Hi Lukas,
probably you're saying something like this:
frontend fe_1
    bind *:443
    mode tcp
    # req_ssl_sni only works once the TLS ClientHello has been buffered,
    # so wait for it before evaluating the ACLs
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    ...
    acl sub_is_1 req_ssl_sni -i www.dom1.com
    acl sub_is_2 req_ssl_sni -i www.dom2.com
    use_backend be_1 if sub_is_1
    use_backend be_2 if sub_is_2

backend be_1
    mode tcp
    server bridge_be1 127.0.0.1:18188

backend be_2
    mode tcp
    server bridge_be2 127.0.0.1:19199

frontend local_fe_1
    bind *:18188 ssl crt /etc/cert.pem
    mode http

frontend local_fe2
    bind *:19199 ssl crt /etc/cert.pem ca-file /etc/ca.pem verify optional
    mode http
But:
1. I don't know if this solution can have a negative impact on
performance or other complex configuration.
2. Emmanuel Hocdet <[email protected]> added a patch in version 1.8dev0 to
manage such a case... I'll test Emmanuel's solution.
see:
http://www.haproxy.org/download/1.8/src/snapshot/CHANGELOG-1.8-dev0-20170114
-> MAJOR: ssl: bind configuration per certificat
-----Original Message-----
From: Lukas Tribus [mailto:[email protected]]
Sent: sabato 25 febbraio 2017 00.07
To: mlist <[email protected]>; '[email protected]' <[email protected]>
Cc: Roberto Cazzato <[email protected]>
Subject: Re: Client Certificates need dedicated IP:443 bind
Hello,
On 24.02.2017 at 09:04, mlist wrote:
>
> Hi,
>
> We configured haproxy for client certificates:
>
> bind <IP>:443 ssl crt <path> ca-file <path> verify optional
>
> Configuring in this way (at bind stage), however, haproxy always asks for
> a client certificate if present in the certificate store - for all domains,
> for all backends.
>
> Is there a solution so haproxy asks for/manages client certificates only
> for a specific domain or other request match?
>
> So, is it possible to share a bind on <IP>:443 for mixed backends, some
> accepting/requesting client certificates and others not using client
> certificates?
>
It is possible, with a not-so-nice but workable workaround:
Put your frontend in tcp mode and content-switch based on SNI to a different,
SSL-terminating second-layer frontend.
That way, with a single public IP you can cover all cases.
Lukas
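A fuller version of the two-layer layout Lukas describes, written as an added example rather than taken from either message: layer 1 never decrypts anything and only routes on SNI, layer 2 terminates TLS and only the second listener ever requests a client certificate. The loopback ports, certificate paths, domain names and application addresses are assumptions; the proxy protocol (send-proxy/accept-proxy) is added so the second layer still sees the real client address instead of 127.0.0.1.

```haproxy
# Layer 1: plain TCP. Peeks at the TLS ClientHello and routes on SNI only.
frontend fe_public
    bind *:443
    mode tcp
    # buffer the ClientHello before req_ssl_sni is evaluated
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend be_to_mtls if { req_ssl_sni -i www.dom2.com }   # assumed name
    default_backend be_to_plain

backend be_to_plain
    mode tcp
    # send-proxy forwards the original client address to layer 2
    server loop_plain 127.0.0.1:18188 send-proxy

backend be_to_mtls
    mode tcp
    server loop_mtls 127.0.0.1:19199 send-proxy

# Layer 2a: TLS termination, no client certificate is ever requested.
# Bound to loopback only so it cannot be reached from outside.
frontend fe_plain
    bind 127.0.0.1:18188 ssl crt /etc/haproxy/cert.pem accept-proxy
    mode http
    default_backend app_plain

# Layer 2b: TLS termination that requests and verifies a client certificate.
frontend fe_mtls
    bind 127.0.0.1:19199 ssl crt /etc/haproxy/cert.pem ca-file /etc/haproxy/ca.pem verify required accept-proxy
    mode http
    # hand the verification result and subject to the application
    # (ssl_c_verify is 0 when the chain validated against ca-file)
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    default_backend app_mtls

backend app_plain
    mode http
    server app1 10.0.0.10:8080   # assumed address

backend app_mtls
    mode http
    server app2 10.0.0.20:8080   # assumed address
```

With `verify required` on the second listener, a handshake without a valid client certificate fails before any HTTP request reaches app_mtls; change it to `verify optional` and check `ssl_c_used` in an http-request rule if some paths on that domain must stay open.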