Ping a Specific Port

Question

user22711

Asked: 2013-12-13 09:37:01 +0800 CST2013-12-13 09:37:01 +0800 CST 2013-12-13 09:37:01 +0800 CST

Configure multiple SSL certificates in Haproxy

772

My haproxy instance serves 2 domains (mostly to avoid XSS on the main site).

The rules look something like this

bind :443 ssl crt /etc/ssl/haproxy.pem

acl is_static   hdr_end(Host) -i example.com
acl is_api      hdr_end(Host) -i api.example.com
acl is_files    hdr_end(Host) -i example.io

redirect scheme https if !{ ssl_fc } is_static is_api

Now SSL uses /etc/ssl/haproxy.pem as the default cert, which is the certificate for example.com and not example.io.

How can I specify certs for multiple domain names?

3 Answers

Voted

Rico · Answer 1 · 2013-12-13T10:19:06+08:00

You can concatenate all your certificates into files say haproxy1.pem and haproxy2.pem or you can specify a directory containing all your pem files.

cat cert1.pem key1.pem > haproxy1.pem 
cat cert2.pem key2.pem > haproxy2.pem

As per the haproxy docs

Then on the config use something like this:

defaults
  log 127.0.0.1 local0
  option tcplog

frontend ft_test
  mode http
  bind 0.0.0.0:443 ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem 
  use_backend bk_cert1 if { ssl_fc_sni my.example.com } # content switching based on SNI
  use_backend bk_cert2 if { ssl_fc_sni my.example.org } # content switching based on SNI

backend bk_cert1
  mode http
  server srv1 <ip-address2>:80

backend bk_cert2
  mode http
  server srv2 <ip-address3>:80

Read more about SNI

Keep in mind that SSL support is in development staging for haproxy and also that it apparently has considerable performance hit.

There are other solutions talked about in this thread: https://stackoverflow.com/questions/10684484/haproxy-with-multiple-https-sites

Hope this helps.

Tim · Answer 2 · 2018-10-31T13:08:12+08:00

Tim

2018-10-31T13:08:12+08:002018-10-31T13:08:12+08:00

No need to concat or specify a list of certificates anymore, just specify a folder:

frontend public
    bind *:443 ssl crt /etc/haproxy/ssl/

Note: make sure the folder isn't empty and valid PEM files are present, otherwise HAProxy will not run.

24

zx1986 · Answer 3 · 2018-03-20T02:32:50+08:00

zx1986

2018-03-20T02:32:50+08:002018-03-20T02:32:50+08:00

maybe you could check this too:

/etc/ssl/private/crt-list.txt:

/etc/ssl/private/mydomain.pem
/etc/ssl/private/myotherdomain.pem

haproxy.cfg:

frontend https-in:
  bind *:443 ssl crt-list /etc/ssl/private/crt-list.txt

refs: https://github.com/msimerson/Mail-Toaster-6/wiki/How-to-for-Multiple-Domain-SSL-Certificates-with-HaProxy

10

Configure multiple SSL certificates in Haproxy

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?