[Solved] Unexpected behaviour in SSL termination



I’m using SSL termination in HAProxy. HAProxy is handling connections for multiple hosts on port 443. We have different certificates for different hosts, so I chose to use crt-list in the ssl directive to provide a mapping file of hosts and their certificates.

Here is haproxy.cfg and crt-list.txt

frontend https-in
    # bind needs an address/port before the ssl options (the site listens on 443)
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt

and crt-list.txt

# documented crt-list line format: <crtfile> [<filter>...] (certificate first, then SNI filters)
/path/to/foo.pem host1
/path/to/bar.pem host2

When I come from host1 or host2, it takes the correct configuration, but when I come from another domain, for example host3, it takes the certificate of host1. I don’t know whether this should happen or not.

I think I can redirect to HTTP if the host does not exist in the crt-list.txt file, but I don’t know how to accomplish that. Or if anyone has a suggestion on the correct way to handle the request, it would be welcome.

Thanks & Regards,
Chintan Patel


Expected behavior as documented:

Use strict-sni to reject those TLS sessions:


Thanks @lukastribus for your help. It worked. :slight_smile:
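As an added illustration of the behaviour discussed in this thread (not code from the thread or from HAProxy itself), the script below models how a crt-list selects a certificate for a given SNI: an unmatched or absent SNI falls back to the first certificate in the list, and strict-sni turns that fallback into a refused handshake. The crt-list contents and certificate paths are constructed placeholders; negated filters and certificates without filters are not modelled.

```python
# Simplified model of HAProxy crt-list certificate selection, written for this
# thread as an example; it is not HAProxy's own code. Certificate paths and the
# crt-list contents below are constructed placeholders.
import re
from typing import List, Optional, Tuple

# Constructed crt-list in the documented order: <crtfile> [ssl options] [<filter>...]
CRT_LIST = """\
/path/to/foo.pem host1
/path/to/bar.pem [alpn h2,http/1.1] host2 *.host2
"""

def parse_crt_list(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(cert_path, [sni_filters...])] in file order, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        line = re.sub(r"\[[^\]]*\]", " ", line)  # drop bracketed ssl options
        parts = line.split()
        if not parts:
            continue
        entries.append((parts[0], [p.lower() for p in parts[1:]]))
    return entries

def sni_matches(sni: str, filt: str) -> bool:
    """Exact match, or a '*.' wildcard that covers exactly one leading label."""
    if filt.startswith("*."):
        head, _, tail = sni.partition(".")
        return bool(head) and tail == filt[2:]
    return sni == filt

def select_cert(entries, sni: Optional[str], strict_sni: bool) -> Optional[str]:
    """First entry whose filter matches the SNI wins. Without strict-sni an
    unmatched (or absent) SNI falls back to the first certificate in the list,
    which is what the original poster observed for host3. With strict-sni the
    handshake is refused instead, modelled here as None."""
    if sni:
        sni = sni.lower().rstrip(".")
        for path, filters in entries:
            if any(sni_matches(sni, f) for f in filters):
                return path
    if strict_sni:
        return None
    return entries[0][0] if entries else None

ENTRIES = parse_crt_list(CRT_LIST)

if __name__ == "__main__":
    for host in ("host1", "host2", "www.host2", "host3", None):
        print(host, select_cert(ENTRIES, host, False), select_cert(ENTRIES, host, True))
```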