
I am a beginner with HAProxy and I was trying to achieve the following. I have 4 VMs: one running the HAProxy server, and an Apache httpd server on each of the other 3 VMs. I have test.html on all three servers. When a user hits https://haproxy_ip/test.html, the file may be delivered from any server.

I have generated a separate SSL certificate in each VM (by referring to these URLs: How to enable https on Apache CentOS - TechRepublic and https://www.suse.com/support/kb/doc/?id=000018152) and copied the pem and key files to the HAProxy VM. Now all three pem files are available under the /etc/haproxy/ directory.

I have configured an ssl crt-list so that HAProxy picks the corresponding SSL certificate, and below is what crt-list.txt looks like:

# <pem path>  <SNI filter>. The first entry is also the default certificate,
# presented whenever the client sends no SNI (e.g. connects by IP address)
# or sends a name that matches none of the filters below.
/etc/haproxy/testserver1.pem testserver1
/etc/haproxy/testserver2.pem testserver2
/etc/haproxy/testserver3.pem testserver3

What I am looking for is this: when a user requests https://haproxy_ip/test.html in a browser, the certificate delivered each time should be based on the backend server picked by HAProxy.

Is this possible / supported by HAProxy? If yes, can somebody please help me?

Below is my current configuration:

global
    maxconn 50000
    log /dev/log local0
    log /dev/log local1 notice
    # Drop privileges after binding :80/:443. The posted config ran the
    # workers as root, which is not needed for these ports and hands a
    # compromised proxy (and every private key it holds) full control of
    # the host. Assumes the haproxy system account shipped by the package.
    user haproxy
    group haproxy
    stats timeout 30s
    # nbproc is deprecated since HAProxy 2.3 and removed in 2.5; nbthread
    # is the supported way to use several cores.
    nbproc 2
    cpu-map auto:1/1-4 0-3
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    daemon

defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend ft_http
    bind :80
    mode http
    default_backend bk_http

frontend ft_https
    # TLS is terminated here. The first certificate in crt-list.txt is the
    # default; the others are selected by the SNI name the client sends,
    # never by the backend that is chosen afterwards.
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    # Once TLS is terminated, TCP mode gains nothing; HTTP mode makes the
    # request, headers and SNI available for routing and logging.
    mode http
    default_backend bk_https

backend bk_http
    mode http
    balance roundrobin
    default-server inter 1s
    server testserver1 192.168.0.1:80 check
    server testserver2 192.168.0.2:80 check
    server testserver3 192.168.0.3:80 check

backend bk_https
    mode http
    balance roundrobin
    # Declared but unused: a stick-table only takes effect together with a
    # "stick on" / "stick match" rule.
    stick-table type ip size 200k expire 1m
    # The frontend already decrypted the traffic, so as posted these servers
    # received plaintext HTTP on their TLS port 443 and rejected it.
    # Re-encrypt towards the backends and verify their certificates;
    # /etc/haproxy/backend-ca.pem is an assumed bundle of the CA (or the
    # self-signed certificates) that issued testserver1-3's certificates.
    default-server inter 1s ssl verify required ca-file /etc/haproxy/backend-ca.pem
    server testserver1 192.168.0.1:443 check
    server testserver2 192.168.0.2:443 check
    server testserver3 192.168.0.3:443 check

Thanks.

EDIT

Let me explain the scenario and why I am trying to achieve this:

Say I have two customers (two different domains) and they put CNAME entries in DNS, so that when a user enters https://myapp.customer1.com or https://myapp.customer2.com in a browser, it redirects to my server, where I have HAProxy in place. Also, let's say the customer is not storing / not willing to store the subdomain certificate on his server for some reason. In that case, I need to store and maintain those certificates on my server. Since both customers use different servers, I can't use wildcard certificates. Also, let's say I don't prefer SANs either.

In this scenario, how can I deliver the corresponding certificate (according to the domain the user requested) from my server using HAProxy? I hope you understand what I am trying to achieve.

Alfred
    What are you attempting to do? If you are terminating the HTTPS connection on the proxy, then you only need one certificate. That certificate protects the single connection between the client and the proxy. If you also need to protect the connection to the back-end, then those backends have the certificates and not the proxy (which becomes the client). Alternatively, configure the proxy to use TLS passthrough, so that the only certs required are the three on the back-end servers. – garethTheRed Mar 24 '21 at 19:35
  • Hi @garethTheRed, let me explain the use case. Imagine I have two customers (two domains) and they put a CNAME in their DNS and redirect to my HAProxy. They don't have certificates at their end and I need to deliver them from my side. What can be done in that case? – Alfred Mar 25 '21 at 05:18
  • If you've got two domains, then add both to the Subject Alternative Name extension in the proxy's single certificate. This is scalable, in that the extension can have multiple DNS names. However, it could become unwieldy if there are hundreds or thousands of domain names, I suppose. The risk with your proposed solution is that you have all your customers' certificates and private keys on one proxy. If that proxy is compromised, all your customers lose their private key and those certificates will require revoking and replacing. Minimize the risk by storing your keys in an HSM, maybe? – garethTheRed Mar 25 '21 at 12:44
  • @garethTheRed your point is very valid. The proxy can become a single point of failure, but I am planning to implement a floating IP and multiple HAProxy servers. Also, see the answer by `HermanB`. Any idea how I can implement this for testing, with 4 VMs? – Alfred Mar 25 '21 at 15:59

1 Answer

You don't access your HAProxy by its IP address.

You get a certificate for customer1.example.com and a second certificate for customer2.example.com.

You configure the DNS entries (or, when you're only testing, your hosts file) so that customer2.example.com and customer1.example.com point to the IP address of your HAProxy.

You configure both the certificate for customer1.example.com and the one for customer2.example.com in the crt-list.

SNI will ensure that when you request https://customer1.example.com the certificate for customer1.example.com is used, and when you request https://customer2.example.com the certificate for customer2.example.com is used.

When you request https://ip-address you don't have a certificate that is valid. I explained that before: Why browser is always showing certificate of only one server even if multiple certificates are configured in HAProxy?

If you want the web browser to know which backend it is connected to, you don't do that with a certificate in the front-end; you do that by setting, for example, a header and/or a cookie.

Bob
  • Thanks for your reply. In that case, does my configuration look correct? Do you find anything that needs to be added / removed / modified? – Alfred Mar 25 '21 at 06:19
  • Though, when generating certs yourself, you can in fact add "IP:" entries in addition to or instead of your "DNS:" subject alternative names and achieve trust while using IP addresses. DigiCert also signs CSRs with such IP addresses set, so I would assume multiple public CAs do allow for that. – M. Schmidt May 13 '21 at 17:25
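The selection rule the answer relies on, as an added example (my own code, not from the original post or from HAProxy): a small Python model of how a crt-list is parsed and which certificate a TLS client is given for a particular SNI value. It lets the three situations discussed above be checked side by side: a per-customer hostname gets its own certificate; a request to the bare proxy IP carries no SNI (browsers do not put IP literals in SNI), so it gets the default, i.e. first, certificate, which the browser then rejects because its SANs do not cover the IP; and with strict-sni on the bind line an unknown name is refused instead of being handed another customer's certificate. The file paths, hostnames and the CERT_SANS table standing in for each certificate's subjectAltName are constructed. The model deliberately leaves out parts of the real rule set, such as a certificate without filters contributing its own CN/SAN names as implicit filters, or RSA/ECDSA certificate pairs.

```python
"""Model of HAProxy crt-list parsing and SNI certificate selection (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed crt-list in the same syntax as /etc/haproxy/crt-list.txt:
#   <pem path> [ssl options in brackets] [SNI filters...]
# A leading '!' excludes a name from a wildcard; '*.' covers exactly one label.
CRT_LIST = """
# first entry = default certificate (no SNI, or an SNI that matches nothing)
/etc/haproxy/proxy-default.pem                proxy.example.net
/etc/haproxy/customer1.pem                    myapp.customer1.com
/etc/haproxy/customer2.pem [alpn h2,http/1.1] myapp.customer2.com
/etc/haproxy/customer3-wild.pem               *.customer3.com !secure.customer3.com
/etc/haproxy/customer3-secure.pem             secure.customer3.com
"""

# Constructed stand-in for each PEM's subjectAltName extension (real HAProxy
# reads this from the certificate itself).
CERT_SANS: Dict[str, List[str]] = {
    "/etc/haproxy/proxy-default.pem": ["DNS:proxy.example.net"],
    "/etc/haproxy/customer1.pem": ["DNS:myapp.customer1.com"],
    "/etc/haproxy/customer2.pem": ["DNS:myapp.customer2.com"],
    "/etc/haproxy/customer3-wild.pem": ["DNS:*.customer3.com"],
    "/etc/haproxy/customer3-secure.pem": ["DNS:secure.customer3.com"],
}


@dataclass
class CrtListEntry:
    path: str
    options: str = ""
    filters: List[str] = field(default_factory=list)     # positive SNI filters
    exclusions: List[str] = field(default_factory=list)  # '!name' filters


def parse_crt_list(text: str) -> List[CrtListEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if "[" in line:                         # strip the "[...]" ssl options
            before, rest = line.split("[", 1)
            options, after = rest.split("]", 1)
            line = before + " " + after
        tokens = line.split()
        entry = CrtListEntry(path=tokens[0], options=options.strip())
        for tok in tokens[1:]:
            target = entry.exclusions if tok.startswith("!") else entry.filters
            target.append(tok.lstrip("!").lower())
        entries.append(entry)
    return entries


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                              # ".customer3.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return pattern == host


def select_certificate(entries: List[CrtListEntry], sni: Optional[str],
                       strict_sni: bool = False) -> Optional[str]:
    """PEM path the proxy presents for this SNI; None = handshake refused."""
    default = entries[0].path
    if sni is None:                     # no SNI, e.g. the client connected by IP
        return None if strict_sni else default
    host = sni.lower().rstrip(".")
    for entry in entries:               # exact filters win over wildcards
        if host in entry.filters:
            return entry.path
    for entry in entries:               # first wildcard match that is not excluded
        if any(name_matches(f, host) for f in entry.filters if f.startswith("*.")) \
                and not any(name_matches(x, host) for x in entry.exclusions):
            return entry.path
    return None if strict_sni else default


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def client_accepts(cert_path: str, requested_host: str) -> bool:
    """Browser hostname check: DNS names against DNS: SANs, IP literals only
    against IP: SANs (never against the CN or a DNS: SAN)."""
    sans = CERT_SANS[cert_path]
    if is_ip_literal(requested_host):
        return f"IP:{requested_host}" in sans
    return any(name_matches(s[4:].lower(), requested_host.lower())
               for s in sans if s.startswith("DNS:"))


ENTRIES = parse_crt_list(CRT_LIST)


def simulate(url: str, strict_sni: bool = False) -> dict:
    """What a browser visiting `url` through this proxy would be shown."""
    host = urlparse(url).hostname
    sni = None if is_ip_literal(host) else host   # RFC 6066: no IP literals in SNI
    cert = select_certificate(ENTRIES, sni, strict_sni)
    return {"host": host, "sni": sni, "cert": cert,
            "trusted": cert is not None and client_accepts(cert, host)}


if __name__ == "__main__":
    for u in ("https://192.168.0.10/test.html", "https://myapp.customer1.com/test.html",
              "https://www.customer3.com/", "https://a.b.customer3.com/"):
        print(simulate(u))
    print(simulate("https://unknown.example.org/", strict_sni=True))
```

Against a live proxy the same check is `openssl s_client -connect haproxy_ip:443 -servername myapp.customer1.com </dev/null | openssl x509 -noout -subject -ext subjectAltName`, repeated without `-servername` to see which certificate the bare IP gets. If the proxy must never fall back to the default certificate for an unknown name (doing so tells one customer which other hostnames the proxy serves), add `strict-sni` to the bind line so the handshake is refused instead; that is what the strict_sni flag above models.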