Single IP to separate internal servers SSL


#1

Ok, so I have HAProxy on pfSense.

I have 2 servers that have their own certs (domain names), and when I open the firewall for those servers individually they are all OK.

However, as you know, ports 443 and 80 cannot be shared, and as a result HAProxy was suggested to me.

I have read that you can share a single IP address and have HAProxy refer to the proper server using the frontend/backend scheme, but documentation is lacking on the subject matter, or at least I have not found any tutorials on how to achieve this.

Any help would be excellent.


#2

From your description it’s unclear whether you want haproxy to switch between 2 different internal SSL servers (that would be based on the SNI name) or whether you need haproxy to switch between HTTP and HTTPS on a single port (“port 443 and 80 cannot share and as a result Ha-proxy was suggested to me”).

Can you clarify?


#3

I want haproxy to switch between 2 different internal SSL servers (that would be based on the SNI name).

I didn't know how to explain it, but glad you clarified what I was attempting to convey.

Yes, I have 2 internal servers that already have valid certs installed (SSL).


#4

Ok, take a look at this article:


#5

I would love to say I know what they're talking about, but I don't. I was more looking for tutorials or perhaps real-life configuration examples that I could build upon. In this article they do a great job of explaining whatever it is they are explaining, I'm sure, but it is all over my head.


#6

The following is an excerpt of the configuration example in that post; this should be what you need:

# Adjust the timeout to your needs
defaults
 timeout client 30s
 timeout server 30s
 timeout connect 5s

# Single VIP with sni content switching
frontend ft_ssl_vip
 bind 10.0.0.10:443
 mode tcp
 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 acl application_1 req_ssl_sni -i application1.domain.com
 acl application_2 req_ssl_sni -i application2.domain.com
 use_backend bk_ssl_application_1 if application_1
 use_backend bk_ssl_application_2 if application_2
 default_backend bk_ssl_default

# Application 1 farm description
backend bk_ssl_application_1
 mode tcp
 balance roundrobin
 option ssl-hello-chk
 server server1 192.168.1.1:443 check
 server server2 192.168.1.2:443 check

# Application 2 farm description
backend bk_ssl_application_2
 mode tcp
 balance roundrobin
 option ssl-hello-chk
 server server1 192.168.2.1:443 check
 server server2 192.168.2.2:443 check

# Sorry backend which should invite the user to update its client
backend bk_ssl_default
 mode tcp
 balance roundrobin
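As an added illustration (not from the thread or from HAProxy's own code): a small Python script that builds a constructed TLS ClientHello carrying an SNI extension, extracts the server name the way the `req_ssl_hello_type 1` / `req_ssl_sni` checks above look at the first client bytes, and picks a backend with the same case-insensitive rules as the posted frontend. The hostnames and backend names are taken from the config above; the ClientHello bytes and helper names are constructed for the example.

```python
import struct
from typing import Optional

# Mirrors the acl/use_backend lines of the posted frontend (constructed mapping).
BACKENDS = {
    "application1.domain.com": "bk_ssl_application_1",
    "application2.domain.com": "bk_ssl_application_2",
}

def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS record wrapping a ClientHello with a single server_name extension."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0), len, name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)      # client_version + 32-byte random
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI hostname, or None if the bytes are not a ClientHello or carry no SNI."""
    # Same gate as 'req_ssl_hello_type 1': handshake record (0x16) whose message type is 1.
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record + handshake headers, version, random
    p += 1 + data[p]                                 # session_id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher_suites
    p += 1 + data[p]                                 # compression_methods
    if p + 2 > len(data):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= end:                              # walk extensions until server_name (type 0)
        ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if ext_type == 0:
            name_len = struct.unpack("!H", data[p + 3:p + 5])[0]   # skip list len + name_type
            return data[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None

def choose_backend(data: bytes) -> str:
    """Case-insensitive match like 'acl ... req_ssl_sni -i', else default_backend."""
    sni = extract_sni(data)
    return BACKENDS.get(sni.lower() if sni else "", "bk_ssl_default")
```

A plain-HTTP request or a ClientHello without SNI fails the gate and lands in `bk_ssl_default`, which is why the posted config keeps an (empty) "sorry" backend for such clients.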


#7

Sorry for the late replies, I'll try this example if I can. One thing though, how do I do this in a GUI version of HAProxy, or take this to make it command line?


#8

There is no GUI version in the OSS project HAProxy.