At one point I had SSL termination (with multiple certificates) working in 
haProxy (same version as in subject), however I noticed today that no matter 
which site I accessed I was being returned the default certificate.

During further troubleshooting, turning on 'strict-sni' indeed blocks all 
SSL traffic (except for traffic bound to the same domain as the default 
cert).

I've made a few configuration changes today, thanks to the slew of various 
SSL/haProxy articles, however no matter what change I've attempted the 
results are the same.

I apologize for the LONG initial post, however from reading through other 
forums, here are some of the items that have previously been asked for.

--------------------------------------------------
haproxy -vv

HA-Proxy version 1.5-dev25-a339395 2014/05/10
Copyright 2000-2014 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.30 2012-02-04
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

--------------------------------------------------
SSL FE from haproxy.cfg

frontend httpsProxy
        mode http
        ####################
        #bind <ip>:443 ssl crt /mnt/sslCerts/default.crt crt /mnt/sslCerts/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
        #bind <ip>:443 ssl crt /mnt/sslCerts/default.crt crt /mnt/sslCerts/certs.d strict-sni ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
        bind <ip>:443 ssl crt /mnt/sslCerts/default.crt crt /mnt/sslCerts/certs.d
        ####################
        option          logasap
        option          httplog
        option          httpclose
        option          http-server-close
        option          forwardfor header X-Forwarded-For
        http-request    set-header X-SSL %[ssl_fc]
        http-request    set-header X-SSL-SNI  %[ssl_fc_sni]
        reqadd          X-Forwarded-Proto:\ https
        reqadd          SNI_available:\ YES if { ssl_fc_has_sni }
        ####################
        default_backend prodHttpServers

I'm not sure where else to check at this point.
I've turned strict-sni off, and checked the X-SSL-SNI parameter that's being 
passed in, and it's matching the CN value of one of the certs available in 
the certs.d folder. (There are currently 6 different certs in the certs.d 
folder, all are exhibiting the same behavior.)
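The symptom above (every site gets the default certificate, and strict-sni then refuses everything) is what HAProxy produces when no certificate name matches the SNI the client sends. The following is an added example, not code from the post or from HAProxy: a small model of the documented SNI selection rules (case-insensitive exact match on CN/SAN names, a leading `*` label covering exactly one DNS label, otherwise the first/default certificate unless strict-sni is on, in which case the handshake is refused). The certificate paths and names below are constructed stand-ins for default.crt and the certs.d contents; in a real check you would fill `CERTS_D` from `openssl x509 -noout -subject -text` on each file.

```python
"""Model of HAProxy SNI certificate selection (added example, not HAProxy code).

Assumptions: certificates are represented as (path, names) pairs built here by
hand instead of parsed from PEM files; the matching rules are a model of the
documented behaviour, not HAProxy's implementation.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    path: str
    names: Tuple[str, ...]  # CN plus subjectAltName DNS entries


# Constructed stand-ins for the post's default.crt and certs.d directory.
DEFAULT_CERT = Cert("/mnt/sslCerts/default.crt", ("default.example",))
CERTS_D: Tuple[Cert, ...] = (
    Cert("/mnt/sslCerts/certs.d/shop.crt", ("shop.example", "www.shop.example")),
    Cert("/mnt/sslCerts/certs.d/wild.crt", ("*.apps.example",)),
)


def name_matches(pattern: str, sni: str) -> bool:
    """True if a certificate name (exact or leftmost-label wildcard) covers sni."""
    pattern = pattern.lower().rstrip(".")
    sni = sni.lower().rstrip(".")
    if pattern == sni:
        return True
    if pattern.startswith("*."):
        # "*.a.b" covers "x.a.b" but neither "a.b" nor "y.x.a.b".
        suffix = pattern[1:]
        if not sni.endswith(suffix) or len(sni) <= len(suffix):
            return False
        return "." not in sni[: -len(suffix)]
    return False


def lookup(sni: Optional[str]) -> Optional[Cert]:
    """Certificate whose names cover the SNI, or None when nothing matches."""
    if not sni:
        return None
    for cert in (DEFAULT_CERT,) + CERTS_D:
        if any(name_matches(name, sni) for name in cert.names):
            return cert
    return None


def select_cert(sni: Optional[str], strict_sni: bool = False) -> Optional[Cert]:
    """Certificate presented to the client; None means the handshake is refused.

    Without strict-sni an unmatched (or absent) SNI falls back to the default
    certificate, which is exactly the "always the default cert" symptom.
    With strict-sni the same situation refuses the connection instead.
    """
    matched = lookup(sni)
    if matched is not None:
        return matched
    return None if strict_sni else DEFAULT_CERT


def falls_through(hostnames: Iterable[str], strict_sni: bool = False) -> Dict[str, str]:
    """Report hostnames that get no dedicated certificate: 'default' or 'refused'."""
    report: Dict[str, str] = {}
    for host in hostnames:
        if lookup(host) is None:
            report[host] = "refused" if strict_sni else "default"
    return report


if __name__ == "__main__":
    # Names the sites are expected to be reached under; adjust to your own list.
    expected = ["shop.example", "api.apps.example", "deep.api.apps.example"]
    for mode in (False, True):
        print(f"strict-sni={'on' if mode else 'off'}:", falls_through(expected, mode))
```

Feeding the real SNI values (the X-SSL-SNI header already logged in the config) and the real CN/SAN names into this model quickly separates "the client sends a name nothing covers" (case, trailing dot, wildcard depth, name only in a SAN the check did not look at) from "certs.d was never loaded", which is the distinction the reload logs and `haproxy -c -f haproxy.cfg` then have to settle.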


