I logged this on Stack Overflow
(http://stackoverflow.com/questions/29133477/haproxy-with-multiple-certificates-one-of-which-being-wild-card-and-the-other),
but HAProxy usage there is pretty low.
 
This is my first mailing list email in years, please let me know if I have
broken any rules.
 
 
I have HAProxy working pretty well. I have ports 80 and 443 open, TCP on 443
to an internal proxy, HTTPS end to end. I am serving the certificates
*.mycompany.com.au and www.secure.mycompany.com.au.
SNI does not seem to be working, as when I go to secure.mycompany.com.au I
keep getting the www.secure.mycompany.com.au certificate (and weirdly most
browsers do not throw an error). But when I go to mail.mycompany.com.au I get
the *.mycompany.com.au certificate correctly.
 
If I remove the www.secure.mycompany.com.au cert from the SSL directory and I
browse to secure.mycompany.com.au, I get the correct certificate, but of course
when I go to www.secure.mycompany.com.au I get an error in the browser, as it
tries to give me the *.mycompany.com.au certificate.
 
Can anyone see what I am doing wrong, please?
By the way, I also have a *.abc.def.mycompany.com.au and a
*.def.mycompany.com.au in this same config (removed from below, but in the same
syntax), and they are working perfectly.

haproxy -version
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau <[email protected]>




##################################################################################
global
  daemon
  user haproxy
  group haproxy
  log /dev/log local0 info
  log /dev/log local0 notice
  ulimit-n 20000
  pidfile /var/run/haproxy.pid
  tune.ssl.default-dh-param 2048

##################################################################################

## Port 80 is open only to redirect all requests to port 443.
frontend unsecure
    bind 123.123.123.155:80 #Prod
    bind 192.168.14.155:80 #Prod
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

##################################################################################

## Listen on 443 and forward to the internal proxy on 88. Needed for SSL end
## to end.
listen ssl-proxy
   # Get certificates from the SSL directory. Every PEM file in it is loaded;
   # the certificate is chosen by matching the client's SNI name against each
   # file's CN and subject alt names, and the first file loaded is the default
   # presented when nothing matches (or when the client sends no SNI).
   # Note: the cipher list names RC4-SHA and then removes it again with !RC4.
   bind 123.123.123.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
   bind 192.168.14.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3

   mode tcp
   server http 127.0.0.1:88 send-proxy

##################################################################################

frontend internal_proxy
    mode http
    bind 127.0.0.1:88 accept-proxy name accept-sslproxy
    bind-process 1

    ## Only accept mycompany host headers. This rule lives here rather than
    ## in the tcp-mode listen section above because http-request rules and
    ## the hdr_* fetches only take effect in HTTP mode; in TCP mode the
    ## request is never parsed and the rule is not applied.
    http-request deny if !{ hdr_end(Host) -i mycompany.com.au } !{ hdr_end(Host) -i www.secure.mycompany.com.au }

    acl is_secure_mycompany_com_au hdr_end(host) -i www.secure.mycompany.com.au
    acl is_secure_mycompany_com_au hdr_end(host) -i secure.mycompany.com.au
    use_backend https_secure_mycompany_com_au if is_secure_mycompany_com_au

    acl is_mail_mycompany_com_au hdr_end(host) -i mail.mycompany.com.au
    use_backend https_mail_mycompany_com_au if is_mail_mycompany_com_au

    default_backend nomatch

##################################################################################
backend https_secure_mycompany_com_au
    mode http
    option tcp-check
    server web-01 192.168.14.50:443 check ssl verify none

backend https_mail_mycompany_com_au
    mode http
    option tcp-check
    server web-02 192.168.14.51:443 check ssl verify none

backend nomatch
    mode http
    errorfile 503 /etc/haproxy/errors/503.http
##################################################################################
By the way, on the backend I just redirect all www.secure.mycompany.com.au to
secure.mycompany.com.au (it was an old marketing mistake), but I still need it
there for now for history.
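One way to reason about which certificate a `crt` directory will hand out for a given SNI name, as an added example that is not part of the original message and not HAProxy's own code: the script below models the lookup order as I understand it from the 1.5 `crt` documentation (every CN and DNS subject-alt-name of each file is indexed; an exact name wins over a wildcard; a wildcard covers exactly one label, so *.mycompany.com.au matches mail.mycompany.com.au but not www.secure.mycompany.com.au; the first file loaded is presented when nothing matches). The hostnames are the ones from the question; the file names, the alphabetical load order and the SAN lists in the two constructed inventories are assumptions, and the "with SAN" inventory is only a hypothesis for the observed behaviour, not a statement about the poster's certificates.

```python
"""Model of HAProxy-style SNI certificate selection (added example).

Every DNS name a certificate carries (CN and each subjectAltName) is indexed;
an exact match wins, otherwise a wildcard entry is tried, and a wildcard
covers exactly one label. With no match at all, the first certificate loaded
is presented. File names, load order and SAN lists below are constructed.
"""
from typing import Dict, List, Optional, Tuple


class SniStore:
    """Index of claimed name -> certificate file, mirroring a crt directory."""

    def __init__(self, certs: Dict[str, List[str]]) -> None:
        self.index: Dict[str, str] = {}
        self.default: Optional[str] = None
        # Assumption: files load in alphabetical order; the first one loaded
        # is the default certificate when the SNI name matches nothing.
        for cert_file in sorted(certs):
            if self.default is None:
                self.default = cert_file
            for name in certs[cert_file]:
                key = name.lower()
                if key.startswith("*."):
                    key = key[1:]  # "*.a.b" is stored under ".a.b"
                # The first file to claim a name keeps it; later duplicates lose.
                self.index.setdefault(key, cert_file)

    def lookup(self, servername: str) -> Tuple[Optional[str], str]:
        """Return (certificate file, how it was chosen: exact/wildcard/default)."""
        name = servername.lower().rstrip(".")
        if name in self.index:
            return self.index[name], "exact"
        dot = name.find(".")
        # Wildcard lookup: drop only the first label and look for ".rest".
        # "www.secure.mycompany.com.au" becomes ".secure.mycompany.com.au",
        # which "*.mycompany.com.au" does not cover.
        if dot != -1 and name[dot:] in self.index:
            return self.index[name[dot:]], "wildcard"
        return self.default, "default"


# Constructed inventory 1 (hypothesis): the www.secure certificate also lists
# the bare secure name as a SAN. Exact entries beat the wildcard, so
# secure.mycompany.com.au gets that file, and a browser would accept it.
CERTS_WITH_SAN: Dict[str, List[str]] = {
    "wildcard.pem": ["*.mycompany.com.au", "mycompany.com.au"],
    "www-secure.pem": ["www.secure.mycompany.com.au", "secure.mycompany.com.au"],
}

# Constructed inventory 2: the www.secure certificate carries only its own
# name, so secure.mycompany.com.au falls through to the wildcard.
CERTS_WITHOUT_SAN: Dict[str, List[str]] = {
    "wildcard.pem": ["*.mycompany.com.au", "mycompany.com.au"],
    "www-secure.pem": ["www.secure.mycompany.com.au"],
}


def explain(certs: Dict[str, List[str]],
            names: List[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Run each SNI name through the store and collect the decisions."""
    store = SniStore(certs)
    return {n: store.lookup(n) for n in names}


if __name__ == "__main__":
    probes = [
        "secure.mycompany.com.au",
        "www.secure.mycompany.com.au",
        "mail.mycompany.com.au",
        "deep.mail.mycompany.com.au",  # two labels under the wildcard: no match
    ]
    for label, certs in (("with SAN", CERTS_WITH_SAN),
                         ("without SAN", CERTS_WITHOUT_SAN)):
        print(f"--- {label} ---")
        for name, (cert, how) in explain(certs, probes).items():
            print(f"{name:32} -> {cert} ({how})")
```

To compare the model against what a live listener actually presents, query it once per name with `openssl s_client -connect host:443 -servername secure.mycompany.com.au` (then `www.secure...`, `mail...`) and read the subject and subjectAltName of the certificate returned; if the bare secure name comes back with the www.secure file, look at that file's SAN list first, since an exact SAN entry is chosen before any wildcard.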