Multiple SSL certificates per IP using proxy protocol


#1

I am trying to set up a multi-layer haproxy setup. The first layer is a haproxy instance doing simple TCP-level load balancing using proxy protocol to a second layer also running haproxy. The first layer has multiple public IPs attached, which need to be handled differently on the second layer, especially with regard to certificates.
Unfortunately it seems to me that haproxy on the second layer can only be configured to bind to IP addresses of the server's network interfaces but not to the receiving IP of the first layer. SNI is not an option here.


#2

The simplest approach imho would be to use different backend ports, so you map a public frontend IP to a specific “second proxy layer” backend port, that way you can configure everything very easily.

I’m not sure what you mean here, but yes, haproxy could be configured to listen to those addresses in a transparent configuration, however that also means the first proxy layer has to be the gateway and it complicates the setup quite a bit.
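
The port-mapping approach from reply #2, sketched as an added example that is not part of the original thread. All addresses, ports, names and certificate paths are constructed placeholders, and the two layers are separate configuration files on separate hosts.

```haproxy
# ---- Layer 1 (public host): plain TCP pass-through, one frontend per public IP ----
# Constructed addresses: 203.0.113.10 and 203.0.113.11 are the public IPs,
# 10.0.0.20 is the layer-2 host on the internal network.
defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ft_ip_a
    bind 203.0.113.10:443
    default_backend bk_l2_a

frontend ft_ip_b
    bind 203.0.113.11:443
    default_backend bk_l2_b

backend bk_l2_a
    # Public IP A always lands on layer-2 port 8443
    server l2 10.0.0.20:8443 send-proxy-v2

backend bk_l2_b
    # Public IP B always lands on layer-2 port 8444
    server l2 10.0.0.20:8444 send-proxy-v2

# ---- Layer 2 (internal host): TLS termination, one certificate per port ----
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ft_site_a
    # accept-proxy trusts the PROXY header from whoever connects, so these
    # ports should be reachable from the layer-1 host only (firewall / ACL).
    bind 10.0.0.20:8443 accept-proxy ssl crt /etc/haproxy/certs/site-a.pem
    default_backend bk_app_a

frontend ft_site_b
    bind 10.0.0.20:8444 accept-proxy ssl crt /etc/haproxy/certs/site-b.pem
    default_backend bk_app_b

backend bk_app_a
    server app1 10.0.1.10:8080   # hypothetical application server

backend bk_app_b
    server app1 10.0.1.11:8080   # hypothetical application server
```

Because the certificate is chosen by the layer-2 port rather than by SNI or by the interface address, the layer-2 host needs only its single internal IP, and the original client address still arrives through the PROXY header.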