HAProxy community

How to remove www from all requests so wildcard SSL for *.example.com will work for www.client1.example.com?


#1

Hi All,

I’m using HAProxy 1.8.8 on Ubuntu in front of my IIS web servers to load balance and bind SSL certificates. So far so good on this.

The problem is that our wildcard SSL certs will not cover “www.myclient1.example.com” but only “client1.example.com” (wildcard ssl cert does not cover the www part, only *.TLD).

There are too many subdomains to get an SSL cert for each www.client(#).example.com.

So I need to remove the www part before HAProxy binds to the SSL cert. How do I accomplish this?
HAProxy is also binding to other domains which also need the www part removed.

Thanks in advance for your help!
Victor


#2

What does “before HAProxy binds to the SSL cert” mean? Plain-text HTTP on port 80?

I suggest you share your current configuration first of all, so that we know what we are working with.


#3

Hi lukastribus,

Firstly, thanks for your offer to help.

Note for below: I had to replace the dots with underscores, as the forum wouldn’t allow me to post more than 2 links.

What I meant to say was that I just wanted to strip the www from all requests (e.g. www_client1_example.com) so a wildcard SSL cert for (wildcard)_example_com would work (before the SSL handshake). The wildcard cert will cover client1_example_com but not www_client1_example_com. It is not feasible to acquire each and every SSL cert (even if free from Let’s Encrypt) for each subdomain.

I hope this makes sense.

Victor

global
        log /dev/log    local0
        log /dev/log    local1 notice
#       chroot /var/lib/haproxy
        chroot /etc/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        maxconn 50000
        tune.ssl.default-dh-param 2048
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
        lua-load /etc/haproxy/acme-http01-webroot.lua

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        option forwardfor
        option http-server-close

frontend www-http
        maxconn 50000
        bind 10.250.50.100:80
        reqadd X-Forwarded-Proto:\ http

# Rule to redirect to Lua plugin
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01

# Use the special non http to https forwarding backend if traffic from Let's Encrypt
        use_backend verification if url_acme_http01
        default_backend www-backend

frontend www-https
        maxconn 50000
        bind 10.250.50.100:443 ssl crt /etc/haproxy/certs/churchwebsitesplus.com.pem  crt /etc/haproxy/certs/completewebpagedesign.com.pem  crt /etc/haproxy/certs/dynamicdemo11.com.pem  crt /etc/haproxy/........(many many more....)

        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

backend verification # does not redirect to https to allow verification to work with Let's Encrypt without errors
        option httpchk GET /
        http-check expect string alive
        server web1 10.250.30.1:80 check fall 3 rise 2
        server web2 10.250.30.2:80 check fall 3 rise 2
        server web3 10.250.30.3:80 check fall 3 rise 2
        server web4 10.250.30.4:80 check fall 3 rise 2
        server web5 10.250.30.5:80 check fall 3 rise 2
        server web6 10.250.30.6:80 check fall 3 rise 2
        server web7 10.250.30.7:80 check fall 3 rise 2
        server web8 10.250.30.8:80 check fall 3 rise 2
        server web9 10.250.30.9:80 check fall 3 rise 2
        server web10 10.250.30.10:80 check fall 3 rise 2

backend www-backend
        option httpchk GET /
        http-check expect string alive
#       redirects to https below if http traffic is hitting the frontend
        redirect scheme https if !{ ssl_fc }   # redirects https
        server web1 10.250.30.1:80 check fall 3 rise 2
        server web2 10.250.30.2:80 check fall 3 rise 2
        server web3 10.250.30.3:80 check fall 3 rise 2
        server web4 10.250.30.4:80 check fall 3 rise 2
        server web5 10.250.30.5:80 check fall 3 rise 2
        server web6 10.250.30.6:80 check fall 3 rise 2
        server web7 10.250.30.7:80 check fall 3 rise 2
        server web8 10.250.30.8:80 check fall 3 rise 2
        server web9 10.250.30.9:80 check fall 3 rise 2
        server web10 10.250.30.10:80 check fall 3 rise 2


listen stats
        bind :9000
        mode http
        stats enable
        stats hide-version
        stats show-node
        stats realm HAproxy-Statistics
        stats uri /haproxy_stats
        stats auth admin:**********
        stats refresh 5s

#5

I found this regex sample that would strip the www in the URI, but how do I implement it in the config…

https://regex101.com/r/aQ3jU3/4


#6

You can only do it for HTTP, because in HTTPS it is already too late (the certificate error is already there). Try this solution from chomps:

You’d put this in www-backend. However, I have not tested this personally, and I am not sure at this point if the redirect really considers the already rewritten host header. Try it.
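As an added illustration of the point in #6 (this is not chomps' solution, which the thread does not reproduce, nor Victor's or the HAProxy project's own configuration): a www-http frontend that answers any www.* request on port 80 with a single 301 to the bare host over HTTPS. It reuses the bind address, ACME rule and backend names from the config posted in #3 and relies on HAProxy's regsub converter and log-format redirects, both available in 1.8.

```haproxy
frontend www-http
        maxconn 50000
        bind 10.250.50.100:80
        reqadd X-Forwarded-Proto:\ http

        # Let's Encrypt validation must keep working on the unmodified host,
        # so the ACME path is handled before any www stripping.
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01
        use_backend verification if url_acme_http01

        # A request whose Host starts with "www." gets one 301 to the bare
        # host on HTTPS. regsub removes the leading "www." (flag i makes it
        # case-insensitive); "redirect prefix" keeps the original path and
        # query string, so /page?x=1 on www.client1.example.com lands on
        # https://client1.example.com/page?x=1, which the wildcard covers.
        http-request redirect prefix https://%[req.hdr(host),regsub(^www\.,,i)] code 301 if { req.hdr_beg(host) -i www. }

        # Only plain HTTP can be fixed this way. On port 443 the certificate
        # is chosen from the TLS SNI during the handshake, before any Host
        # header exists, so https://www.client1.example.com still produces a
        # certificate error unless a certificate actually covers that name.
        default_backend www-backend
```

Non-www HTTP requests still reach www-backend, whose existing `redirect scheme https if !{ ssl_fc }` sends them to HTTPS as before.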