HAproxy – SSL domains in crt-list
I think for those using high throughput to load balancers will know HAproxy immediately. If HAproxy is something new to you – I highly recommend to scatter around and get your self familiar with this great product. I use it personally and as well recommend it ( if the requirements match ) to my customers. I thought I will create separate category especially for this awesome piece of art and will share with you some of my challenges and discoveries I came across with.
So today I will start with the fact that HAproxy supports SNI and that you can have multiple certificates assigned. If you look at internet ( or even at the documentation ) you will see its common to use syntax like :
|
1 2 3 4 5 6 |
frontend https-in bind *:443 ssl crt /etc/ssl/server1.pem crt /etc/ssl/server2.pem http-request set-header X-Forwarded-Proto https default_backend application-backend |
What you can see here is that we are specifying certificates ( detailed way of HApoxy handles this can be found under link ) . However I have been recently using crt-list which allows me to specify certificates for domains ( and also do filtering within that file ) .
File looks as easy as (basic no filtering ) :
|
1 2 |
/etc/ssl/web/domain1.net.pem domain1.net /etc/ssl/web/domain2.net.pem domain2.net |
From there in my config I use the following :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# _____ _ _ # | ___|_ __ ___ _ __ | |_ ___ _ __ __| | ___ # | |_ | '__|/ _ \ | '_ \ | __|/ _ \| '_ \ / _` |/ __| # | _| | | | (_) || | | || |_| __/| | | || (_| |\__ \ # |_| |_| \___/ |_| |_| \__|\___||_| |_| \__,_||___/ frontend http-in bind 0.0.0.0:80 redirect scheme https code 301 if !{ ssl_fc } frontend https-in bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt http-request set-header X-Forwarded-Proto https if { ssl_fc } |
And thats how easy it is. In coming posts I will try to publish more interesting information abut HAproxy.
