Answer the question
In order to leave comments, you need to log in
F
F
foxikne2020-05-05 16:37:30
foxikne, 2020-05-05 16:37:30
How to make in haproxy that a certificate is substituted for each domain?
Hello. Tell me, please, I stumbled upon a problem, you need to make sure that when requests for a specific domain go through Haproxy, they take a certificate, the one specified in haproxy, for each domain. Here's how I do it:
frontend domain.com
bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem
http-request redirect scheme https if !{ ssl_fc }
option http-server-close
option httplog
option forwardfor
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 443
# set HTTP Strict Transport Security (HTST) header
rspadd Strict-Transport-Security:\ max-age=15768000
acl host_domain.com hdr(host) -i domain.com
use_backend domain.com if host_domain.com
backend domain.com
balance leastconn
option http-keep-alive
option forwardfor
cookie SERVERID insert indirect nocache
timeout connect 30000
timeout server 30000
server server1 1.1.1.1:443 cookie 1 ssl verify none
server server2 2.2.2.2:443 cookie 2 ssl verify none
server server3 3.3.3.3:443 cookie 4 ssl verify noneso it works fine, but when I add a lot of sites, especially those with language subdomains:
de.domain.com, nl.domain.com, etc., it starts issuing incorrect certificates from other domains. Sometimes it comes out right, sometimes it doesn't. When there are few domains, then everything is fine, when there are many, it constantly substitutes different certificates. What am I doing wrong? How to fix it? To be honest, I don’t even know how to Google this problem correctly.
PS I have a self-signed certificate on the servers where the sites go, but I want it to be valid on the haproxy, which will be shown to users.
Thanks in advance for your help.
1 answer(s)
@foxikne
On port 443, all these sites terminate, and you specify one certificate.
Specifically, in your case, you need to specify the crt directive several times:
Or - easier - specify the directory where the correctly prepared certificates are located and load them all with the option crt /etc/haproxy/certs/
HAProxy will substitute certificates in alphabetical order. Accordingly, if you have an outdated certificate for en.domain.com and a new one for wildcard.domain.com in your folder, en... will be loaded until you delete it and restart HAProxy. Certificates from a folder are loaded when HAProxy starts, and when replacing certificates, you need to restart the software (especially important if you use loading from a folder)
.
Depending on the version of hapra, opensl and the presence / absence of openssl, or it can work differently.
E
Eugene, 2020-05-05 @foxikne
frontend domain.com
bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem
On port 443, all these sites terminate, and you specify one certificate.
Specifically, in your case, you need to specify the crt directive several times:
bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem crt /etc/haproxy/certs/en.domain.com.pem crt /etc/haproxy/certs/ru.domain.com.pem crt ...Or - easier - specify the directory where the correctly prepared certificates are located and load them all with the option crt /etc/haproxy/certs/
HAProxy will substitute certificates in alphabetical order. Accordingly, if you have an outdated certificate for en.domain.com and a new one for wildcard.domain.com in your folder, en... will be loaded until you delete it and restart HAProxy. Certificates from a folder are loaded when HAProxy starts, and when replacing certificates, you need to restart the software (especially important if you use loading from a folder)
.
Depending on the version of hapra, opensl and the presence / absence of openssl, or it can work differently.
Similar questions
A
K
A
E
D
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question