
My haproxy instance serves 2 domains (mostly to avoid XSS on the main site).

The rules look something like this:

bind :443 ssl crt /etc/ssl/haproxy.pem

acl is_static   hdr_end(Host) -i example.com
acl is_api      hdr_end(Host) -i api.example.com
acl is_files    hdr_end(Host) -i example.io

redirect scheme https if !{ ssl_fc } is_static is_api

Now SSL uses /etc/ssl/haproxy.pem as the default cert, which is the certificate for example.com and not example.io.

How can I specify certs for multiple domain names?

3 Answers


You can concatenate all your certificates into files, say haproxy1.pem and haproxy2.pem, or you can specify a directory containing all your PEM files.

cat cert1.pem key1.pem > haproxy1.pem 
cat cert2.pem key2.pem > haproxy2.pem

As per the haproxy docs

Then on the config use something like this:

defaults
  log 127.0.0.1 local0
  option tcplog

frontend ft_test
  mode http
  bind 0.0.0.0:443 ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem 
  use_backend bk_cert1 if { ssl_fc_sni my.example.com } # content switching based on SNI
  use_backend bk_cert2 if { ssl_fc_sni my.example.org } # content switching based on SNI

backend bk_cert1
  mode http
  server srv1 <ip-address2>:80

backend bk_cert2
  mode http
  server srv2 <ip-address3>:80

Read more about SNI

Keep in mind that SSL support is in a development stage for HAProxy and also that it apparently has a considerable performance hit.

There are other solutions talked about in this thread: https://stackoverflow.com/questions/10684484/haproxy-with-multiple-https-sites

Hope this helps.

Rico
  • Is the cert/key order important when concatenating? –  Dec 12 '13 at 18:39
  • I don't think it should matter, for example if you specify a directory the order is arbitrary. I would make sure that if you include a cert then you include the matching key. – Rico Dec 12 '13 at 19:02
  • I set it up the way you suggested, but haproxy just keeps using the first cert for every domain :( –  Dec 12 '13 at 19:59
  • 1
    Also tried `crt-list` with the same result –  Dec 12 '13 at 20:08
  • Check the edits – Rico Dec 12 '13 at 20:17
  • 1
    Aaaah yes! That did the trick! –  Dec 12 '13 at 20:33
  • Concatenating didn't work for me. What worked for me was to specify every certificate separately: bind 0.0.0.0:443 ssl crt domain1.pem crt domain2.pem – arnuschky Sep 25 '14 at 09:30
  • Works like a charm! Saved me getting an additional public-facing IP. TA – Pavel K Jul 13 '16 at 12:51
  • Specifying multiple certificates like this with bind worked as described above (haproxy 1.7.9). My bundles are domain cert > intermediate certs (when I have them) > ca cert then the private key (in that order). I seem to recall running into a problem if the certs were not in the right order in a bundle, but can't actually recall if that was for HA proxy or when configuring another service. – Iain Collins Nov 20 '17 at 12:45

No need to concatenate or specify a list of certificates anymore; just specify a folder:

frontend public
    bind *:443 ssl crt /etc/haproxy/ssl/

Note: make sure the folder isn't empty and that valid PEM files are present; otherwise HAProxy will not run.

Tim
  • 2
    Also make sure you only have one certificate in there per domain. You can't leave an old certificate in there alongside a renewed one and assume HAProxy will pick the renewed one. (I just found this out the hard way.) – reinierpost Jan 04 '21 at 21:09
  • Note that the correct certificate is determined using SNI (Server Name Indication). If the client doesn't support this feature, the default (i.e. alphabetically first) file in the folder is used. Therefore it may be useful to take this into account when naming the files in this folder. – m7913d Dec 27 '21 at 11:49
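The two answers above (concatenated bundles passed with `crt`, and a directory of bundles) both rely on the bundle being laid out correctly and on the right file becoming the default for clients that do not send SNI. The following POSIX shell script is an added example and is not part of either answer: it generates two throwaway self-signed certificates, builds each bundle in leaf-cert, chain, key order, verifies that the private key in each bundle matches its leaf certificate, reports which file HAProxy will present when no SNI is sent (the alphabetically first one in the directory), and runs `haproxy -c` on a minimal config when the binary is installed. The domain names, the scratch paths and the self-signed test certificates are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original answers: build per-domain PEM bundles
# the way HAProxy expects them, verify each one, and show which file is the
# no-SNI default. Domains, paths and the self-signed certs are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch dir (assumed writable)
CERTDIR="$WORK/certs"            # stands in for /etc/haproxy/ssl/
mkdir -p "$CERTDIR"

# Throwaway self-signed cert + key for one domain (test data only).
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Bundle order HAProxy's chain loader expects: leaf cert first, then any
# intermediates, then the private key. Prints the bundle path.
make_bundle() {
    out="$CERTDIR/$1.pem"
    cat "$WORK/$1.crt" > "$out"
    if [ -n "${2:-}" ]; then cat "$2" >> "$out"; fi   # optional chain file
    cat "$WORK/$1.key" >> "$out"
    chmod 600 "$out"                                   # key material: owner only
    echo "$out"
}

# Type of the first PEM block in a file, e.g. "CERTIFICATE" or "PRIVATE KEY".
first_block_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Leaf certificate = first CERTIFICATE block of the bundle.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p)exit}' "$1"
}

# Private key block (PKCS#8 "PRIVATE KEY" or legacy "RSA PRIVATE KEY").
private_key() {
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1"
}

# Succeeds only if the key's public half equals the leaf cert's public key.
key_matches_cert() {
    c=$(leaf_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null)
    k=$(private_key "$1" | openssl pkey -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# CN of the leaf cert (a real check would also read the SAN list).
leaf_cn() {
    leaf_cert "$1" | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# A bundle is acceptable when the leaf cert comes first and the key matches.
check_bundle() {
    [ "$(first_block_type "$1")" = "CERTIFICATE" ] ||
        { echo "$1: first PEM block must be the leaf certificate" >&2; return 1; }
    key_matches_cert "$1" ||
        { echo "$1: private key does not match the leaf certificate" >&2; return 1; }
    echo "$1: ok (CN=$(leaf_cn "$1"))"
}

# With "crt <dir>/", clients that send no SNI get the alphabetically first
# file, so name files so that the intended default sorts first.
default_cert_file() {
    ls -1 "$1"/*.pem | LC_ALL=C sort | head -n 1
}

# Minimal config using the directory; syntax-check it if haproxy is installed.
write_and_check_cfg() {
    cat > "$WORK/haproxy.cfg" <<EOF
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    bind *:8443 ssl crt $CERTDIR/
    use_backend be_files if { ssl_fc_sni -i example.io }
    default_backend be_web

backend be_web
    server web1 127.0.0.1:8080

backend be_files
    server files1 127.0.0.1:8081
EOF
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$WORK/haproxy.cfg"
    else
        echo "haproxy not installed; skipping 'haproxy -c' on $WORK/haproxy.cfg"
    fi
}

main() {
    for d in example.com example.io; do
        gen_selfsigned "$d"
        make_bundle "$d" >/dev/null
    done
    for b in "$CERTDIR"/*.pem; do check_bundle "$b"; done
    echo "no-SNI default: $(default_cert_file "$CERTDIR")"
    write_and_check_cfg
}
main
```

The key/cert comparison is the check worth keeping in a deploy script: a bundle that pairs a renewed certificate with the previous key loads cleanly in some tools and only fails at handshake time. If you never want the alphabetical fallback to matter, add `strict-sni` to the `bind` line; HAProxy then rejects handshakes whose SNI matches no loaded certificate instead of serving the first one.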

Maybe you could check this too:

/etc/ssl/private/crt-list.txt:

/etc/ssl/private/mydomain.pem
/etc/ssl/private/myotherdomain.pem

haproxy.cfg:

frontend https-in
  bind *:443 ssl crt-list /etc/ssl/private/crt-list.txt

refs: https://github.com/msimerson/Mail-Toaster-6/wiki/How-to-for-Multiple-Domain-SSL-Certificates-with-HaProxy

zx1986
  • This is easier to maintain and useful when bumping into the issue of too many crt's in one line: `[ALERT] [...] : parsing [/etc/haproxy/haproxy.cfg:n]: line too long, truncating at word x, position y:` – lainatnavi Aug 20 '20 at 12:42
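Added example, not from the answer or the linked wiki: a crt-list that also carries explicit SNI filters, combined with the `strict-sni` bind option. The paths and hostnames are assumptions. Beyond avoiding the long `bind` line, a crt-list entry can state which server names a bundle serves (wildcards allowed), and `strict-sni` makes HAProxy refuse a handshake whose SNI matches no entry instead of falling back to the first certificate in the list.

```haproxy
# /etc/haproxy/crt-list.txt (assumed path)
# <bundle> [<SNI filter> ...]; without strict-sni the first entry is the default
/etc/haproxy/certs/example.com.pem     example.com www.example.com
/etc/haproxy/certs/api.example.com.pem api.example.com
/etc/haproxy/certs/example.io.pem      example.io *.example.io

# haproxy.cfg
frontend https-in
    mode http
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt strict-sni
    use_backend bk_api   if { ssl_fc_sni -i api.example.com }
    use_backend bk_files if { ssl_fc_sni_end -i example.io }
    default_backend bk_static
```

Keep the filters and the `ssl_fc_sni` routing rules in agreement: a name that is routed but has no certificate entry is rejected at the TLS layer under `strict-sni`, which is the safer failure than silently serving the wrong certificate.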