TLS
   option                tcplog
   timeout client        3600s
   # wait for the ClientHello so req.ssl_sni has a value when use_backend runs
   tcp-request inspect-delay 5s
   tcp-request content accept if { req.ssl_hello_type 1 }
   use_backend app01-tls if { req.ssl_sni -i app01.company.net }
   use_backend app02-tls if { req.ssl_sni -i app02.company.net }


frontend app01-tls
   bind 127.0.0.1:443 ssl crt /root/.vault/app01.company.net.pem ciphers ECDHE-RSA-AES256-SHA:-RC4-SHA:HIGH:!MD5:!aNULL:!EDH
   mode tcp
   description           Application 1 (TLS)
   option                tcplog

   default_backend app01-backend-http

frontend app02-tls
   bind 127.0.0.1:443 ssl crt /root/.vault/app02.company.net.pem ciphers ECDHE-RSA-AES256-SHA:-RC4-SHA:HIGH:!MD5:!aNULL:!EDH
   mode tcp
   description           Application 2 (TLS)
   option                tcplog

   default_backend app02-backend-http


backend app01-backend-http
   mode tcp
   server app01-server-01 10.0.0.115:80

backend app02-backend-http
   mode tcp
   server app02-server-01 10.0.0.116:80

Does this make sense and is this the correct approach?
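The routing step in the sketch above depends on reading the server name out of the TLS ClientHello before anything is decrypted, which is also why the passthrough frontend has to buffer the handshake first: the SNI only exists once the whole ClientHello has arrived. The Python below is an added illustration, not code from this thread or from HAProxy. It builds a minimal ClientHello (constructed input), extracts the SNI extension the way a passthrough frontend would, and picks a backend from a routing table that mirrors the two `use_backend` rules; incomplete data and non-TLS bytes yield no route, which is the role the `req.ssl_hello_type 1` guard plays in the config.

```python
import struct

# Routing table mirroring the two use_backend rules in the sketch (assumed names)
ROUTES = {"app01.company.net": "app01-tls", "app02.company.net": "app02-tls"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry.
    Constructed test input, not a captured handshake."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    sni_body = struct.pack("!H", len(server_name)) + server_name  # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                               # client_version TLS 1.2
        + b"\x11" * 32                            # random (fixed bytes, constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host name from a complete TLS ClientHello record, or None
    when the bytes are not a handshake record, are truncated, or carry no SNI."""
    if len(data) < 5 or data[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                   # record not fully buffered yet
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello (hello type 1)
    hs_len = int.from_bytes(hs[1:4], "big")
    hs = hs[4:4 + hs_len]
    if len(hs) < hs_len:
        return None
    pos = 2 + 32                                      # skip client_version and random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                # compression_methods
    if len(hs) < pos + 2:
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if len(hs) < end:
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000 or len(ext) < 2:
            continue                                  # only server_name(0) is of interest
        list_len = struct.unpack("!H", ext[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            q += 3
            if name_type == 0 and q + name_len <= len(ext):
                return ext[q:q + name_len].decode("ascii", "replace").lower()
            q += name_len
    return None


def choose_backend(data: bytes, routes=ROUTES, default=None):
    """Emulate the passthrough frontend: route on SNI, or fall through to the
    default when no usable ClientHello is present."""
    sni = extract_sni(data)
    return routes.get(sni, default) if sni else default


if __name__ == "__main__":
    hello = build_client_hello("app01.company.net")
    print(extract_sni(hello), choose_backend(hello))          # app01.company.net app01-tls
    print(choose_backend(hello[:20]), choose_backend(b"GET / HTTP/1.1\r\n"))  # None None
```

The truncated-record case is the one `tcp-request inspect-delay` exists for: a frontend that evaluates `use_backend` on the first few bytes of a connection gets `None` and silently falls through to the default (or drops the connection), which looks like a certificate mismatch from the client side.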

I do this and have a write-up about how I do it.

1 Like

Thanks for the reply. It seems that you are using one certificate for all internal services? Is that correct?
Ideally I would want a different cert for each service.

2 Likes

Thanks, I just had some time to test this and it works.
Just leaving the important bits here for anyone else:

# Staging SSL Frontend
frontend Staging-SSL
  bind 10.145.50.108:443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend proxyb-somename if { req_ssl_sni -i sub.domain.net }

# Staging Backends
backend proxyb-somename
    mode tcp
    server loopback-for-tls abns@company-had01 send-proxy-v2

# HTTPS - Frontend 01
frontend F01-SSL
  bind abns@company-had01 accept-proxy ssl crt /root/.vault/sub.domain.net-1686501700.pem ciphers ECDHE-RSA-AES256-SHA:-RC4-SHA:HIGH:!MD5:!aNULL:!EDH
  mode http
  description          Some Services
  option                httplog
  timeout client        3600s
  default_backend company-backend-01

  acl trusted_ip src 10.0.0.14 10.0.10.23
  http-request deny deny_status 403 if !trusted_ip

# Backend 01
backend company-backend-01
  mode http
  server b01server01 10.0.0.2:80

Adjust to your needs of course.

1 Like
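One detail in the working config that the `trusted_ip` ACL depends on: the inner frontend `F01-SSL` never sees the real client socket, only the abns hop from `proxyb-somename`, so without `send-proxy-v2` on the server line and `accept-proxy` on the bind the `src` sample would never match a real client address and the 403 rule would block everyone. The Python below is an added example, not code from this thread or from HAProxy. It builds and parses the PROXY protocol v2 header for a TCP-over-IPv4 connection, which is the shape exchanged over the abns socket here, and applies the same allow-list check to the forwarded source address. The IP addresses are the ones in the posted config; the client ports and the payload bytes are constructed.

```python
import ipaddress
import socket
import struct

# Fixed 12-byte signature that opens every PROXY protocol v2 header
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Allow-list from `acl trusted_ip src 10.0.0.14 10.0.10.23` in the posted config
TRUSTED_IPS = {ipaddress.ip_address("10.0.0.14"), ipaddress.ip_address("10.0.10.23")}


def build_proxy_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the header `send-proxy-v2` prepends to a TCP/IPv4 connection:
    signature, version/command 0x21 (v2, PROXY), family/protocol 0x11
    (AF_INET, STREAM), address block length, then src/dst address and ports."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_v2(data: bytes):
    """Parse a PROXY v2 TCP/IPv4 header the way `accept-proxy` does.
    Returns (src_ip, src_port, dst_ip, dst_port, remaining_payload) and raises
    ValueError on anything malformed; only the TCP-over-IPv4 shape used by the
    config is handled, other families and the LOCAL command are rejected."""
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != 0x21:
        raise ValueError("unsupported version/command 0x%02x" % ver_cmd)
    if fam_proto != 0x11:
        raise ValueError("only TCP over IPv4 is handled in this example")
    if length < 12 or len(data) < 16 + length:
        raise ValueError("truncated address block")
    block = data[16:16 + length]                 # any TLVs after byte 12 are ignored
    src_ip = socket.inet_ntoa(block[0:4])
    dst_ip = socket.inet_ntoa(block[4:8])
    src_port, dst_port = struct.unpack("!HH", block[8:12])
    return src_ip, src_port, dst_ip, dst_port, data[16 + length:]


def inner_frontend_decision(data: bytes, trusted=TRUSTED_IPS) -> str:
    """Emulate F01-SSL: take `src` from the PROXY header rather than from the
    local abns socket, then apply `http-request deny ... if !trusted_ip`."""
    src_ip, _, _, _, _ = parse_proxy_v2(data)
    return "allow" if ipaddress.ip_address(src_ip) in trusted else "deny"


if __name__ == "__main__":
    # Constructed client connections arriving at the posted listener 10.145.50.108:443
    ok = build_proxy_v2("10.0.0.14", 51234, "10.145.50.108", 443)
    bad = build_proxy_v2("192.0.2.9", 40000, "10.145.50.108", 443)
    print(inner_frontend_decision(ok), inner_frontend_decision(bad))   # allow deny
```

Because the header is trusted as the source of `src`, `accept-proxy` belongs only on sockets that nothing but your own outer frontend can reach; the abns socket in the posted config satisfies that, a TCP bind on a routable address would not.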