Hello Dave,

On 2 March 2018 at 01:09, Dave Cottlehuber <d...@skunkwerks.at> wrote:
> I have 2 TLS cert bundles that I'd like to serve off haproxy, using a single
> IP. Both certs have multiple SANs in them.
>
> - our main production site: api,beta,www.example.com using EV cert
> - a lets-encrypt cert bundle for old DNS names that we only need to redirect
>   https: back to the main site
>
> I've followed
> https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
> and updated it a bit. Does this look sensible? Is there a simpler way to do
> this?

Yes. You don't need TCP mode and manual SNI matching at all. Haproxy will do all
those things for you automatically.

The article is specifically about content switching TCP payload based on SNI,
but that's not your use case (not if you want a simple and built-in solution).

The point is: you can specify multiple certificates or even directories with
the "crt" keyword.

frontend all
    bind :80
    # several bundles on one bind line: haproxy presents the one whose CN/SAN
    # matches the client's SNI; the first "crt" is the default served when the
    # SNI matches nothing (or no SNI is sent)
    bind [::1]:443 ssl crt /usr/local/etc/ssl/keys/example.com.pem crt /usr/local/etc/ssl/keys/letsencrypt.example.com.pem

    # redirect letsencrypt requests
    acl url_acme path_beg /.well-known/acme-challenge/
    use_backend acme_backend if url_acme

    # redirect traffic to beta or prod jail as required
    acl iwmn_prod hdr(host) example.com api.example.com
    acl iwmn_beta hdr(host) beta.example.com

    # redirect main site urls
    acl valid_host hdr(host) example.com api.example.com beta.example.com
    # http-request rules are evaluated before any use_backend rule,
    # regardless of where they appear in the frontend
    http-request redirect code 301 location https://example.com%[capture.req.uri] unless valid_host

    use_backend prod_backend if iwmn_prod
    default_backend imsorry_backend

    # ... backends

cheers,
lukas
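An added offline check that is not part of Lukas's reply or of haproxy itself: it reads the `crt` paths and `hdr(host)` ACLs out of a frontend like the one above, takes the subjectAltName text that `openssl x509 -noout -ext subjectAltName` prints for each bundle, and reproduces haproxy's SNI-to-certificate choice (exact name first, then a one-label wildcard, then the first `crt` as default). The SAN dumps below are constructed stand-ins; `old.example.net` and `*.legacy.example.net` are made-up names for Dave's "old DNS names", which the thread never lists. The report answers the question a practitioner cares about before flipping DNS: does every hostname the ACLs route end up on a certificate that actually names it, and which certificate names fall through to the 301.

```python
"""Predict which haproxy cert bundle each hostname gets, from the config text
and per-bundle subjectAltName dumps. Example code, not from the haproxy thread."""
import re
from typing import Dict, List, Tuple

# --- constructed inputs -----------------------------------------------------

# The frontend from the reply, reduced to the lines this check reads.
FRONTEND_CFG = """
frontend all
    bind :80
    bind [::1]:443 ssl crt /usr/local/etc/ssl/keys/example.com.pem crt /usr/local/etc/ssl/keys/letsencrypt.example.com.pem
    acl iwmn_prod hdr(host) example.com api.example.com
    acl iwmn_beta hdr(host) beta.example.com
    acl valid_host hdr(host) example.com api.example.com beta.example.com
"""

# Stand-in for `openssl x509 -in <bundle> -noout -ext subjectAltName` output.
# The names in the second bundle are invented for this example.
SAN_DUMPS = {
    "/usr/local/etc/ssl/keys/example.com.pem": (
        "X509v3 Subject Alternative Name: \n"
        "    DNS:example.com, DNS:api.example.com, DNS:beta.example.com, DNS:www.example.com\n"
    ),
    "/usr/local/etc/ssl/keys/letsencrypt.example.com.pem": (
        "X509v3 Subject Alternative Name: \n"
        "    DNS:old.example.net, DNS:*.legacy.example.net\n"
    ),
}


def parse_san(dump: str) -> List[str]:
    """Extract the DNS SANs from openssl's subjectAltName text, lowercased."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", dump)]


def bind_certs(cfg: str) -> List[str]:
    """Return the `crt` paths of the ssl bind lines, in file order.
    haproxy serves the FIRST one when the SNI matches nothing or is absent."""
    paths: List[str] = []
    for line in cfg.splitlines():
        if line.split()[:1] == ["bind"] and " ssl " in line:
            paths += re.findall(r"\bcrt\s+(\S+)", line)
    return paths


def acl_hosts(cfg: str) -> Dict[str, str]:
    """Map every hostname used in an `acl NAME hdr(host) ...` rule to the ACL name."""
    hosts: Dict[str, str] = {}
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "hdr(host)":
            for tok in parts[3:]:
                if not tok.startswith("-"):   # skip flags such as -i
                    hosts.setdefault(tok.lower(), parts[1])
    return hosts


def select_cert(sni: str, certs: List[Tuple[str, List[str]]]) -> Tuple[str, str]:
    """Pick the bundle haproxy would present for `sni`.
    Order mirrors haproxy: exact name, then a wildcard covering exactly one
    label (*.b.c matches a.b.c but not x.a.b.c or b.c), then the default."""
    name = sni.lower()
    for path, names in certs:
        if name in names:
            return path, "exact"
    labels = name.split(".")
    if len(labels) > 1:
        wildcard = "*." + ".".join(labels[1:])
        for path, names in certs:
            if wildcard in names:
                return path, "wildcard"
    return certs[0][0], "default"


def coverage(cfg: str, san_dumps: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """For every ACL hostname: which bundle it gets and why. A 'default' entry
    means clients will see a certificate that does not name that host."""
    certs = [(p, parse_san(san_dumps[p])) for p in bind_certs(cfg)]
    return {h: select_cert(h, certs) for h in acl_hosts(cfg)}


def unrouted_names(cfg: str, san_dumps: Dict[str, str]) -> List[str]:
    """Certificate names no hdr(host) ACL routes; with the `unless valid_host`
    rule above these requests get the 301 to https://example.com."""
    routed = set(acl_hosts(cfg))
    names: List[str] = []
    for p in bind_certs(cfg):
        names += [n for n in parse_san(san_dumps[p]) if n not in routed]
    return names


if __name__ == "__main__":
    for host, (path, how) in sorted(coverage(FRONTEND_CFG, SAN_DUMPS).items()):
        flag = "" if how != "default" else "  <-- NOT COVERED: cert will not name this host"
        print(f"{host:24} {how:8} {path}{flag}")
    print("names not routed by any ACL (hit the 301):",
          unrouted_names(FRONTEND_CFG, SAN_DUMPS))
```

Feed it real data by pasting the output of `openssl x509 -in <bundle> -noout -ext subjectAltName` for each bundle into `SAN_DUMPS`, and confirm the prediction against the running haproxy with `openssl s_client -connect <ip>:443 -servername <host> </dev/null | openssl x509 -noout -subject -ext subjectAltName` for each name. The "default" case is the one to watch: with plain `crt` bundles an unknown SNI silently gets the first certificate and the client sees a name mismatch; haproxy's `strict-sni` bind option refuses the handshake instead, which is usually the better failure mode on a shared IP.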