Hi,

I have a task: I have to add HTTPS support using the SNI extension for
websites on my virtual hosting.

My simplest working configuration looks like this:

======================================
frontend http-in
    bind            111.111.111.111:80
    errorfile       408 /dev/null
    option          http-keep-alive
    option          http-server-close
    default_backend apache_aux4_workers

frontend https-in
    bind            111.111.111.111:443 ssl no-sslv3 crt /var/lib/haproxy/certs/example1.com.pem crt /var/lib/haproxy/certs/example2.com.pem

    errorfile       408 /dev/null

    acl allowed_sni_host hdr(host) -i example1.com
    acl allowed_sni_host hdr(host) -i example2.com

    use_backend     apache_aux4_workers if allowed_sni_host

backend apache_aux4_workers
    option          httpchk GET /uptime.html?ha
    server          worker1 111.111.111.111:8031 weight 150 check inter 800 fall 2 rise 2 maxconn 8000
    server          worker2 111.111.111.111:8032 weight 100 check inter 2000 fall 3 rise 2 maxconn 8000
======================================

But this configuration has a serious flaw: even websites without an
installed certificate also appear to be available over HTTPS. Yes, the
browser will warn that the certificate is invalid because it doesn't
match the host and Common Name, but obviously such a warning can easily
be ignored.

As a result, I would like the following: HTTPS access enabled only for
sites with an issued certificate, and unavailable for all other sites.
Preferably I would also like to disable the approval procedure (the SSL
handshake) for those "uncertificated" hosts, i.e. the following request:

$ openssl s_client -servername example3.com -connect 111.111.111.111:443
...
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by OnlineNic
Inc/OU=PositiveSSL/CN=example1.com
                   ^^^^^^^^^^^^^^^^
...

should immediately lead to an access-denied error; in other words, the
client wouldn't become aware that the server has a certificate issued
for the domain example1.com.

Is it possible to do what I've tried to explain with haproxy?

Thanks in advance.
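An added example configuration (not from the original post, and not an answer the thread confirms): HAProxy's `strict-sni` bind option aborts the TLS handshake when the client's SNI matches none of the loaded certificates, so the default certificate is never presented, and the `ssl_fc_sni` fetch lets the ACLs check the negotiated SNI instead of the later HTTP Host header. Addresses, paths and names are the ones from the post.

```haproxy
frontend https-in
    # strict-sni: complete the handshake only when the client's SNI matches
    # one of the loaded certificates; any other name (or no SNI at all) gets
    # the handshake aborted, so no certificate is ever sent for example3.com.
    # Caveat: clients that send no SNI cannot connect at all with this set.
    bind            111.111.111.111:443 ssl no-sslv3 strict-sni crt /var/lib/haproxy/certs/example1.com.pem crt /var/lib/haproxy/certs/example2.com.pem

    errorfile       408 /dev/null

    # Match on the name negotiated at the TLS layer, not only on the HTTP
    # Host header, which the client chooses freely after the handshake.
    acl allowed_sni_host ssl_fc_sni -i example1.com
    acl allowed_sni_host ssl_fc_sni -i example2.com

    # Keep the Host-header check too, so a request whose Host header does
    # not belong to the negotiated site is refused instead of proxied.
    acl allowed_http_host hdr(host) -i example1.com
    acl allowed_http_host hdr(host) -i example2.com

    # Explicit deny instead of silently falling through with no backend.
    http-request deny unless allowed_sni_host allowed_http_host

    use_backend     apache_aux4_workers if allowed_sni_host allowed_http_host
```

Check the result with the same `openssl s_client -servername example3.com` call from the post: with `strict-sni` the handshake fails and no certificate chain is printed.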
