I need to configure HAProxy with two different SSL-Certificates
- www.example.com
- api.example.com
Now I learned from a post on serverfault ( Configure multiple SSL certificates in Haproxy ) how to use 2 certificates, however the server continues to use the first certificate mentioned for both domains.
Config:
frontend apache-https
bind 192.168.56.150:443 ssl crt /certs/crt1.pem crt /certs/cert2.pem
reqadd X-Forwarded-Proto:\ https
default_backend apache-http
backend apache-http
redirect scheme https if { hdr(Host) -i www.example.com } !{ ssl_fc }
redirect scheme https if { hdr(Host) -i api.example.com } !{ ssl_fc }
...
How to tell HAProxy which certificate to use depending on the URL?
Full config:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048 // better with 2048 but more processor intensive
defaults
log global
mode http
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend apache-http
bind 0.0.0.0:80
mode http
option http-server-close # needed for forwardfor
option forwardfor # forward IP Address of client
reqadd X-Forwarded-Proto:\ http
default_backend apache-http
stats enable
frontend apache-https
bind 0.0.0.0:443 ssl crt cer1.pem cert2.pem
reqadd X-Forwarded-Proto:\ https
default_backend apache-http
backend apache-http
redirect scheme https if { hdr(Host) -i db.example.com } !{ ssl_fc }
redirect scheme https if { hdr(Host) -i api2.example.com } !{ ssl_fc }
balance roundrobin
cookie SERVERID insert indirect nocache
server www-1 10.0.0.101:80 cookie S1 check
server www-2 10.0.0.102:80 cookie S2 check
server www-3 10.0.0.103:80 cookie S3 check