Single IP to separate internal servers SSL


#1

Ok so I have HAProxy on pfSense.

I have 2 servers that have their own certs (domain names), and when I open the firewall for those servers individually they are all OK.

However, as you know, port 443 and 80 cannot share, and as a result HAProxy was suggested to me.

I have read that you can share a single IP address and have HAProxy refer to the proper server using the frontend/backend scheme, but documentation is lacking on the subject matter, or at least I have not found any tutorials on how to achieve this.

Any help would be excellent.


#2

From your description it’s unclear whether you want haproxy to switch between 2 different internal SSL servers (that would be based on the SNI name) or whether you need haproxy to switch between HTTP and HTTPS on a single port (“port 443 and 80 cannot share and as a result Ha-proxy was suggested to me”).

Can you clarify?


#3

I want haproxy to switch between 2 different internal SSL servers (that would be based on the SNI name).

I didn't know how to explain it, but I'm glad you clarified what I was attempting to convey.

Yes, I have 2 internal servers that already have valid certs installed (SSL).


#4

Ok, take a look at this article:


#5

I would love to say I know what they’re talking about, but I don’t. I was more looking for tutorials or perhaps real-life configuration examples that I could build upon. In this article they do a great job of explaining whatever it is they are explaining, I’m sure, but it is all over my head.


#6

The following is an excerpt of the configuration example in that post; this should be what you need:

# Adjust the timeout to your needs
defaults
 timeout client 30s
 timeout server 30s
 timeout connect 5s

# Single VIP with SNI content switching (haproxy does not terminate TLS here)
frontend ft_ssl_vip
 bind 10.0.0.10:443
 mode tcp
 # Buffer the connection for up to 5s and only proceed once a TLS ClientHello
 # (handshake type 1) has arrived, so that req_ssl_sni has something to read
 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 # Match on the unencrypted SNI hostname from the ClientHello (-i = case-insensitive)
 acl application_1 req_ssl_sni -i application1.domain.com
 acl application_2 req_ssl_sni -i application2.domain.com
 use_backend bk_ssl_application_1 if application_1
 use_backend bk_ssl_application_2 if application_2
 # Anything without a matching SNI (or without SNI at all) lands here
 default_backend bk_ssl_default

# Application 1 farm description
backend bk_ssl_application_1
 mode tcp
 balance roundrobin
 option ssl-hello-chk
 server server1 192.168.1.1:443 check
 server server2 192.168.1.2:443 check

# Application 2 farm description
backend bk_ssl_application_2
 mode tcp
 balance roundrobin
 option ssl-hello-chk
 server server1 192.168.2.1:443 check
 server server2 192.168.2.2:443 check

# Sorry backend which should invite the user to update its client
backend bk_ssl_default
 mode tcp
 balance roundrobin
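
To show why the tcp-mode frontend above can route on hostname without holding either server's certificate: the server name sits unencrypted in the TLS ClientHello, which is exactly the field `req_ssl_sni` reads before any decryption happens. The following Python script is added here as an illustration (it is not from the thread above or from HAProxy): it parses that field out of a ClientHello record and applies the same `use_backend`/`default_backend` decision as the posted config, including the fall-through to `bk_ssl_default` when the SNI is missing, truncated or not TLS at all. The ClientHello used as input is constructed by the script itself.

```python
import struct
# Routing table mirroring the two ACLs in the posted config: SNI -> backend
SNI_BACKENDS = {
    "application1.domain.com": "bk_ssl_application_1",
    "application2.domain.com": "bk_ssl_application_2",
}
DEFAULT_BACKEND = "bk_ssl_default"
def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent/unparseable."""
    try:
        # Record header: 0x16 = handshake; handshake type 0x01 = ClientHello (req_ssl_hello_type 1)
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len:
            return None          # truncated hello: haproxy would keep buffering up to inspect-delay
        pos = 2 + 32             # skip client_version and random
        pos += 1 + body[pos]     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]     # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:    # walk the extensions list
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:    # server_name extension
                data = body[pos:pos + ext_size]
                if data[2] == 0:  # name_type 0 = host_name
                    name_len = struct.unpack("!H", data[3:5])[0]
                    return data[5:5 + name_len].decode("ascii").lower()
            pos += ext_size
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                     # plaintext HTTP, garbage, or malformed hello: no SNI
    return None

def choose_backend(record: bytes) -> str:
    """Same decision as the posted frontend: use_backend by SNI (case-insensitive), else default_backend."""
    return SNI_BACKENDS.get(extract_sni(record), DEFAULT_BACKEND)
def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, zero random) for testing only."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if server_name is not None:
        name = server_name.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because the name is sent in the clear, the backend choice is visible to anyone on the path; the certificates themselves stay on the internal servers, which is why no key material is needed on the haproxy host for this setup.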

#7

Sorry for the late reply, I'll try this example if I can. One thing though: how do I do this in a GUI version of HAProxy, or take this to make it command line?


#8

There is no GUI version in the OSS project HAProxy.


#9

@dureal99d
lukastribus is right, HAProxy doesn't provide a GUI for the configuration, but the interface you are talking about is provided by pfSense.

In this interface you might have an advanced mode where you will be able to cut and paste the configuration lukastribus provided to you.

I think this https://forum.netgate.com/topic/112223/https-redirect-to-different-internal-ip-s/5
gives a better explanation of what you are trying to accomplish.

Let me know if you need more help!


#10

Thank you, I will try this and report back soon!!!