Hi Peter,

On 20/03/2015 00:32, Peter Butler wrote:
  I logged this on stackoverflow
(http://stackoverflow.com/questions/29133477/haproxy-with-multiple-certificates-one-of-which-being-wild-card-and-the-other),
but HAProxy usage there is pretty low.

This is my first mailing list email in years, please let me know if I
have broken any rules.


I have HAProxy working pretty well, I have port 80 and 443 open, TCP
over 443 over an internal proxy. HTTPS end to end. I am serving
certificates: *.mycompany.com.au www.secure.mycompany.com.au
SNI does not seem to be working, as when I go to
secure.mycompany.com.au, I keep getting the www.secure.mycompany.com.au
certificate (and weirdly *most* browsers do not throw an error). But when
I go to mail.mycompany.com.au I get the *.mycompany.com.au certificate
correctly.

Indeed, keep in mind that a wildcard certificate works only for subdomains, not sub-subdomains.

So www.secure.mycompany.com.au won't match the "*.mycompany.com.au" wildcard certificate. As no certificate matches the hostname, the first one loaded is applied. I guess that in your SSL directory, the certificate file for "secure.mycompany.com.au" is listed first.

You can read the RFC 2818, chapter "3.1. Server Identity" for more details:
http://tools.ietf.org/html/rfc2818#section-3.1


If I remove the www.secure.mycompany.com.au cert from the SSL directory,
and I browse to secure.mycompany.com.au I get the correct certificate,
but of course when I go to www.secure.mycompany.com.au, I get an error on
the browser, as it tries to give me the *.mycompany.com.au certificate.

It tends to confirm this: the wildcard still doesn't match, and the first certificate is applied (which in this case is by chance the wildcard). If you insert a fake certificate before the wildcard, I'm sure it will be this one that will match.

Can anyone see what I am doing wrong please.

By the way, I also have a *.abc.def.mycompany.com.au and *.def.mycompany.com.au in this same config (removed from below, but in the same syntax), and they are working perfectly.

haproxy -version
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau <[email protected]>

##################################################################################
global
    daemon
    user haproxy
    group haproxy
    log /dev/log local0 info
    log /dev/log local0 notice
    ulimit-n 20000
    pidfile /var/run/haproxy.pid
    tune.ssl.default-dh-param 2048

##################################################################################

## Port 80 is open only to forward all requests to port 443.
frontend unsecure
    bind 123.123.123.155:80 #Prod
    bind 192.168.14.155:80 #Prod
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

##################################################################################

## Listen on 443 and forward to the internal proxy on 88. Needed for SSL end to end.
listen ssl-proxy
    mode tcp

    # Get certificates from the SSL directory. The SNI name is matched against
    # the names in each certificate; when none matches, the first certificate
    # loaded is served.
    bind 123.123.123.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
    bind 192.168.14.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3

    server http 127.0.0.1:88 send-proxy

##################################################################################

frontend internal_proxy
    mode http
    bind 127.0.0.1:88 accept-proxy name accept-sslproxy
    bind-process 1

    ## Only accept mycompany host headers. http-request rules are only
    ## evaluated in mode http, so the check belongs here and not in the
    ## mode tcp ssl-proxy listener, where HAProxy warns and ignores it.
    ## Note: hdr_end is a suffix match, so it also accepts hosts such as
    ## evilmycompany.com.au; match on ".mycompany.com.au" (with the leading
    ## dot) or use exact hdr(host) checks for a strict allowlist.
    http-request deny if !{ hdr_end(Host) -i mycompany.com.au } !{ hdr_end(Host) -i www.secure.mycompany.com.au }

    acl is_secure_mycompany_com_au hdr_end(host) -i www.secure.mycompany.com.au
    acl is_secure_mycompany_com_au hdr_end(host) -i secure.mycompany.com.au
    use_backend https_secure_mycompany_com_au if is_secure_mycompany_com_au

    acl is_mail_mycompany_com_au hdr_end(host) -i mail.mycompany.com.au
    use_backend https_mail_mycompany_com_au if is_mail_mycompany_com_au

    default_backend nomatch

##################################################################################

backend https_secure_mycompany_com_au
    mode http
    option tcp-check
    server web-01 192.168.14.50:443 check ssl verify none

backend https_mail_mycompany_com_au
    mode http
    option tcp-check
    server web-02 192.168.14.51:443 check ssl verify none

backend nomatch
    mode http
    errorfile 503 /etc/haproxy/errors/503.http

##################################################################################

By the way, on the backend I just redirect all
www.secure.mycompany.com.au to secure.mycompany.com.au (it was an old
marketing mistake). But I still need it there for now for history.


--
Cyril Bonté
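To make the wildcard rule and the "first certificate loaded wins" fallback from the exchange above concrete, here is an added example that is not code from the thread or from HAProxy. It implements the RFC 2818 section 3.1 / RFC 6125 section 6.4.3 hostname matching a browser performs and a small model of how HAProxy picks a certificate from a `crt` directory for a given SNI name. The hostnames are the ones from the thread; the certificate file names, the names stored in each "certificate" and the load order are constructed assumptions (a real `crt` directory's load order depends on the HAProxy version).

```python
"""Hostname matching for TLS certificates (RFC 2818 section 3.1, refined by
RFC 6125 section 6.4.3) and a small model of HAProxy's certificate selection
from a `crt` directory. Added example, not code from HAProxy or from the
thread; the certificate "files" below are constructed stand-ins holding only
the names a real certificate would carry in its CN/SAN fields."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`.

    A wildcard is accepted only as the entire left-most label and it matches
    exactly one label, so '*.mycompany.com.au' covers 'mail.mycompany.com.au'
    but neither 'www.secure.mycompany.com.au' nor 'mycompany.com.au' itself.
    Partial-label wildcards ('f*.example.com') are allowed by RFC 6125 but
    rejected by mainstream clients, so they are rejected here too.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse '*' and '*.tld'; public-suffix rules such as '*.com.au' are a
    # client policy decision outside the RFC-level check modelled here.
    if len(p_labels) < 3:
        return False
    # One label per '*': label counts must be equal and every label after the
    # wildcard must match exactly, so a sub-subdomain never matches.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def client_accepts(cert_names, hostname) -> bool:
    """A browser accepts the certificate if any CN/SAN name covers the host."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def select_certificate(loaded_certs, sni_hostname):
    """Model of HAProxy's SNI lookup over certificates in load order.

    `loaded_certs` is a list of (filename, [names]) in the (assumed) order
    HAProxy loaded them. An exact name match wins, then a wildcard match; if
    nothing matches, or the client sent no SNI, the first certificate loaded is
    served, which is the fallback described in the reply above.
    """
    if sni_hostname:
        host = sni_hostname.lower()
        for filename, names in loaded_certs:
            if any(n.lower() == host for n in names if "*" not in n):
                return filename
        for filename, names in loaded_certs:
            if any(wildcard_matches(n, host) for n in names if n.startswith("*")):
                return filename
    return loaded_certs[0][0]


def served_and_accepted(loaded_certs, hostname):
    """(file HAProxy would serve, whether a client visiting `hostname` accepts it)."""
    filename = select_certificate(loaded_certs, hostname)
    names = dict(loaded_certs)[filename]
    return filename, client_accepts(names, hostname)


# Constructed stand-ins for the files in /etc/haproxy/ssl, in an assumed load order.
CERT_DIR_WITH_WWW = [
    ("www.secure.mycompany.com.au.pem", ["www.secure.mycompany.com.au"]),
    ("wildcard.mycompany.com.au.pem", ["*.mycompany.com.au"]),
    ("wildcard.def.mycompany.com.au.pem", ["*.def.mycompany.com.au"]),
]
# The same directory after the www.secure certificate is removed, as in the thread.
CERT_DIR_WITHOUT_WWW = CERT_DIR_WITH_WWW[1:]


if __name__ == "__main__":
    for certs, label in ((CERT_DIR_WITH_WWW, "with www.secure cert"),
                         (CERT_DIR_WITHOUT_WWW, "without www.secure cert")):
        print(label)
        for host in ("mail.mycompany.com.au", "secure.mycompany.com.au",
                     "www.secure.mycompany.com.au", "x.def.mycompany.com.au"):
            served, ok = served_and_accepted(certs, host)
            print("  %-28s -> %-36s accepted=%s" % (host, served, ok))
```

Without the www.secure certificate, a visit to www.secure.mycompany.com.au gets the first certificate loaded (the wildcard here) and the client rejects it, which is the behaviour reported above; reversing the load order changes which certificate that default is. Against a live server, `openssl s_client -connect 123.123.123.155:443 -servername www.secure.mycompany.com.au` shows which certificate HAProxy actually serves for a given SNI name.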
