HAProxy community

HAProxy, single domain name, multiple subdomains with SSL


#1

I am trying to setup a farm of servers to serve the same website across all the servers, including the subdomains. I posted my example configuration below.

When tested it seemed to allow for the main website to be loaded, but anytime the subdomains were accessed it would just redirect to the main domain’s content. Is there a way using the configuration I have below, or some other configuration, and I can accomplish the goal of having say 4 servers, all serving the same root domain and subdomains, while still utilizing an SSL certificate for all traffic? Each website also contains a 301 redirect to HTTPS to enforce the use of SSL.

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        option http-server-close
        stats enable
        stats auth admin:Password!
        stats uri /haproxyStats

frontend http-in
        bind *:80

        # Define hosts
        acl host_website_hdr(host) -i domain.com 
        acl host_website_hdr(host) -i c.domain.com
        acl host_website_hdr(host) -i s.domain.com
        acl host_website_hdr(host) -i i.domain.com 
        acl host_website_hdr(host) -i e.domain.com

        ## figure out which one to use
        use_backend website if host_website
        use_backend website if host_website
        use_backend website if host_website
        use_backend website if host_website
        use_backend website if host_website

backend website
        balance leastconn
        option httpclose
        option forwardfor
        cookie JSESSIONID prefix
        server node1 10.5.0.10 cookie A check
        server node2 10.5.0.11 cookie A check
        server node3 10.5.0.12 cookie A check
        server node4 10.5.0.13 cookie A check
        server node5 10.5.0.14 cookie A check

#2

Haproxy does not redirect anything in this configuration. Likely your backend server are redirecting. Why that is, is a question that needs to be looked at from the application perspective. Nothing fancy that haproxy does here.

The configuration you posted doesn’t make a lot of sense though, are you sure that’s what you are really using? You don’t need multiple use_backend that are exactly the same. Once suffices. Also since you don’t have multiple backends, default_backend probably suffices.

All the SSL questions can be answered when you explain how you would like to set that up. Are the backend servers terminating SSL, or haproxy? Where are the certificates installed?


#3

I would prefer that SSL be terminated by HAProxy. (For testing I’m using Lets Encrypt)
The configuration I have posted is just an example. It’s not something I’m using in a production (or testing) environment.

Essentially, I have 3 servers configured in a network, each has two interfaces:
server1 10.5.0.10, 10.5.0.11
server2 10.5.0.12, 10.5.0.13
server3 10.5.0.14, 10.5.0.15

All of these servers and HAProxy will only serving domain.com. Subdomains are also housed on the same servers (10.5.0.10 - 15), but with my previous configuration (this is my second attempt) only displayed the main website (domain.com) for every subdomain. For example, images.domain.com is replicated by the servers and should also be handled by HAProxy. But images.domain.com, displayed the document root for domain.com, and not images.domain.com.

I am new to HAProxy, if there is a configuration that would fit what I am trying to accomplish better than what I posted, please let me know. Configuration examples would be a great resource if you have any. If that makes more sense. Which I hope it does.


#4

Remove option http-server-close from the defaults and option httpclose from the backend. They just disable keep-alive which makes no sense, unless you had a reason to put them there.

SSL configuration in haproxy is fairly straightforward, checkout examples/ssl.cfg and the Mozilla SSL Configuration Generator for suggestions about how to do it securely.

Just avoid redirecting to SSL from the backend applications (do it in haproxy instead using redirect scheme), otherwise you backend start redirecting to HTTPS endlessly because they don’t know that haproxy actually terminates SSL (you’d have to set a HTTP header like X-Forwarded-Proto on haproxy, and make the application understand it).

If you want cookie persistence (do you?), you need to set each server to a different cookie value, otherwise it makes no sense. In your specific case you could set the same cookie for the other NIC of the same server, that should be fine.

        server server1-nic1 10.5.0.10 cookie A check
        server server1-nic2 10.5.0.11 cookie A check
        server server2-nic1 10.5.0.12 cookie B check
        server server2-nic2 10.5.0.13 cookie B check
        server server3-nic1 10.5.0.14 cookie C check
        server server3-nic2 10.5.0.15 cookie C check

That’s your backend server’s domain, haproxy does not know anything about this. You need to look there for fixes. Also, actually test your backend servers directly.


#5

I’m unsure what you mean? There is no way using the domain the browser requests that I can pass the host header of images.domain.com on to the server from HAProxy?

The virtual hosts for each subdomain already exist in apache, and point to the correct document root, and the bind server that handles DNS is pointing to the public IP address of the HAProxy server. So the servers are already setup to serve the pages based on the domain names that are requested. HAProxy is only sending the root domain though (or at least I suspect) which is why it’s only displaying the root website, and not the sub-domains.

Correct me if I’m wrong. Which I may be, since I am new to HAProxy.


#6

It’s very simple: your browser sets the Host header to images.domain.com. Haproxy passes the requests as-is to the backend server, which, if configured correctly, based on the Host header which is set to images.domain.com, serves the correct root.

No, haproxy won’t touch the Host header send by the browser. Unless you configure haproxy to overwrite the Host header, but that’s not what you configured.

Again test your backend servers directly, without going through haproxy.