SSL Termination with exception for a specific domain Wildcard SSL-Certificate request

lukastribus · October 13, 2020, 9:44am

You are binding twice to port 443, you cannot do that. Your OS will load-balance between the two frontend which is absolutely NOT what you want.

You need a single frontend on port 443, in TCP mode, which is looking at the SNI value for routing decision making. For domains that you want to terminate locally, you need to define a backend that reconnects to a SSL terminating frontend with your configuration.

So for example:

move the frontend load-balancer from port *:443 to 127.0.0.1:1443
create a backend in tcp mode to reconnect to 127.0.0.1:1443
use that backend as a default_backend in wildcard_tcp, as opposed to webservers

Also see this example (slightly different use-case):

Topic		Replies	Views
SSL termination on whole domain Help!	0	431	May 29, 2020
Don't use SSL for default backend(?) Help!	5	1341	October 1, 2022
Haproxy SSL pass through Help!	4	1082	September 9, 2021
Force SSL renegotiation on subdomain change using wildcard certificate Help!	4	1110	September 19, 2021
Certificate/SSL termination problem Help!	3	1795	June 3, 2016

SSL Termination with exception for a specific domain Wildcard SSL-Certificate request

Related topics