
HAproxy – SSL domains in crt-list

I think anyone pushing high throughput through load balancers will know HAProxy immediately. If HAProxy is new to you, I highly recommend having a look around and getting yourself familiar with this great product. I use it personally and also recommend it (where the requirements match) to my customers. I thought I would create a separate category for this awesome piece of software and share with you some of the challenges and discoveries I have come across.

So today I will start with the fact that HAProxy supports SNI and that you can have multiple certificates assigned to a single bind line. If you look around the internet (or even at the documentation) you will see it is common to use syntax like:

frontend https-in
    # one bind line, several certificates; HAProxy picks one by the SNI the client sends
    bind *:443 ssl crt /etc/ssl/server1.pem crt /etc/ssl/server2.pem

    # set-header replaces any client-supplied X-Forwarded-Proto, so the backend can trust it
    http-request set-header X-Forwarded-Proto https

    default_backend application-backend


What you can see here is that we are specifying the certificates one by one on the bind line (the HAProxy documentation describes in detail how this is handled). However, I have recently been using crt-list, which lets me specify certificates per domain (and also do filtering within that file). One caveat worth knowing: the first certificate in the list is the default one, served to clients that send no SNI or a name that matches no entry, so a typo in the file does not fail the handshake but silently hands out the default certificate. If you would rather reject such handshakes, add strict-sni to the bind line.

The file looks as simple as this (basic version, no filtering):

/etc/ssl/web/domain1.net.pem domain1.net
/etc/ssl/web/domain2.net.pem domain2.net


From there in my config I use the following :

#  _____                    _                    _
# |  ___|_ __  ___   _ __  | |_  ___  _ __    __| | ___
# | |_  | '__|/ _ \ | '_ \ | __|/ _ \| '_ \  / _` |/ __|
# |  _| | |  | (_) || | | || |_|  __/| | | || (_| |\__ \
# |_|   |_|   \___/ |_| |_| \__|\___||_| |_| \__,_||___/


frontend http-in
    bind 0.0.0.0:80
    # plain HTTP: send everything to HTTPS
    redirect scheme https code 301 if !{ ssl_fc }


frontend https-in
    # certificates and their SNI names come from the crt-list file
    bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt

    # overwrite any client-supplied value; only set on TLS connections
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
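Before reloading HAProxy with a crt-list I like to know which certificate a given name will actually get. The script below is an added example of mine, not code from this post or from the HAProxy project: it parses a crt-list in the documented format (a '#' starts a comment, optional [ssl options] after the file name, then SNI filters, with '*.' wildcards and '!' exclusions), resolves an SNI the way HAProxy does (exact name beats wildcard, a wildcard covers exactly one label, a '!name' on a line removes that name from that line), and lints for names claimed by two files. The sample crt-list contents, file paths and names are constructed for the example; it does not open the PEM files.

```python
"""Parse an HAProxy crt-list and work out which certificate a given SNI selects.
Added illustration, not HAProxy's own code: the matching rules follow the
documented crt-list behaviour but the PEM files themselves are never opened."""
import re
from dataclasses import dataclass, field


@dataclass
class CrtEntry:
    certfile: str
    options: str = ""                              # text inside [...]
    filters: list = field(default_factory=list)    # SNI names / wildcards
    excludes: list = field(default_factory=list)   # names written as !name


# <certfile> [<ssl options>] <filter> <filter> ...
LINE_RE = re.compile(r"^(\S+)(?:\s+\[([^\]]*)\])?(.*)$")


def parse_crt_list(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        if not line:
            continue
        m = LINE_RE.match(line)
        entry = CrtEntry(m.group(1), (m.group(2) or "").strip())
        for tok in m.group(3).split():
            name = tok.lower().rstrip(".")         # SNI is case-insensitive
            if name.startswith("!"):
                entry.excludes.append(name[1:])
            else:
                entry.filters.append(name)
        entries.append(entry)
    return entries


def _matches(pattern, host):
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # "*.domain1.net" -> ".domain1.net"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label    # exactly one extra label
    return pattern == host


def select_cert(entries, sni):
    """Cert file served for this SNI, or None when no entry matches (HAProxy
    would then fall back to the first certificate, or refuse the handshake
    when strict-sni is set on the bind line)."""
    host = sni.lower().rstrip(".")
    best, best_rank = None, 2
    for e in entries:
        if any(_matches(x, host) for x in e.excludes):
            continue                               # '!name' removes it from this line
        for f in e.filters:
            if _matches(f, host):
                rank = 1 if f.startswith("*.") else 0   # exact beats wildcard
                if rank < best_rank:
                    best, best_rank = e.certfile, rank
    return best


def lint(entries):
    """Warnings worth reading before a reload: a name listed for two different
    files is ambiguous (HAProxy keeps the first), and a line with no filter
    takes its names from inside the PEM, which this script does not inspect."""
    warnings, seen = [], {}
    for e in entries:
        if not e.filters:
            warnings.append(f"{e.certfile}: no SNI filter, names come from the certificate")
        for f in e.filters:
            if f in seen and seen[f] != e.certfile:
                warnings.append(f"{f}: listed for both {seen[f]} and {e.certfile}")
            seen.setdefault(f, e.certfile)
    return warnings


# Constructed sample crt-list; paths and names are illustrative only.
SAMPLE_CRT_LIST = """
# certfile                        [ssl options]        sni filters
/etc/ssl/web/domain1.net.pem                           domain1.net www.domain1.net
/etc/ssl/web/wild.domain1.net.pem [alpn h2,http/1.1]   *.domain1.net !api.domain1.net
/etc/ssl/web/api.domain1.net.pem                       api.domain1.net
/etc/ssl/web/domain2.net.pem                           domain2.net
/etc/ssl/web/legacy.pem
"""
ENTRIES = parse_crt_list(SAMPLE_CRT_LIST)

if __name__ == "__main__":
    for name in ("www.domain1.net", "shop.domain1.net", "api.domain1.net", "a.b.domain1.net"):
        print(f"{name:20} -> {select_cert(ENTRIES, name)}")
    for w in lint(ENTRIES):
        print("WARNING:", w)
```

Point it at your real crt-list by reading the file into parse_crt_list instead of the sample string; the interesting cases to try are names two levels below a wildcard and names you expect an exclusion to push onto a more specific certificate.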


And that is how easy it is. In coming posts I will try to publish more interesting information about HAProxy.

rafpe
