HAproxy
foxikne, 2020-05-05 16:37:30

How do I make HAProxy serve a separate certificate for each domain?

Hello. Please advise: I have run into a problem. I need requests for a specific domain that pass through HAProxy to use the certificate specified in HAProxy for that domain. Here is how I do it:

frontend domain.com
  bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem
  http-request redirect scheme https if !{ ssl_fc }
  option http-server-close
  option httplog
  option forwardfor
  reqadd X-Forwarded-Proto:\ https
  reqadd X-Forwarded-Port:\ 443

  # set HTTP Strict Transport Security (HSTS) header
  rspadd Strict-Transport-Security:\ max-age=15768000

  acl host_domain.com hdr(host) -i domain.com
  use_backend domain.com if host_domain.com

backend domain.com
  balance leastconn
  option http-keep-alive
  option forwardfor
  cookie SERVERID insert indirect nocache
  timeout connect 30000
  timeout server 30000

  server server1 1.1.1.1:443 cookie 1 ssl verify none
  server server2 2.2.2.2:443 cookie 2 ssl verify none
  server server3 3.3.3.3:443 cookie 4 ssl verify none


This works fine, but when I add a lot of sites, especially ones with language subdomains (de.domain.com, nl.domain.com, etc.), it starts serving the wrong certificates, ones belonging to other domains. Sometimes it comes out right, sometimes it doesn't. When there are few domains everything is fine; when there are many, it constantly substitutes different certificates. What am I doing wrong? How do I fix it? To be honest, I don't even know how to google this problem properly.

PS: The servers the sites are hosted on have a self-signed certificate, but I want a valid certificate on the HAProxy side, which is the one shown to users.

Thanks in advance for your help.

1 answer(s)
Eugene, 2020-05-05
@foxikne

frontend domain.com
bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem

On port 443 all these sites terminate, and you specify one certificate.
Specifically, in your case you need to specify the crt directive several times:
bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem crt /etc/haproxy/certs/en.domain.com.pem crt /etc/haproxy/certs/ru.domain.com.pem crt ...

Or, easier, specify the directory where the correctly prepared certificates are located and load them all with the option crt /etc/haproxy/certs/
HAProxy will substitute certificates in alphabetical order. Accordingly, if you have an outdated certificate for en.domain.com and a new one for wildcard.domain.com in your folder, en... will be loaded until you delete it and restart HAProxy. Certificates from a folder are loaded when HAProxy starts, and when replacing certificates you need to restart the software (especially important if you use loading from a folder).
Depending on the version of HAProxy and OpenSSL, and the presence or absence of OpenSSL, it may work differently.
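As an added example (not part of the answer above, and not HAProxy's own code), a small Python model of how HAProxy picks a certificate from a crt directory: files are loaded in alphabetical order, the first file loaded is the default when no SNI name matches, an exact SNI match beats a wildcard, and among equal matches the first loaded file wins. The directory contents are constructed; in practice you would fill CERT_DIR from each PEM's subjectAltName list.

```python
from typing import Dict, List, Optional

# Constructed sample of a crt directory: file name -> hostnames the certificate
# covers (its SAN list). Names and contents are assumed, not from a real host.
CERT_DIR: Dict[str, List[str]] = {
    "domain.com.pem": ["domain.com", "www.domain.com"],
    "en.domain.com.pem": ["en.domain.com"],          # assume: stale, to be deleted
    "wildcard.domain.com.pem": ["*.domain.com"],
}

def load_order(cert_dir: Dict[str, List[str]]) -> List[str]:
    """HAProxy loads a crt directory in alphabetical file order; the first file
    loaded becomes the default certificate, served when no SNI name matches."""
    return sorted(cert_dir)

def _matches(name: str, host: str, wildcard: bool) -> bool:
    """Exact match, or (when wildcard=True) a '*.x' name covering one label."""
    name, host = name.lower(), host.lower()
    if not wildcard:
        return name == host
    return (name.startswith("*.") and host.endswith(name[1:])
            and host.count(".") == name.count("."))

def pick_cert(cert_dir: Dict[str, List[str]], sni: Optional[str]) -> str:
    """Model HAProxy's SNI lookup: an exact name beats a wildcard, and among
    equal matches the first loaded file wins; no match (or no SNI) -> default."""
    order = load_order(cert_dir)
    if sni:
        for wildcard in (False, True):
            for fname in order:
                if any(_matches(n, sni, wildcard) for n in cert_dir[fname]):
                    return fname
    return order[0]

def overlaps(cert_dir: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Hostnames covered by more than one file, in load order: the place to
    look for a stale certificate that shadows a newer wildcard one."""
    result: Dict[str, List[str]] = {}
    order = load_order(cert_dir)
    explicit = sorted({n for names in cert_dir.values()
                       for n in names if not n.startswith("*.")})
    for host in explicit:
        files = [f for f in order
                 if any(_matches(n, host, n.startswith("*.")) for n in cert_dir[f])]
        if len(files) > 1:
            result[host] = files
    return result
```

Running overlaps(CERT_DIR) shows en.domain.com served by the stale file rather than the wildcard, which is exactly the case where deleting the old file and restarting HAProxy is needed.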
