HAProxy community

One IP address, One SSL, for multiple Ports on same instance/server

Help Please,
We are trying to use one SSL for multiple ports (443 and 6085) on the same instance, using HAProxy.
We have tried the following configurations:

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 20s
timeout queue 1m
timeout connect 15s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s # maxconn 3000

# This is our client/CDN facing SSL/TLS frontend listening on port 443, providing SSL termination in front of Varnish

frontend evd
bind 10.0.0.1:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers ECDHE+a***************************************** ***********************************************
default_backend varnish

frontend for_ssl_clients
log global

# using no-sslv3 to ensure we only support TLS for security reasons http://disablessl3.com/haproxy

# we are also setting the ciphers https://raymii.org/s/snippets/haproxy_set_specific_ssl_ciphers.html

bind 10.0.0.1:443 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers ECDHE+a***************************************** ***********************************************
default_backend varnish

# This configuration does not work. The server does not run. When we comment out the 6085 configuration, the server for 443 delivers its content.
# What is the way out? Please, such that we could make use of one SSL for two frontends that both use the same backend.

Please explain what you mean by “One SSL” and explain what you are trying to achieve (but you have to spell it out).

I already have an SSL certificate, which currently encrypts incoming traffic on port 443 (https://www.domainname.com). We are trying to deploy a new monitoring platform for the frontend cache. This platform uses port 6085, which functions properly, no problem. I mean when I open the site (http://www.domainname.com:6085/html) it loads the page normally. But it is not secure, for it cannot be used on https. When we try https it stops, hence it does not make use of SSL.
To resolve this issue, we want to make use of the existing SSL certificate which the HAProxy config points to. To achieve this, as well as to avoid using multiple SSL certificates on the same instance, we are trying to use the existing SSL certificate for both web solutions (the main site, which functions normally, and the new cache monitoring solution), such that when we point to port 6085 on the web using “https” it serves the same content as it does on http.

Ok, then just replicate the bind line. Do not create a new frontend.

frontend for_ssl_clients
 log global
 bind 10.0.0.1:443 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
 bind 10.0.0.1:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers

Hello Lukas,
I did try making use of the suggestion

bind 10.0.0.1:443 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
bind 10.0.0.1:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers

default_backend varnish

It did not work.

The main server (https://www.domainname.com) stopped working, and the monitoring platform (http://www.domainname.com:6085) still works, but when we try it on (https://www.domainname.com:6085) it does not load.

Is there anything I am missing? What comes to my mind is: is it possible to redirect traffic from port 6085 to 443 in the HAProxy configuration? Maybe this would resolve the issue.

Thanks and regards,

Ose Mike.

Share the entire configuration before and after and please put it into code tags </>.

global
       log         127.0.0.1 local2 notice
       log         127.0.0.1 local3
       log-send-hostname
       # CA base folder on this system (Redhat)
       ca-base /etc/ssl/certs
       chroot      /var/lib/haproxy
       pidfile     /var/run/haproxy.pid
       maxconn     4000
       user        haproxy
       group       haproxy
       daemon

       # Raising the DH param size from default 1024 to a safer value
       tune.ssl.default-dh-param 2048

       # turn on stats unix socket
       stats socket /var/lib/haproxy/stats

       #---------------------------------------------------------------------
       # common defaults that all the 'listen' and 'backend' sections will
       # use if not designated in their block
       #---------------------------------------------------------------------
 defaults
       mode                    http
       log                     global
       option                  httplog
       option                  dontlognull
       option http-server-close 
       option forwardfor       except 127.0.0.0/8
       option                  redispatch
       retries                 3
       timeout http-request    20s
       timeout queue           1m
       timeout connect         15s
       timeout client          1m
       timeout server          1m
       timeout http-keep-alive 10s
       timeout check           10s

# This is our client/CDN facing SSL/TLS frontend listening on port 443, providing SSL termination in front of Varnish

frontend for_ssl_clients

     log global
     # using no-sslv3 to ensure we only support TLS for security reasons http://disablessl3.com/#haproxy

     bind *:443 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
     default_backend varnish

# The backend is Varnish on port 80
backend varnish
     log global
     server local_varnish 127.0.0.1:80

# This is the frontend that Varnish will talk to (as its backend)
frontend for_varnish *:8443
     log global
     default_backend drupal_via_ssl

# The websites backend is running the site via TLS/SSL
backend drupal_via_ssl
    log global
    server  on_prem_live www.domainname.ca:443 maxconn 100 ssl

I have tried adding the following to the configuration above

frontend for_evd
     local global
     bind *:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers 
     default_backend varnish2

# Using same backend as Varnish and will be reached over local IP address
backend varnish2
   log global
   server local_varnish 127.0.0.1:80

But it does not work. The main site would not even open, let alone encrypt the secondary site.
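As an added illustration (my own code, not HAProxy tooling or anything posted in this thread), a small Python checker that walks the frontend/backend sections of a config text and reports the defects visible in the for_evd frontend above: `local global` is not a valid keyword (`haproxy -c -f <cfg>` rejects it as unknown), `ciphers` is given with no cipher list, and `no-sslv3` on its own still admits TLS 1.0 and 1.1. The accepted-keyword set is a hand-picked subset and the sample config is constructed from the post; `haproxy -c` remains the authoritative check.

```python
import re
KNOWN = {"bind", "log", "default_backend", "server", "mode", "option", "timeout",
         "retries", "use_backend", "acl", "http-request", "redirect"}  # accepted subset

def parse_sections(cfg):
    """Return [(kind, name, [lines])] for each frontend/backend/listen section."""
    sections, current = [], None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(frontend|backend|listen)\s+(\S+)", line)
        if m:
            current = (m.group(1), m.group(2), [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections

def check_bind(line):
    """Findings for one 'bind' line: the defects visible in the thread's configs."""
    toks, findings = line.split(), []
    if "ssl" in toks:
        if "crt" not in toks:
            findings.append("ssl bind without crt")
        if "ciphers" in toks and toks.index("ciphers") + 1 >= len(toks):
            findings.append("ciphers keyword without a cipher list")
        if "no-sslv3" in toks and not ({"no-tlsv10", "ssl-min-ver"} & set(toks)):
            findings.append("no-sslv3 alone still allows TLS 1.0/1.1 (consider ssl-min-ver TLSv1.2)")
    return findings

def lint(cfg):
    """Return [(section_name, message)] for every defect found in cfg."""
    out = []
    for _kind, name, lines in parse_sections(cfg):
        for line in lines:
            kw = line.split()[0]
            if kw not in KNOWN:  # e.g. 'local global' typed instead of 'log global'
                out.append((name, f"unknown keyword '{kw}'"))
            elif kw == "bind":
                out.extend((name, msg) for msg in check_bind(line))
    return out

# Constructed sample: the non-working for_evd frontend from the thread, typo included.
SAMPLE = """
frontend for_evd
     local global
     bind *:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
     default_backend varnish2
"""
```

Running `lint(SAMPLE)` yields three findings for for_evd (the unknown keyword, the empty cipher list and the SSLv3-only restriction); a frontend with two `bind` lines carrying `crt`, `ssl-min-ver TLSv1.2` and a cipher list yields none.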

I’d suggest specifying the bind IP address and port for each instance. For example, this is a working config on one of my servers (different IPs in my case, but different ports should be the same). I also specify all my SSL requirements in one place, so no-sslv3 goes below the cipher list - I just find it easier to read.

bind 10.10.10.221:80
bind 10.10.10.221:443 ssl crt /etc/haproxy/cert.pem crt /etc/haproxy/other.cert.pem
bind 10.10.10.222:8
bind 10.10.10.222:443 ssl crt /etc/haproxy/cert.pem crt /etc/haproxy/other.cert.pem

edit: (Discourse makes it so hard to paste code)

Thanks Josh, I have tried doing this earlier, but the main site does not work let alone the SSL encryption on the secondary server. This was the reason I raised the issue.

Well, I can confirm from experience that binding the same cert to two IPs on two separate frontends uses the same memory as binding it to two IPs in the same frontend, so if you can get that config working, it may be your best option.

The only other suggestion I have would be to move your SSL ciphers and other options to the defaults section with https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#ssl-default-bind-ciphersuites. I don’t see any reason it should make a difference, but it’s worth a shot…

Hello Josh,

The configuration is working: I can run the main application on port 443, and the secondary application using port 80 to run it on port 6085. I attached the configuration to this issue, above. The current issue of our main interest lies in encrypting the secondary server with the same SSL certificate, such that instead of using port 80 to run it on port 6085, we make use of the SSL port 443 to run the application on port 6085.

Hi Josh, I solved the problem. All I needed was to create a new port, say 9045, as an entry in the frontend configuration.
Since the secondary application listens on port 6085, I used this as the backend for that port's entry; this is where I bound the certificate.
The added configuration is similar to this, should anyone have this issue in the future.

frontend for_evd
      log global
      bind 10.0.0.1:9045 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
      default_backend varnish2
# The Backend varnish2
backend varnish2
      log global
      server local_varnish 127.0.0.1:6085

This configuration works pretty well!! Thanks!!!

Glad you got it worked out!