What is the difference between FQDN and IP Address in haproxy.cfg

Hi everyone,

What is the difference between the below two server lines? Is there any security concern in specifying an IP address instead of an FQDN on the server line?

server line with FQDN

server server1 bt-service.abc.com:443 check ssl ca-file @system-ca verify required verifyhost *.abc.com

server line with IP Address

server server1 xx.xx.xx.xx:443 check ssl ca-file @system-ca verify required verifyhost *.abc.com

A certificate was already attached to my backend server, and when I execute the below command on my backend server/instance it gave the output *.abc.com


openssl x509 -noout -subject -in certificate.pub

Is the SSL verification process the same in both scenarios?

Thank you in advance!

There is no real difference; however, what is important to remember is that the DNS lookup will only happen once during haproxy start/restart/reload.

Haproxy will not periodically resolve the record again, so if it changes, you need to reload haproxy.

Configuring DNS resolvers in haproxy will solve this problem, please see Server DNS resolution
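
A sketch of the resolvers setup referred to above, added here as an example and not taken from the thread or from the HAProxy project. The section name `mydns`, the backend name `be_bt_service` and the nameserver address 192.0.2.53 are placeholders; the server line is the FQDN one from the question with runtime resolution added.

```haproxy
# Runtime DNS resolution for backend servers (names and addresses are placeholders)
resolvers mydns
    # Resolver to query; 192.0.2.53 is a documentation address, replace with your own
    nameserver dns1 192.0.2.53:53
    # Retries and timeouts for a single resolution attempt
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    # Keep the last valid answer for 10s before asking again
    hold valid 10s

backend be_bt_service
    # Same TLS settings as in the question: the certificate chain is validated
    # against the system CA store and the certificate name is checked against
    # the verifyhost value, whichever address DNS returns for the server.
    #
    # resolvers mydns : re-resolve bt-service.abc.com at runtime instead of
    #                   only at start/restart/reload
    # init-addr       : at startup try the address from the server state file,
    #                   then the system resolver (libc), and otherwise start
    #                   with no address rather than refusing to start
    server server1 bt-service.abc.com:443 check ssl ca-file @system-ca verify required verifyhost *.abc.com resolvers mydns init-addr last,libc,none
```
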

@lukastribus, thanks for the explanation.

Are there any security concerns if we use IP Address instead of FQDN?

No, there are not, because you are doing SSL verification nonetheless.