
I have a working haproxy setup that is doing TLS termination for multiple tenant domains.

Today I added a wildcard cert (call it *.foo.com) to my cert pool. haproxy is properly picking this cert when a browser goes to https://fnord.foo.com.

However, for whatever dumb reason, this user wants their primary domain to be https://www.fnord.foo.com. When the wildcard cert is installed directly in IIS, with a dedicated IP binding, and the URL is attempted bypassing haproxy, this works, even though I don't think it should according to the strict definition of SSL processing (see this answer). Nevertheless, browsers accept a prefixed www, even if they shouldn't, and to make this client happy, we'd like it to happen anyway. Is there any way to tell haproxy to use that specific cert when the incoming domain is www.fnord.foo.com?

Ross Presser

1 Answer


Not sure the certificate will cover that domain, but you could try loading that cert as the default, like so:

bind 0.0.0.0:443 ssl crt /etc/haproxy/wildcard.foo.com.pem crt /etc/haproxy/other.certs.d

This way, any request whose SNI does not match another certificate will fall back to the /etc/haproxy/wildcard.foo.com.pem cert, as per

https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt

The other way you could try forcing it is by using SNI filters in a crt-list, as per

https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt-list

Andrey
Interesting information. Using it as a fallback is no good, because we support many, many clients with different certs on the same IP. The SNI filter looks interesting, but there is no info in the manual on what an SNI filter even looks like. Can you show me or link me to an example? – Ross Presser Feb 19 '16 at 14:46
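For reference, the crt-list approach the answer points to looks like the following. This is an added example and not part of the original answer or the comment thread; the file paths, the frontend name, and the default certificate /etc/haproxy/default.pem are assumptions chosen to match the names used above.

```haproxy
# /etc/haproxy/haproxy.cfg (frontend name and paths are assumed)
# A default cert is still required by OpenSSL; "strict-sni" refuses
# connections whose SNI matches no entry instead of serving the default.
frontend https-in
    bind 0.0.0.0:443 ssl crt /etc/haproxy/default.pem crt-list /etc/haproxy/crt-list.txt strict-sni
    default_backend tenants

# /etc/haproxy/crt-list.txt (assumed path)
# Format per line: <pem file> [<sni filter> ...]
# With no filters, haproxy matches on the cert's CN and subjectAltNames.
# With filters, the cert is served whenever the client's SNI matches one
# of them, regardless of what names the cert itself contains.
/etc/haproxy/wildcard.foo.com.pem *.foo.com www.fnord.foo.com
/etc/haproxy/other.certs.d/tenant-one.pem
/etc/haproxy/other.certs.d/tenant-two.pem
```

To confirm which certificate is being handed out for the prefixed name, connect with `openssl s_client -connect <haproxy-ip>:443 -servername www.fnord.foo.com` and check the subject of the returned chain. Two caveats: the SNI filter only controls which certificate haproxy presents, not whether clients accept it, and per RFC 6125 a wildcard label matches exactly one DNS label, so `*.foo.com` does not cover www.fnord.foo.com for a strictly validating client. The tidy fix is a certificate that lists www.fnord.foo.com (or *.fnord.foo.com) as a subjectAltName; the filter above only forces the existing wildcard cert onto that name.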