Multiple domain with different SSL Certificate

Currently we are using for our domain mylab.macsys.be the following configuration:

defaults
 log global
 option dontlognull # Do not log connections with no requests
 option redispatch # Try another server in case of connection failure
 option contstats # Enable continuous traffic statistics updates
 timeout server 30s
 timeout connect 60s
 timeout client 30s

frontend http_frontend
 bind *:80
 mode tcp
 default_backend web_server_http

backend web_server_http
 mode tcp
 balance roundrobin
 #stick-table type ip size 200k expire 30m
 #stick on src
 #source 0.0.0.0 usesrc clientip #alctl: connect source and transparent connect
 server s1 10.2.0.67:80 check fall 3 rise 2
 server s2 10.2.0.68:80 check fall 3 rise 2
 server s3 10.2.0.69:80 check fall 3 rise 2

frontend https_frontend
 bind *:443
 mode tcp
 default_backend web_server

backend web_server
 mode tcp
 balance roundrobin
 #stick-table type ip size 200k expire 30m
 #stick on src
 #source 0.0.0.0 usesrc clientip #alctl: connect source and transparent connect
 server s1 10.2.0.67:4431 check fall 3 rise 2
 server s2 10.2.0.68:4431 check fall 3 rise 2
 server s3 10.2.0.69:4431 check fall 3 rise 2

The problem is we want a new domain (www.ipatient.be with a specific certificate) active on the same servers. So I guess based on SNI? The mylab.macsys.be:443 domain is running smoothly, and we don't want to disturb our users with problems.

How can we get both the www.macsys.be and www.ipatient.be domains working? Any ideas regarding configuration?

Listening ports on our IIS Servers :
macsys.be ==> port 4431 with macsys.be certificate
ipatient.be ==> port 4432 with ipatient.be certificate

Many thanks
De Busser Gert

So you don't terminate SSL on HAProxy (install the SSL certificates on HAProxy), but forward it to backend servers, which are actually terminating SSL there.

Therefore you need to load-balance based on SNI, but without SSL termination.

Rename the backend web_server to something that is indicative of what the backend actually is, like macsys_https. The new backend would then be ipatient_https.

In that case, to route ipatient.be to ipatient_https, and use the macsys_https backend otherwise, you’d configure in your HTTPS frontend:

frontend https_frontend
 bind *:443
 mode tcp
 # wait up to 5s for the TLS ClientHello before deciding where to route
 tcp-request inspect-delay 5s
 # hello type 1 = ClientHello: stop waiting as soon as it has arrived
 tcp-request content accept if { req_ssl_hello_type 1 }
 # route on the SNI name carried in the ClientHello (-i = case-insensitive)
 use_backend ipatient_https if { req_ssl_sni -i ipatient.be } || { req_ssl_sni -i www.ipatient.be }
 default_backend macsys_https
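To make clear what `req_ssl_hello_type 1` and `req_ssl_sni` actually look at when HAProxy is in `mode tcp` and never decrypts anything, here is an added example (not part of the answer above and not HAProxy code) that builds a minimal TLS 1.2 ClientHello, extracts the server_name extension from it the way a TCP-mode inspection does, and applies the same backend choice as the `use_backend` / `default_backend` rules: `ipatient_https` for ipatient.be and www.ipatient.be (compared case-insensitively, like `-i`), `macsys_https` otherwise. The ClientHello bytes, the fixed random value and the backend names are constructed for this illustration.

```python
import struct

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type 1, the value req_ssl_hello_type 1 matches
SNI_EXTENSION = 0x0000    # extension type server_name (RFC 6066)

# Mirrors the routing rules from the answer (constructed mapping, not read from a config file).
SNI_BACKENDS = {"ipatient.be": "ipatient_https", "www.ipatient.be": "ipatient_https"}
DEFAULT_BACKEND = "macsys_https"


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record; server_name=None omits the SNI extension."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + b"\x11" * 32                               # random (fixed so the sample is deterministic)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello record, or None if there is no usable SNI.

    Everything read here is plaintext: that is why HAProxy can route on it in mode tcp
    without holding the certificate, and also why the name is visible to any on-path observer.
    """
    try:
        if record[0] != HANDSHAKE_RECORD:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                              # truncated record: nothing to route on yet
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != SNI_EXTENSION:
                continue
            lpos = 2                                 # skip server_name_list length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                name = data[lpos:lpos + name_len]
                lpos += name_len
                if name_type == 0:
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                                  # malformed input is treated as "no SNI"


def choose_backend(record):
    """Apply the use_backend/default_backend logic from the answer to one ClientHello."""
    sni = parse_sni(record)
    if sni is None:
        return DEFAULT_BACKEND                       # no SNI (or not a ClientHello): default wins
    return SNI_BACKENDS.get(sni.lower(), DEFAULT_BACKEND)


if __name__ == "__main__":
    for name in ("www.ipatient.be", "IPATIENT.BE", "mylab.macsys.be", None):
        print(repr(name), "->", choose_backend(build_client_hello(name)))
```

Two things this makes visible that matter operationally. A client that sends no SNI (or whose ClientHello has not arrived yet, which is what `tcp-request inspect-delay` guards against) lands on the default backend, so the macsys certificate is what such a client sees; and the matching is on the exact name list in the rule, so a name like `ipatient.be` spelled differently or a third hostname silently falls through to `macsys_https` as well. The `ipatient_https` backend itself is simply the existing `web_server` backend with the port changed to 4432, the port the question gives for the ipatient.be certificate on the IIS servers.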

Many thx! And with the || (or) solution, even better than what I found on the web.