Unable to renew SSL certificates with servers using SSL passthrough

I am new to HAProxy. Currently, I have two different web servers, each with their own subdomain, behind my HAProxy setup. In order for each of these web servers to initially get their own SSL certificate, I had to port forward 443 and 80 from the router to each server individually and use certbot. Then I activated HAProxy & forwarded 80 & 443 from router to HAProxy.

Currently:

  • I can successfully access either web server on port 80, which then redirects to 443
  • I can successfully access either web server on port 443 and I see that they both register as having valid Let’s Encrypt certs
  • Certbot fails to renew SSL certs on either server

Here is my haproxy.conf:
global
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend main
    bind :443
    mode tcp
    tcp-request inspect-delay 10s
    # block annoying worms that fill the logs… (these ACLs are defined but not referenced by any rule below)
    acl forbidden_uris url_reg -i .(.|%2e)(.|%2e)(%2f|%5c|/|\\)
    acl forbidden_uris url_sub -i %00 <script xmlrpc.php
    acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

    # wait for the TLS ClientHello, then pick the backend from the SNI name;
    # TLS is passed through to the web servers unterminated
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend nextcloud if { req_ssl_sni -m end nextcloud.domain.com }
    use_backend chat if { req_ssl_sni -m end chat.domain.com }

    default_backend nextcloud

frontend port80-redirect
    bind *:80
    mode http
    # every plain-HTTP request is redirected to https
    redirect scheme https

backend chat
    mode tcp
    server chat 192.168.3.38:443 check

backend nextcloud
    mode tcp
    server nextcloud 192.168.3.36:443 check


Does anyone have any ideas on what I should change to get these servers’ certbot to successfully renew the SSL certs?

I worked around the issue I was having by using a DNS provider with an API supported by acme.sh and it’s all working. Not sure how to mark this as solved.
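For anyone who wants to keep certbot's HTTP-01 validation instead of switching to DNS-01: in the posted config the port-80 frontend redirects every request to HTTPS, so Let's Encrypt's GET of /.well-known/acme-challenge/<token> never reaches the web server that runs certbot, and on 443 the TLS passthrough cannot see the path at all. The following is an added example (not the poster's config) that routes only the ACME challenge path on port 80 to the right server by Host header and redirects everything else; the hostnames and server IPs are taken from the question, the backend names nextcloud_http and chat_http are assumed, and it assumes certbot (standalone or webroot mode) still answers on port 80 on each server.

```haproxy
frontend port80
    bind *:80
    mode http
    option httplog

    # Let's Encrypt validates HTTP-01 by fetching
    # http://<name>/.well-known/acme-challenge/<token> on port 80.
    acl acme_challenge path_beg /.well-known/acme-challenge/
    acl host_nextcloud hdr(host) -i nextcloud.domain.com
    acl host_chat      hdr(host) -i chat.domain.com

    # Hand the challenge to the server that runs certbot for that name
    # (backend names are assumed; the addresses are the ones from the question).
    use_backend nextcloud_http if acme_challenge host_nextcloud
    use_backend chat_http      if acme_challenge host_chat

    # Everything that is not a challenge is still sent to HTTPS.
    # http-request rules run before use_backend, so the exception is needed here.
    http-request redirect scheme https code 301 unless acme_challenge

backend nextcloud_http
    mode http
    server nextcloud 192.168.3.36:80 check

backend chat_http
    mode http
    server chat 192.168.3.38:80 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then run `certbot renew --dry-run` on each web server; the router only needs to forward 80 and 443 to HAProxy, and the existing 443 passthrough frontend stays unchanged.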