What is the difference between FQDN and IP Address in haproxy.cfg

Phaneendra · March 4, 2024, 6:04am

Hi everyone,

What is the difference between the the below two server lines. Is there any security concern by specifying IP address instead of FQDN on server line?

server line with FQDN

server server1 bt-service.abc.com:443 check ssl ca-file @system-ca verify required verifyhost *.abc.com

server line with IP Address

server server1 xx.xx.xx.xx:443 check ssl ca-file @system-ca verify required verifyhost *.abc.com

A certificate was already attached to my backend server and when i execute the below command in my backend server/ instance it gave output as *.abc.com

command:

openssl x509 -noout -subject -in certificate certificate.pub

Is SSL verification process is same in both scenarios?

Thank you in advance !

lukastribus · March 4, 2024, 7:12am

There is no real difference, however what is important to remember that the DNS lookup will only happen once during haproxy start/restart/reload.

Haproxy will not periodically resolve the record again, so if it changes, you need to reload haproxy.

Configuring DNS resolvers in haproxy will solve this problem, please see Server DNS resolution

Phaneendra · March 4, 2024, 8:14am

@lukastribus , thanks for the explanation.

Are there any security concerns if we use IP Address instead of FQDN?

lukastribus · March 4, 2024, 9:19am

No, there are not, because you are doing SSL verification nonetheless.

Topic		Replies	Views
Get client ip address in https mode Help!	1	648	March 15, 2017
SSL handshake failure (Not secure) Help!	0	304	June 11, 2021
DNS Issues When Server Goes Down Help!	2	851	April 7, 2016
Reject if request on ip address Help!	0	168	December 28, 2023
Statistics Report Page Help!	0	324	April 4, 2019

What is the difference between FQDN and IP Address in haproxy.cfg

Related Topics