Almost all in the title.
How to configure my little zoo of, say, containers to work correctly behind one proxy? I have a separate certificate for every subdomain of every domain; I do not plan to use plain HTTP, only HTTPS; I do not plan to terminate SSL on the proxy, so I need SNI.
Where can I find a working example of the config file for my case, or at least a base to start from and to ask question(s) about? I tried some variants from the various examples I found, but none of them worked as expected.
Always take care that your certificates don’t overlap with each other, otherwise the browser will reuse existing TLS sessions for what is allowed by the certificate.
I see these repetitive lines in haproxy.log (10 per connection attempt, the port number increases):
Oct 30 19:39:59 scorry haproxy[18943]: XX.XX.XX.XX:34152 [30/Oct/2018:19:39:59.229] https-in~ https-in/<NOSRV> -1/-1/729 0 SC 1/1/0/0/0 0/0
For the sake of clarity, I deleted all the pem files instead of one, but it didn’t change anything.
And sites are accessible from LAN over HTTPS, so certs/webserver part seems working good.
Well, it looks like haproxy is unable to reach those backend servers while curl can reach them just fine.
I suggest you run haproxy through strace -tt for a short period of time while you reproduce it. That output will show exactly what the system calls return. I assume that something is intervening at the system level, like SELinux or something like that.
Ok, I found an issue in your configuration that I did not see at first:
You configured the https frontend with TLS termination (ssl crt /var/lib/haproxy/private/ after the bind :443), which means haproxy decrypts TLS here. But you are then passing everything as is to port 443 on your backends, without re-encryption (so you are sending plaintext HTTP to a HTTPS port).
You can either:
keep terminating TLS on haproxy, but send cleartext traffic to port 80 of your backend servers (just reuse the plaintext backends you already have for http)
keep terminating TLS on haproxy, but re-encrypt TLS vs your backends (add ssl and ca-file options to your servers)
just passthrough TCP port 443 without terminating it (just drop ssl crt /var/lib/haproxy/private/ from your bind line)
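To make the second and third options concrete, here is an added example config (not from this thread and not an official HAProxy sample): option 3 routes raw TLS by SNI without touching the certificates, and option 2 terminates on HAProxy and re-encrypts towards the backend with certificate verification. Hostnames, backend addresses, the 8443 port and the CA bundle path are assumptions.

```haproxy
# Added example (not from the thread). Hostnames, backend addresses,
# the 8443 port and the CA path are assumptions; adjust to your own zoo.

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Option 3: SNI passthrough. HAProxy never sees plaintext; each backend
# keeps its own certificate and terminates TLS itself.
frontend https-in
    mode tcp
    bind :443                      # no "ssl crt ..." here, so no termination
    tcp-request inspect-delay 5s   # wait for the ClientHello before routing
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend app1_tls if { req.ssl_sni -i app1.example.com }
    use_backend app2_tls if { req.ssl_sni -i app2.example.com }
    # Unknown or missing SNI is rejected rather than sent to a default host.
    default_backend drop

backend app1_tls
    mode tcp
    server app1 10.0.0.11:443 check

backend app2_tls
    mode tcp
    server app2 10.0.0.12:443 check

backend drop
    mode tcp
    tcp-request content reject

# --- Option 2: terminate on HAProxy and re-encrypt towards the backend.
# Use this frontend (on another port, or instead of the one above) when you
# need HTTP-level features such as header injection or per-path routing.
frontend https-term
    mode http
    bind :8443 ssl crt /var/lib/haproxy/private/   # every .pem in the dir, picked by SNI
    http-request set-header X-Forwarded-Proto https
    use_backend app1_reenc if { ssl_fc_sni -i app1.example.com }
    default_backend app1_reenc

backend app1_reenc
    mode http
    # "ssl" re-encrypts; "verify required" + ca-file checks the backend's cert;
    # "sni" forwards the original hostname so the backend picks its certificate.
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni ssl_fc_sni check
```

Validate with haproxy -c -f before reloading; with option 3 the log line above would show a named backend instead of <NOSRV> once SNI matching works.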