HAProxy community

SSL termination on whole domain

Hello!

So I’m trying to do SSL termination in HAproxy. I decided to do it all there because I’ve heard I can use on certificate for all our clients. Ive tried to set this up and the certs work for the ones I’m testing with but the websites return Error 400 - Bad request.

Another thing I’m wondering is can I issue a cert for the whole of kulturhotell.se so that I can use that one cert for all the websites? How does that work? After that I could use seperate certs for the few that has their own domains.

Here is the config:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http
bind *:80
bind *:443 ssl crt /etc/ssl/sofietst.kulturhotell.se/sofietst.kulturhotell.se.pem crt /etc/ssl/cluster.kulturhotell.se/cluster.kulturhotell.se.pem
redirect scheme https code 301 if !{ ssl_fc }
option tcplog
mode tcp
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
default_backend web.kh.vbm.se

backend web.kh.vbm.se
balance roundrobin
option ssl-hello-chk
mode tcp
server web-01 192.168.11.100:443 check
server web-02 192.168.11.101:443 check

backend letsencrypt-backend
server letsencrypt 127.0.0.1:8888