Anyone who runs load balancers at high throughput will know HAProxy immediately. If HAProxy is new to you, I highly recommend looking around and getting familiar with this great product. I use it personally and also recommend it (where the requirements match) to my customers. I thought I would create a separate category especially for this excellent piece of software and share some of the challenges and discoveries I have come across.
So today I will start with the fact that HAProxy supports SNI and that you can have multiple certificates assigned to a single listening socket. If you look around the internet (or even at the documentation) you will see it is common to use syntax like this:
frontend https-in
    bind *:443 ssl crt /etc/ssl/server1.pem crt /etc/ssl/server2.pem
    http-request set-header X-Forwarded-Proto https
    default_backend application-backend
What you can see here is that the certificates are specified directly on the bind line (the details of how HAProxy handles this are in the HAProxy documentation). HAProxy picks the certificate by the SNI hostname the client sends, and the first certificate listed is the default one, presented when the client sends no SNI at all or a name that matches none of the certificates. However, I have recently been using crt-list instead, which lets me specify certificates per domain in a separate file (and also do filtering within that file).
The file is as simple as this (basic, no filtering): each line is the path to a PEM file (certificate, chain and private key together) followed by the SNI name it should serve.
/etc/ssl/web/domain1.net.pem domain1.net
/etc/ssl/web/domain2.net.pem domain2.net
From there, in my config I use the following: the http-in frontend only redirects plain HTTP to HTTPS, and the https-in frontend loads all its certificates from the crt-list file instead of naming them on the bind line.
# Frontends

frontend http-in
    bind 0.0.0.0:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
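To see which certificate a client actually gets for a given SNI once the crt-list grows beyond the two-line file above, here is a small Python model written as an added example for this post; it is not HAProxy's code and not part of the original article. It parses the crt-list line format, including the optional [ssl options] block, wildcards and negative filters, and applies HAProxy's documented selection order: exact name, then one-label wildcard, then the first certificate in the file as the default, or a refused handshake when the bind line carries strict-sni. The paths and hostnames in it are constructed placeholders, and it goes one step beyond the post by covering the filter syntax and the strict-sni case.

```python
"""Model of how HAProxy chooses a certificate from a crt-list file.

Added illustration (not HAProxy code). It implements the documented rules:
  * crt-list line format:  <pem path> [<ssl options>] <sni filter> ...
  * lookup order: exact name, then one-label wildcard ("*.domain.net"
    covers "shop.domain.net" but not "a.shop.domain.net"), then the FIRST
    certificate in the file as the default
  * "!name" excludes a name from a wildcard on the same line
  * the bind option strict-sni: an absent or unmatched SNI is refused
    instead of being answered with the default certificate
Lines without filters are matched by HAProxy on the certificate's CN/SAN;
this model reads no PEM files, so such a line only ever acts as the default.
All paths and hostnames below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class CrtEntry:
    pem: str
    options: list = field(default_factory=list)  # tokens found inside [...]
    filters: list = field(default_factory=list)  # SNI filters, lowercased


def parse_crt_list(text: str) -> list:
    """Parse crt-list text into entries, preserving file order (order matters)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        pem, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        options = []
        if rest.startswith("["):
            close = rest.index("]")
            options = rest[1:close].split()
            rest = rest[close + 1:]
        entries.append(CrtEntry(pem, options, [f.lower() for f in rest.split()]))
    return entries


class SniResolver:
    """Answers 'which certificate does the client get for this SNI?'."""

    def __init__(self, entries: list, strict_sni: bool = False):
        self.entries = entries
        self.strict_sni = strict_sni
        self.exact = {}       # "www.domain1.net" -> CrtEntry
        self.wild = {}        # "*.domain2.net"   -> CrtEntry
        self.negated = set()  # names that must not fall into a wildcard
        for entry in entries:
            for flt in entry.filters:
                if flt.startswith("!"):
                    self.negated.add(flt[1:])
                elif flt.startswith("*."):
                    self.wild.setdefault(flt, entry)   # first declaration wins
                else:
                    self.exact.setdefault(flt, entry)

    def select(self, sni: str):
        """Return the CrtEntry presented, or None when the handshake is refused."""
        default = self.entries[0] if self.entries else None
        if not sni:  # client sent no SNI at all (old clients, IP-address scans)
            return None if self.strict_sni else default
        name = sni.lower()  # HAProxy compares names case-insensitively
        if name in self.exact:
            return self.exact[name]
        # A negated name never matches a wildcard; it drops to the default.
        if name not in self.negated and "." in name:
            wildcard = "*" + name[name.index("."):]
            if wildcard in self.wild:
                return self.wild[wildcard]
        return None if self.strict_sni else default


# Constructed crt-list, extending the two-line file from the post with
# an ssl-option block, a wildcard and a negative filter.
SAMPLE_CRT_LIST = """
/etc/ssl/web/domain1.net.pem domain1.net www.domain1.net
/etc/ssl/web/domain2.net.pem [alpn h2,http/1.1] domain2.net
/etc/ssl/web/wild.domain2.net.pem *.domain2.net !internal.domain2.net
"""


def presented_cert(sni: str, strict_sni: bool = False):
    """PEM path HAProxy would present for this SNI, or None if refused."""
    entry = SniResolver(parse_crt_list(SAMPLE_CRT_LIST), strict_sni).select(sni)
    return entry.pem if entry else None


if __name__ == "__main__":
    for host in ["domain1.net", "shop.domain2.net", "deep.shop.domain2.net",
                 "internal.domain2.net", "attacker.example", ""]:
        print(f"{host or '<no SNI>':24} default: {presented_cert(host)}  "
              f"strict-sni: {presented_cert(host, strict_sni=True)}")
```

Run it as a script and it prints, for a handful of hostnames, what the plain bind line and a bind line with strict-sni would present. The two rows worth looking at are internal.domain2.net and attacker.example: without strict-sni both are answered with the first certificate in the file, with strict-sni both handshakes are refused, which is usually what you want on a shared listener so that an unrelated certificate (and the hostnames in its SAN list) is not handed to anyone who connects by IP.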
And that's how easy it is. One thing to keep in mind: exactly as with the crt syntax, the first line of the crt-list file is the default certificate, presented to clients that send no SNI or a name that matches nothing. If you would rather refuse those handshakes than answer with an unrelated certificate, add strict-sni to the bind line. In coming posts I will try to publish more interesting information about HAProxy.