Hi,
Here is a probably strange question that is probably also wrongly asked.
I have the following network structure/plan…:
The idea is that someone who is responsible/authorized for network 1 and domain1.com has their own reverse proxy that they manage and for which they take care of the SSL certificates. The same applies to network 2.
I got HAProxy to work with the following configuration:
# Automaticaly generated, dont edit manually.
# Generated on: 2024-10-08 16:54
global
maxconn 1000
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
server-state-file /tmp/haproxy_server_state
frontend Front
bind xxx.xxx.xxx.xxx:80 name xxx.xxx.xxx.xxx:80
bind xxx.xxx.xxx.xxx:443 name xxx.xxx.xxx.xxx:443
mode tcp
log global
timeout client 30000
tcp-request inspect-delay 5s
tcp-request content capture req.hdr(Host) len 100
tcp-request content accept if { req_ssl_hello_type 1 }
acl domain1 req_ssl_sni -m end domain1.de
acl domain2 req_ssl_sni -m end domain2.de
acl domain1 hdr(host) -m end domain1.de
acl domain2 hdr(host) -m end domain2.de
use_backend domain1_ipvANY if domain1
use_backend domain2_ipvANY if domain2
backend domain1_ipvANY
mode tcp
id 101
log global
timeout connect 30000
timeout server 30000
retries 3
load-server-state-from-file global
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
server ProxyMan 172.28.200.255:8443 id 102 check inter 1000
backend domain2_ipvANY
mode tcp
id 100
log global
timeout connect 30000
timeout server 30000
retries 3
load-server-state-from-file global
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
server ProxyMan 192.168.7.1:8443 id 102 check inter 1000
The problem I have is that I cannot request a new certificate via Let's Encrypt. When I NAT the ports directly to the backends, it is possible to request a certificate. So something is wrong with my HAProxy config. I thought that with these two lines I would handle the HTTP traffic:
tcp-request content capture req.hdr(Host) len 100
acl domain1 hdr(host) -m end domain1.de
And that this is all that is needed for the certificate challenge: letsencrypt "How it works"
I am grateful for any help/tip or link.
Thank you in advance
Update:
For those who have something similar in mind, the now-working HAProxy config:
# Automaticaly generated, dont edit manually.
# Generated on: 2024-10-08 21:51
global
maxconn 1000
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname HaproxyMasterNode
server-state-file /tmp/haproxy_server_state
# :443 stays in TCP mode: TLS is passed through untouched, so the only routing key available is the SNI from the ClientHello
frontend Front-https
bind xxx.xxx.xxx.xxx:443 name xxx.xxx.xxx.xxx:443
mode tcp
log global
timeout client 30000
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl domain1 req_ssl_sni -m end domain1.de
acl domain2 req_ssl_sni -m end domain2.de
use_backend domain1-https_ipvANY if domain1
use_backend domain2-https_ipvANY if domain2
# :80 is a separate HTTP-mode frontend: the Host header only exists once HAProxy parses HTTP, which is what the ACME HTTP-01 request on port 80 needs
frontend Front-http
bind xxx.xxx.xxx.xxx:80 name xxx.xxx.xxx.xxx:80
mode http
log global
option http-keep-alive
timeout client 30000
acl domain1 hdr(host) -m end domain1.de
acl domain2 hdr(host) -m end domain2.de
use_backend domain1-http_ipvANY if domain1
use_backend domain2-http_ipvANY if domain2
backend domain1-https_ipvANY
mode tcp
id 101
log global
timeout connect 30000
timeout server 30000
retries 3
load-server-state-from-file global
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
server ProxyMan 172.28.200.255:8443 id 102 check inter 1000
backend domain2-https_ipvANY
mode tcp
id 100
log global
timeout connect 30000
timeout server 30000
retries 3
load-server-state-from-file global
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
server ProxyMan 192.168.7.1:8443 id 102 check inter 1000
backend domain1-http_ipvANY
mode http
id 103
log global
timeout connect 30000
timeout server 30000
retries 3
load-server-state-from-file global
server ProxyMan 172.28.200.255:8080 id 104 check inter 1000
backend domain2-http_ipvANY
mode http
id 105
log global
timeout connect 30000
timeout server 30000
retries 3
load-server-state-from-file global
server ProxyMan 192.168.7.1:8080 id 106 check inter 1000
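The working config above routes on two different keys: the SNI name inside the TLS ClientHello on :443 (the TCP-mode frontend never sees HTTP) and the Host header on :80 (visible only because that frontend is in HTTP mode). The following Python script is an added example, not code from the post or from HAProxy, that parses both keys from raw bytes and applies the page's `-m end` suffix ACLs to pick a backend. The backend names are taken from the config; the domain names, the constructed ClientHello and the sample ACME request are made up for the demo. Offset 43 in the ClientHello is the session-ID length byte, which is also what the config's `payload_lv(43,1)` stick rules read.

```python
"""Added example (not from the original post): extract the two dispatch keys the
HAProxy config relies on and route like its ACLs do.

- :443, TCP mode -> only the TLS ClientHello is available, so route on SNI.
- :80, HTTP mode -> the ACME HTTP-01 request is plain HTTP, so route on Host.
Domain names and sample messages are constructed for this demo.
"""
import struct
from typing import Optional

# Mirrors the page's use_backend tables (backend names from the config).
# HAProxy's `-m end` is a case-sensitive suffix match unless `-i` is given.
HTTPS_BACKENDS = {"domain1.de": "domain1-https_ipvANY", "domain2.de": "domain2-https_ipvANY"}
HTTP_BACKENDS = {"domain1.de": "domain1-http_ipvANY", "domain2.de": "domain2-http_ipvANY"}

# 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
SESSION_ID_LEN_OFFSET = 43  # the byte payload_lv(43,1) reads in the config


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (demo input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                   # version TLS 1.2, random (zeros)
            + b"\x00"                                                 # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                             # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse raw bytes the way a TCP-mode frontend must: return the SNI host name,
    or None if this is not a complete ClientHello carrying that extension."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                               # not a TLS handshake / ClientHello
        pos = SESSION_ID_LEN_OFFSET
        pos += 1 + record[pos]                                        # skip session_id
        (cs_len,) = struct.unpack_from("!H", record, pos)
        pos += 2 + cs_len                                             # skip cipher suites
        pos += 1 + record[pos]                                        # skip compression methods
        (ext_len,) = struct.unpack_from("!H", record, pos)
        pos, end = pos + 2, pos + 2 + ext_len
        if end > len(record):
            return None                                               # extensions truncated
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:
                entry = pos + 2                                       # skip server_name list length
                while entry + 3 <= pos + length:
                    (name_len,) = struct.unpack_from("!H", record, entry + 1)
                    if record[entry] == 0:
                        if entry + 3 + name_len > len(record):
                            return None                               # name truncated
                        return record[entry + 3:entry + 3 + name_len].decode("ascii", "replace")
                    entry += 3 + name_len
                return None
            pos += length
        return None
    except (IndexError, struct.error):
        return None                                                   # too short to decide yet


def extract_host(request: bytes) -> Optional[str]:
    """Return the Host header value of an HTTP/1.x request (what hdr(host) yields,
    port included if the client sent one), or None if headers are incomplete/absent."""
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        return None                                                   # headers not fully received
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def pick_backend(key: Optional[str], table: dict) -> Optional[str]:
    """Apply `acl ... -m end <suffix>` / use_backend: first matching suffix wins."""
    if key is None:
        return None
    for suffix, backend in table.items():
        if key.endswith(suffix):
            return backend
    return None                                                       # no use_backend rule matched


def route_https(record: bytes) -> Optional[str]:
    return pick_backend(extract_sni(record), HTTPS_BACKENDS)


def route_http(request: bytes) -> Optional[str]:
    return pick_backend(extract_host(request), HTTP_BACKENDS)


def is_acme_challenge(request: bytes) -> bool:
    """True when the request line targets the HTTP-01 validation path."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and parts[1].startswith(b"/.well-known/acme-challenge/")


if __name__ == "__main__":
    hello = build_client_hello("www.domain1.de")
    print("443 SNI:", extract_sni(hello), "->", route_https(hello))
    acme = (b"GET /.well-known/acme-challenge/DEMO-TOKEN HTTP/1.1\r\n"
            b"Host: www.domain2.de\r\nUser-Agent: acme-client\r\n\r\n")
    print(" 80 Host:", extract_host(acme), "->", route_http(acme), "acme:", is_acme_challenge(acme))
    print(" 80 through the SNI rule only:", route_https(acme))       # plain HTTP has no ClientHello
```

Running it shows why the single TCP-mode frontend could not serve the challenge: the ACME request on :80 carries no ClientHello, so SNI-based dispatch yields nothing for it, while the Host header is only there once the bytes are parsed as HTTP. Two details worth keeping in mind when writing the ACLs: `-m end` without `-i` is case-sensitive, and `hdr(host)` keeps any `:port` suffix, so a `Host: www.domain1.de:8080` would not match `-m end domain1.de`.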