I read that multiple lines of the same IP_address:port are “allowed but incorrect”, here in this question.
However I find no pointers to the documentation, so I’ll explain what I would like to do and see how this can be best configured (I have ideas that are too inelegant* to be the right way).
Topology:

    Internet
        |
    Firewall (1 public IP address)
        |
    LAN switch ------- HAproxy
      |    …    |
    be_a   …   be_z
I already configured many subdomains a.example.com … z.example.com that share the same letsencrypt certificate, with ssl termination in one and the same frontend.
I need to add a new backend be_AA responding to domain AA.example.com, but I need the ssl termination to be performed on the back-end side.
I added a new front-end AA, before the existing one a-to-z:
    frontend http-in-AA
        bind AA.example.com:443
        use_backend be_AA

    frontend http-in-a-to-z
        bind *:443 ssl crt /etc/haproxy/certs/ defer-accept
        acl a ....
        acl z ...
        use_backend be_a if a
        use_backend be_z if z
The syntax check says valid without warning.
Is this correct?
If not, what would be the best way to add this new server, which is an exception to an already existing long list of other servers that work fine with ssl termination in HAProxy?
I suspect also that I may be confusing the fqdn in the bind address with the acl domain filter:

    acl host_a hdr(host) -i a.example.com

Thanks a ton!
(*) The inelegant idea I had is to use ssl_fc_sni, like in the solution from that question:

    frontend ft_test
        mode http
        bind 0.0.0.0:443 ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem
        use_backend bk_cert1 if { ssl_fc_sni my.example.com } # content switching based on SNI
        use_backend bk_cert2 if { ssl_fc_sni my.example.org } # content switching based on SNI

The reason I find it inelegant is that I fear I may have to break my current front-end into one front-end for each a…z.example.com, which would be huge work. I might be wrong though?
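As an added example (not part of the question above), this is the usual way to keep the existing a-to-z termination frontend intact while passing one host through untouched: a tcp-mode listener on :443 reads the SNI from the ClientHello with req.ssl_sni, sends AA.example.com to be_AA as raw TLS, and hands everything else to the old terminating frontend over a local socket. The socket path, the backend server address and the host_a/host_z ACL names are assumptions; ssl_fc_sni only works after HAProxy has terminated TLS, which is why the router uses req.ssl_sni instead.

```haproxy
# Added example, not the poster's config. Placeholders: the unix socket path
# and the 192.0.2.10 backend address (RFC 5737 documentation range).

frontend fe_sni_router
    mode tcp
    bind *:443
    # Hold the connection (up to 5s) until the TLS ClientHello has arrived,
    # otherwise req.ssl_sni is empty and every connection falls to the default.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough: the backend terminates TLS itself, HAProxy never sees plaintext.
    use_backend be_AA if { req.ssl_sni -i aa.example.com }
    # Everything else keeps the existing termination path.
    default_backend be_tls_local

backend be_AA
    mode tcp
    server aa 192.0.2.10:443 check

backend be_tls_local
    mode tcp
    # PROXY protocol v2 so the terminating frontend still logs the real client IP.
    server local_tls unix@/var/run/haproxy-tls.sock send-proxy-v2

frontend http-in-a-to-z
    mode http
    # Unchanged termination config, bound to the local socket instead of *:443.
    bind unix@/var/run/haproxy-tls.sock accept-proxy ssl crt /etc/haproxy/certs/
    acl host_a hdr(host) -i a.example.com
    acl host_z hdr(host) -i z.example.com
    use_backend be_a if host_a
    use_backend be_z if host_z
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after the change; the a…z ACLs and backends stay exactly as they are, only the bind line of the existing frontend moves.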