I have 2 TLS cert bundles that I'd like to serve off haproxy, using a single IP. Both certs have multiple SANs in them.
- our main production site: api, beta, www.example.com, using an EV cert
- a Let's Encrypt cert bundle for old DNS names that we only need to redirect (https) back to the main site

I've followed https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/ and updated it a bit. Does this look sensible? Is there a simpler way to do this?

```
frontend example_sniffer
    bind 1.2.3.4:443
    bind [1:2:3::4]:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl redirect req.ssl_sni -i www.example.com.au blog.example.com
    use_backend example_tls_forwarder if redirect
    default_backend example_http_https_be

backend example_http_https_be
    mode tcp
    server example_fe [::1]:10443

backend example_tls_forwarder
    mode tcp
    server example_fe [::1]:10444

frontend example_http_https
    bind [::1]:80
    bind [::1]:10443 ssl crt /usr/local/etc/ssl/keys/example.com.pem
    bind [::1]:10444 ssl crt /usr/local/etc/ssl/keys/letsencrypt.example.com.pem

    # redirect letsencrypt requests
    acl url_acme path_beg /.well-known/acme-challenge/
    use_backend acme_backend if url_acme

    # redirect traffic to beta or prod jail as required
    acl iwmn_prod hdr(host) example.com api.example.com
    acl iwmn_beta hdr(host) beta.example.com

    # redirect main site urls
    acl valid_host hdr(host) example.com api.example.com beta.example.com
    http-request redirect code 301 location https://example.com%[capture.req.uri] unless valid_host
    use_backend prod_backend if iwmn_prod
    default_backend imsorry_backend

# ... backends
```

Thanks, Dave
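As an added example, not part of the original post, here is the single-frontend form the question asks about: each `bind` line points `crt` at a directory, HAProxy loads every bundle in it and selects the certificate from the client's SNI, so the TCP-mode sniffer and the loopback hop are not needed. The directory path and the `beta_backend` name are assumptions.

```haproxy
# Added example, not the poster's config. Assumes both bundles live in
# /etc/haproxy/certs/ (the first one loaded, alphabetically, is the default
# served to clients that send no SNI) and that a beta_backend exists.
frontend https_in
    mode http
    bind 1.2.3.4:80
    bind [1:2:3::4]:80
    bind 1.2.3.4:443 ssl crt /etc/haproxy/certs/
    bind [1:2:3::4]:443 ssl crt /etc/haproxy/certs/

    # ACME challenges must stay reachable over plain HTTP, so exempt them
    # from the scheme redirect; http-request rules always run before use_backend.
    acl url_acme path_beg /.well-known/acme-challenge/
    http-request redirect scheme https code 301 if !{ ssl_fc } !url_acme
    use_backend acme_backend if url_acme

    # Old names (served by the Let's Encrypt bundle) and anything else not in
    # valid_host go back to the canonical site; example.com is in valid_host,
    # so the redirect cannot loop.
    acl valid_host hdr(host) -i example.com api.example.com beta.example.com
    http-request redirect code 301 location https://example.com%[capture.req.uri] unless valid_host

    acl host_prod hdr(host) -i example.com api.example.com
    acl host_beta hdr(host) -i beta.example.com
    use_backend prod_backend if host_prod
    use_backend beta_backend if host_beta
    default_backend imsorry_backend
```

Host matching is case-insensitive (`-i`) because clients may send mixed-case Host headers; without it a request for `EXAMPLE.COM` would miss `valid_host` and be redirected.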

