
I am working on a multi-tenant web application that is hosted on AWS. It is written in Ruby on Rails, and each app server runs Nginx. We have an EC2 instance that runs HAProxy. We originally set up HAProxy because some of our customers could only set up A records on their root domain (pointing to a static IP), and ELB only offers dynamic IPs.

So our requests look like: HAProxy => Nginx => Rails

Our customers can configure a custom domain, so they can access our service via their own domain (through A or CNAME DNS records). We will need to support around 1,000 domains.

I was planning to write a script that would request SSL certificates from LetsEncrypt for all of our custom domains. Then I would configure either Nginx or HAProxy to use these SSL certificates (they can use the right one based on SNI).

Would it be better/easier to terminate SSL at HAProxy or Nginx? Will loading 1,000 SSL certificates impact performance?

Finally, are there any open-source projects that can accomplish some or all of what I'm looking for?

ndbroadbent
  • HAProxy doesn't really even need to be "configured to use" them... you just put each cert in a file along with its chain and key and put these all in a directory referenced in config, and do a reload. It automatically uses a cert to match the SNI. Not sure about Nginx. – Michael - sqlbot Jan 27 '17 at 00:08
  • Nginx needs the certificate filename configured for each server, though you can use SNI to reduce the number of certificates. Let's Encrypt does a max of 100 domains per certificate according to a quick search. Based on what @Michael-sqlbot says I think HAProxy is better in this case. – Tim Jan 27 '17 at 01:01
  • Thanks @Michael, that does sound like the easiest way to go. It shouldn't be too hard to write a script that downloads certs from LetsEncrypt and reloads HAProxy. – ndbroadbent Jan 27 '17 at 07:37
  • ACMETool is a great Let's Encrypt client: https://github.com/hlandau/acme – Tim Jan 27 '17 at 19:05
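Putting the HAProxy approach from the comments into a script, as an added example that is not code from the question or the commenters: it reads a certbot-style `/etc/letsencrypt/live/<domain>/{fullchain.pem,privkey.pem}` layout (an assumption), writes one `<domain>.pem` bundle per tenant into the directory an HAProxy `bind ... ssl crt /etc/haproxy/certs/` line points at, and refuses to deploy any bundle whose private key does not match its leaf certificate. Both directory paths and the environment variable names are assumptions; Ruby was chosen because the application is Rails.

```ruby
# Added example (not code from the question or the commenters): build one PEM bundle per domain for
# HAProxy's `crt` directory from a Let's Encrypt-style layout. Paths and env var names are assumptions.
require "openssl"
require "fileutils"

LIVE_DIR    = ENV.fetch("LE_LIVE_DIR", "/etc/letsencrypt/live")   # <domain>/fullchain.pem + privkey.pem
HAPROXY_DIR = ENV.fetch("HAPROXY_CERT_DIR", "/etc/haproxy/certs") # bind *:443 ssl crt /etc/haproxy/certs/

# True when the private key belongs to the leaf (first) certificate in the chain file.
def key_matches?(fullchain_pem, privkey_pem)
  leaf = OpenSSL::X509::Certificate.new(fullchain_pem) # parses only the first PEM block
  key  = OpenSSL::PKey.read(privkey_pem)
  leaf.check_private_key(key)
rescue OpenSSL::OpenSSLError
  false # an unparsable cert or key is treated as a mismatch and never deployed
end

# Writes <haproxy_dir>/<domain>.pem (chain followed by key); returns the path, or nil if skipped.
def bundle_domain(domain, live_dir: LIVE_DIR, haproxy_dir: HAPROXY_DIR)
  chain = File.read(File.join(live_dir, domain, "fullchain.pem"))
  key   = File.read(File.join(live_dir, domain, "privkey.pem"))
  return nil unless key_matches?(chain, key)
  FileUtils.mkdir_p(haproxy_dir)
  out = File.join(haproxy_dir, "#{domain}.pem")
  File.write("#{out}.tmp", chain + key, perm: 0o600) # holds the private key: owner-only
  File.rename("#{out}.tmp", out)                      # atomic swap, so a reload never sees a partial file
  out
rescue Errno::ENOENT
  nil # a domain directory missing either file is skipped
end

# Bundles every domain directory under live_dir; returns [deployed, skipped] domain lists.
def bundle_all(live_dir: LIVE_DIR, haproxy_dir: HAPROXY_DIR)
  return [[], []] unless Dir.exist?(live_dir)
  deployed, skipped = [], []
  Dir.children(live_dir).sort.each do |domain|
    next unless File.directory?(File.join(live_dir, domain))
    (bundle_domain(domain, live_dir: live_dir, haproxy_dir: haproxy_dir) ? deployed : skipped) << domain
  end
  [deployed, skipped]
end

if $PROGRAM_NAME == __FILE__
  deployed, skipped = bundle_all
  warn "skipped (missing files or key/cert mismatch): #{skipped.join(', ')}" unless skipped.empty?
  puts "deployed #{deployed.size} bundle(s) to #{HAPROXY_DIR}"
  # HAProxy selects the bundle by SNI on its own; it only needs a config check and a reload.
  system("haproxy", "-c", "-f", "/etc/haproxy/haproxy.cfg") && system("systemctl", "reload", "haproxy")
end
```

A mismatched key and certificate is the failure mode worth catching here, because HAProxy would otherwise refuse to start on the bad bundle and take every tenant's domain down with it.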

0 Answers