HAProxy community

Multiple domain with different SSL Certificate

#1

Currently we are using the following configuration for our domain mylab.macsys.be:

defaults
log global
option dontlognull # Do not log connections with no requests
option redispatch # Try another server in case of connection failure
option contstats # Enable continuous traffic statistics updates
timeout server 30s
timeout connect 60s
timeout client 30s

frontend http_frontend

bind *:80
mode tcp
default_backend web_server_http

backend web_server_http
mode tcp
balance roundrobin
#stick-table type ip size 200k expire 30m
#stick on src
#source 0.0.0.0 usesrc clientip #alctl: connect source and transparent connect
server s1 10.2.0.67:80 check fall 3 rise 2
server s2 10.2.0.68:80 check fall 3 rise 2
server s3 10.2.0.69:80 check fall 3 rise 2

frontend https_frontend

bind *:443
mode tcp
default_backend web_server

backend web_server
mode tcp
balance roundrobin
#stick-table type ip size 200k expire 30m
#stick on src
#source 0.0.0.0 usesrc clientip #alctl: connect source and transparent connect
server s1 10.2.0.67:4431 check fall 3 rise 2
server s2 10.2.0.68:4431 check fall 3 rise 2
server s3 10.2.0.69:4431 check fall 3 rise 2

The problem is we want a new domain (www.ipatient.be with a specific certificate) active on the same servers. So I guess based on SNI? The mylab.macsys.be:443 domain is running smoothly, and we don’t want to disturb our users with problems.

How can we get both the www.macsys.be and www.ipatient.be domains working? Any ideas regarding configuration?

Listening ports on our IIS servers:
macsys.be ==> port 4431 with macsys.be certificate
ipatient.be ==> port 4432 with ipatient.be certificate

Many thanks
De Busser Gert

0 Likes

#2

So you don’t terminate SSL on haproxy (install the SSL certificates on haproxy), but forward it to backend servers which are actually terminating SSL there.

Therefore you need to load-balance based on SNI, but without SSL termination.

Rename the backend web_server to something that is indicative of what the backend actually is, like macsys_https. The new backend would then be ipatient_https.

In that case, to route ipatient.be to ipatient_https, and use the macsys_https backend otherwise, you’d configure in your HTTPS frontend:

frontend https_frontend
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ipatient_https if { req_ssl_sni -i ipatient.be } || { req_ssl_sni -i www.ipatient.be }
    default_backend macsys_https

1 Like
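As an added illustration (not part of this thread or of HAProxy itself), here is a Python model of what the tcp-request rules above inspect: it parses a raw TLS record just far enough to read the handshake type and the SNI, reports nothing until the whole ClientHello has arrived (the situation inspect-delay exists for), and applies the same case-insensitive hostname match to pick a backend. The ClientHello builder and the backend names are constructed for the example.

```python
import struct

# Routing table mirroring the posted frontend: hostnames are matched
# case-insensitively (-i); anything else falls through to the default.
ROUTES = {"ipatient.be": "ipatient_https", "www.ipatient.be": "ipatient_https"}
DEFAULT_BACKEND = "macsys_https"

def parse_client_hello_sni(record: bytes):
    """Return (handshake_type, sni) from one raw TLS record.
    Returns (None, None) while the record is incomplete or not a handshake."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        return None, None
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) < 5 + rec_len:
        return None, None                           # partial: keep waiting
    hs = record[5:5 + rec_len]
    hello_type = hs[0]                              # 1 = ClientHello
    if hello_type != 1:
        return hello_type, None
    pos = 4 + 2 + 32                                # hs header, version, random
    pos += 1 + hs[pos]                              # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                              # compression methods
    if pos + 2 > len(hs):
        return hello_type, None                     # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if ext_type == 0:                           # server_name extension
            # list length(2), name type(1) = host_name, name length(2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hello_type, hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return hello_type, None

def choose_backend(record: bytes):
    """None = not accepted yet (like the req_ssl_hello_type 1 gate)."""
    hello_type, sni = parse_client_hello_sni(record)
    if hello_type != 1:
        return None
    return ROUTES.get((sni or "").lower(), DEFAULT_BACKEND)

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only an SNI extension."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```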

#3

Many thx! And with the || (or) solution it is even better than what I found on the web.

0 Likes