Hi all,
I propose to discuss an option to declare ssl options per certificate/SNI
(instead of a global one on the bind directive).
Use cases will be to set alpn/verify/<other valid ssl option> per SNI.
The first idea would be to use a crt-list like directive to express this.
I call it crt-bind for the moment.
In crt-list, the argument is an optional SNI filter.
In crt-bind, the arguments are ssl options, and the SNI filter comes after an 'if' keyword to
mimic the haproxy configuration.
haproxy.cfg:
bind :443 ssl strict-sni crt-bind /etc/haproxy/crtbind.cfg
crtbind.cfg:
mycert.pem alpn h2,http/1.1 if h2.mydom.net
mycert.pem verify ca-file ca-admin.pem if admin.mydom.net
mycert.pem # legacy ssl for all other SNIs found in CN/SAN of mycert.pem
othercert.pem alpn http/1.1
…
This will greatly simplify the SSL configuration in a non-homogeneous
environment (for my use case, it would).
What do you think?
Also: what are the useful (and eligible) SSL options for this configuration per
certificate/SNI?
Manu
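To make the proposed format concrete, here is an added example (not part of the post above and not HAProxy code) that parses a crtbind.cfg in the syntax sketched above and picks the entry, and therefore the ssl options, that a given SNI would get. The line format, the set of valued vs. flag options, and the CN/SAN names in CERT_NAMES are all assumptions made for the example; in particular "verify" is treated as a bare flag only because the sample line writes "verify ca-file ...", whereas HAProxy's real bind keyword takes an argument.

```python
"""Parse the proposed crt-bind file format and pick the SSL options for an SNI.

Added example for the proposal above; it is not part of the original post and
not HAProxy code.  Assumed line format (derived from the sample):

    <cert.pem> [<ssl option> [<value>]]... [if <sni>]    # comment

A line without "if" applies to every name found in the certificate's CN/SAN.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed option sets for this example.  "verify" is a flag here because the
# proposal's sample line writes "verify ca-file ca-admin.pem"; HAProxy's real
# bind keyword takes an argument (none/optional/required).
VALUED_OPTIONS = {"alpn", "npn", "ca-file", "crl-file", "ciphers"}
FLAG_OPTIONS = {"verify", "no-sslv3", "no-tlsv10", "no-tlsv11", "prefer-client-ciphers"}

# Constructed stand-in for the names in each certificate's CN/SAN.  A real
# implementation would read them from the PEM files with a TLS library.
CERT_NAMES = {
    "mycert.pem": {"mydom.net", "*.mydom.net"},
    "othercert.pem": {"other.example", "*.other.example"},
}

# Constructed crtbind.cfg mirroring the proposal's sample.
SAMPLE_CRTBIND = """\
mycert.pem alpn h2,http/1.1 if h2.mydom.net
mycert.pem verify ca-file ca-admin.pem if admin.mydom.net
mycert.pem # legacy ssl for all other SNIs found in CN/SAN of mycert.pem
othercert.pem alpn http/1.1
"""


@dataclass
class CrtBindEntry:
    cert: str
    options: dict = field(default_factory=dict)   # option -> value ("" for flags)
    sni: Optional[str] = None                     # None: any name the cert covers


def parse_crtbind(text: str) -> list:
    """Parse crt-bind lines; unknown keywords are rejected, not silently ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # strip comments
        if not tokens:
            continue
        entry = CrtBindEntry(cert=tokens[0])
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "if":
                if i + 1 != len(tokens) - 1:
                    raise ValueError(f"line {lineno}: 'if' must be followed by exactly one SNI")
                entry.sni = tokens[i + 1].lower()
                break
            if tok in VALUED_OPTIONS:
                if i + 1 >= len(tokens) or tokens[i + 1] == "if":
                    raise ValueError(f"line {lineno}: option {tok!r} needs a value")
                entry.options[tok] = tokens[i + 1]
                i += 2
            elif tok in FLAG_OPTIONS:
                entry.options[tok] = ""
                i += 1
            else:
                raise ValueError(f"line {lineno}: unknown ssl option {tok!r}")
        entries.append(entry)
    return entries


def name_matches(pattern: str, host: str) -> bool:
    """CN/SAN match: exact, or a single-label wildcard such as *.mydom.net."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                        # ".mydom.net"
        return (len(host) > len(suffix) and host.endswith(suffix)
                and "." not in host[:-len(suffix)])
    return pattern == host


def resolve(entries, sni: str) -> Optional[CrtBindEntry]:
    """Pick the entry for an SNI.  Explicit 'if' filters are checked before
    catch-all lines, so file order cannot let a catch-all shadow a specific rule."""
    sni = sni.lower()
    for e in entries:
        if e.sni == sni:
            return e
    for e in entries:
        if e.sni is None and any(name_matches(n, sni) for n in CERT_NAMES.get(e.cert, ())):
            return e
    return None  # no certificate covers this name; with strict-sni the handshake is refused


if __name__ == "__main__":
    cfg = parse_crtbind(SAMPLE_CRTBIND)
    for host in ("h2.mydom.net", "admin.mydom.net", "www.mydom.net",
                 "www.other.example", "nope.tld"):
        print(host, "->", resolve(cfg, host))
```

Two points the example makes that the sample config leaves implicit: a catch-all line (no "if") should only ever be a fallback for names the certificate actually carries, and a name that no line and no certificate covers must resolve to nothing rather than to the first certificate in the file, otherwise strict-sni loses its meaning.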