Hi,
I am a beginner in HAProxy. I have four VMs, with HAProxy on one and Apache httpd on the other three. What I am trying to achieve is: when a user connects to the HAProxy IP using HTTPS, the connection should be redirected to any of the other three servers. Please find my configuration below:
```
global
    maxconn 50000
    log /dev/log local0
    log /dev/log local1 notice
    user root
    group root
    stats timeout 30s
    nbproc 2
    cpu-map auto:1/1-4 0-3
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    daemon

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ft_http
    bind :80
    mode http
    default_backend bk_http

frontend ft_https
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    mode tcp
    default_backend bk_https

backend bk_http
    mode http
    balance roundrobin
    default-server inter 1s
    server testserver1 192.168.0.1:80 check
    server testserver2 192.168.0.2:80 check
    server testserver3 192.168.0.3:80 check

backend bk_https
    mode tcp
    balance roundrobin
    stick-table type ip size 200k expire 1m
    default-server inter 1s
    server testserver1 192.168.0.1:443 check
    server testserver2 192.168.0.2:443 check
    server testserver3 192.168.0.3:443 check
```
and below is how crt-list.txt looks:

```
/etc/haproxy/testserver1.pem testserver1
/etc/haproxy/testserver2.pem testserver2
/etc/haproxy/testserver3.pem testserver3
```
I have generated the certificates by referring to these URLs: How to enable https on Apache CentOS - TechRepublic and https://www.suse.com/support/kb/doc/?id=000018152

Now, whenever I hit https://haproxy_ip in my browser, the browser prompts about an unsigned certificate, and it always belongs to testserver1. The certificates of the other two servers are not getting picked up.

And when I accept the certificate and proceed, I get a page with content like below:
```
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.2.34 (Amazon) Server at testserver1.localdomain Port 443
```
and whenever I reload the page, the last line of the message changes to `Apache/2.2.34 (Amazon) Server at testserver2.localdomain Port 443` and `Apache/2.2.34 (Amazon) Server at testserver2.localdomain Port 443` (but when I check the certificate, it is the one I created for testserver1).

Now, my question is: why am I always getting the certificate of testserver1? Could somebody please help me with this?

Thanks in advance.
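Two things in the posted configuration explain both symptoms. `bind :443 ssl crt-list ...` makes HAProxy terminate TLS, so what it forwards to the Apache servers on port 443 is already decrypted HTTP, which is exactly what Apache's "speaking plain HTTP to an SSL-enabled server port" page reports. And with a crt-list, HAProxy selects the certificate by the SNI hostname the client sends; a browser connecting to a bare IP sends no SNI, so nothing matches and HAProxy falls back to the first certificate in the list, which is testserver1's. The configuration below is an added example, not the poster's or the HAProxy project's own; it keeps the post's hosts, ports and certificate paths and assumes one extra file, `/etc/haproxy/ca.pem`, containing the CA (or the self-signed certificates themselves) that HAProxy should trust on the backend side, plus an unprivileged `haproxy` system account. It shows both ways to make HTTPS work: terminate on HAProxy and re-encrypt to Apache (variant A), or pass TLS through untouched and route on SNI (variant B).

```haproxy
# Added example configuration (not from the original post).
# Assumptions: /etc/haproxy/ca.pem exists and a "haproxy" system user exists.

global
    log /dev/log local0
    # drop root after the listening sockets are bound
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# crt-list.txt for variant A. The filter after each file is compared with the
# client's SNI, so it should be the hostname clients actually type; the first
# line is also the default served when no SNI matches (e.g. access by IP):
#   /etc/haproxy/testserver1.pem testserver1.localdomain
#   /etc/haproxy/testserver2.pem testserver2.localdomain
#   /etc/haproxy/testserver3.pem testserver3.localdomain

# Variant A: terminate TLS on HAProxy, then re-encrypt towards Apache.
# Because the frontend handles decrypted HTTP it must be "mode http", and
# every server line needs "ssl", otherwise Apache receives plaintext on 443.
frontend ft_https
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    mode http
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend bk_https

backend bk_https
    mode http
    balance roundrobin
    default-server inter 1s
    # "verify required" + "ca-file" makes HAProxy check the backend's
    # certificate; "sni" sends the backend's own name in the ClientHello.
    server testserver1 192.168.0.1:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(testserver1.localdomain) check
    server testserver2 192.168.0.2:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(testserver2.localdomain) check
    server testserver3 192.168.0.3:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(testserver3.localdomain) check

# Variant B: TLS passthrough. HAProxy never decrypts, so no certificate is
# bound here and each Apache server presents its own certificate to the
# browser. The SNI is read from the ClientHello to choose the backend; a
# client connecting by bare IP sends no SNI and gets default_backend.
# Shown on :8443 only so it does not clash with variant A above; in a real
# deployment keep one of the two frontends and bind it to :443.
frontend ft_https_passthrough
    bind :8443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend bk_tls_testserver1 if { req_ssl_sni -i testserver1.localdomain }
    use_backend bk_tls_testserver2 if { req_ssl_sni -i testserver2.localdomain }
    use_backend bk_tls_testserver3 if { req_ssl_sni -i testserver3.localdomain }
    default_backend bk_tls_any

backend bk_tls_any
    mode tcp
    balance roundrobin
    server testserver1 192.168.0.1:443 check
    server testserver2 192.168.0.2:443 check
    server testserver3 192.168.0.3:443 check

backend bk_tls_testserver1
    mode tcp
    server testserver1 192.168.0.1:443 check

backend bk_tls_testserver2
    mode tcp
    server testserver2 192.168.0.2:443 check

backend bk_tls_testserver3
    mode tcp
    server testserver3 192.168.0.3:443 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm which certificate is served for a given name, run `openssl s_client -connect <haproxy_ip>:443 -servername testserver2.localdomain` and compare the subject with the same command without `-servername`: the first returns the testserver2 certificate, the second the crt-list default. Note that with either variant a browser that connects by IP will still warn, because none of the certificates names the IP address; only a hostname that matches a certificate (and, in variant A, a certificate signed by a CA the browser trusts) removes the prompt.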