Seems you are talking about SNI routing, i.e. L7 routing based on the server
name extension sent in the SSL Client Hello.

Will the following work for you?
https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Thu, 3 Sep 2020 at 00:42, Tom Browder <tom.brow...@gmail.com>:

> I'm trying to cobble together the following https data flow:
>
> <== public internet ==>
>
> A. a single IPv4 Apache server with multiple virtual hosts
>      identified by SNI
>
> 1. for each virtual host with its unique domain:
>
> a.  use Apache's managed domain capability to get
>      and keep current a Letsencrypt TLS cert
> b.  have a reverse proxy to a backend TLS server (with
>      passthrough TLS) identified by a unique port number
>      on the local host
>
> <== reverse proxy ==>
>
> 2. for each unique backend server
>
> a.  respond to public domain https requests
> b.  serve both static and dynamic content back
>     to the public client
>
> Notes:
>
> 1. Each virtual host is defined in a single Apache macro.
> 2. I have Apache running apparently successfully up to the
>     ProxyPass and ProxyReverse point but cannot get a
>     valid connection.
> 3. I can get the scenario to work in a non-TLS environment.
> 4. The solutions I've seen with Nginx and Caddy require
>      wildcard certs or unique IPs, neither of which will
>      work for me in my current understanding of Apache.
>
> Questions:
>
> 1. Is this TLS scenario theoretically possible?
> 2. If so, can HAProxy help make it happen?
> 3. What are my options for the backend server?
>      I have seen very little discussion of that
>      except in vague terms of a "dynamic
>      server" (for which I plan to use a Raku
>      language server called Cro).
>
> Thanks for any help.
>
> Best regards,
>
> -Tom
>
>
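The SNI routing suggested in the reply, written out as an added HAProxy configuration example (not from the thread or the linked article): HAProxy listens on 443 in TCP mode, reads the server name from the unencrypted ClientHello without terminating TLS, and passes the connection through to a backend on a unique local port, matching the layout the question describes. Hostnames and ports are placeholders.

```haproxy
# Added example. site-a/site-b hostnames and the 8443/8444 ports are placeholders.
frontend https_sni_in
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection up to 5s until the first TLS record arrives;
    # without an inspect delay the SNI is not yet readable when rules run.
    tcp-request inspect-delay 5s
    # Continue only once a TLS ClientHello (handshake type 1) is buffered.
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route by SNI, case-insensitive exact match, one backend per virtual host.
    use_backend bk_site_a if { req_ssl_sni -i site-a.example.com }
    use_backend bk_site_b if { req_ssl_sni -i site-b.example.com }
    # No SNI, an IP literal, or an unknown name is refused explicitly
    # instead of being handed to an arbitrary default virtual host.
    default_backend bk_reject

backend bk_site_a
    mode tcp
    server site_a 127.0.0.1:8443 check

backend bk_site_b
    mode tcp
    server site_b 127.0.0.1:8444 check

backend bk_reject
    mode tcp
    tcp-request content reject
```

Because the TLS session is passed through untouched, HAProxy never sees plaintext and cannot present a certificate itself: the Let's Encrypt certificate for each domain has to be installed on the backend that terminates TLS on that port.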
