I have been wrestling with HAProxy for a few hours now and I am probably missing something in my limited know-how.
I have two servers (ha1.domain.com and ha2.domain.com), both with keepalived and haproxy, that should manage failover between two other servers (mail1.domain.com and mail2.domain.com). There is one VIP (domain mailserver.domain.com).
When I connect to the public domain via browser I get an error that the certificate could not be verified as the domain (mailserver.domain.com) doesn't match the domain in the certificate (either mail1.domain.com or mail2.domain.com). What is the best strategy to avoid this issue?
My HAProxy config:

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 debug
    maxconn 45000 # Total Max Connections.
    daemon
    nbproc 1 # Number of processing cores.

defaults
    timeout server 86400000
    timeout connect 86400000
    timeout client 86400000
    timeout queue 1000s

# [HTTP Site Configuration]
listen http_web xxx.yyy.zzz.aaa:80
    bind *:80
    #bind *:443 ssl crt /etc/ssl/iredmail.org/iredmail.org.pem
    bind *:443 ssl crt /etc/haproxy/certs/ha2.domain.com.pem
    redirect scheme https if !{ ssl_fc }
    mode http
    balance roundrobin # Load Balancing algorithm
    option httpchk
    option forwardfor
    cookie SRVNAME insert
    server mail1 bbb.ccc.ddd.eee:80 weight 1 maxconn 512 cookie SA check
    server mail2 bbb.ccc.fff.ggg:80 weight 1 maxconn 512 cookie SB check

# [HTTPS Site Configuration]
listen https_web xxx.yyy.zzz.aaa:443
    mode tcp
    balance source # Load Balancing algorithm
    reqadd X-Forwarded-Proto:\ http
    server mail1 bbb.ccc.ddd.eee:443 weight 1 maxconn 512 check
    server mail2 bbb.ccc.fff.ggg:443 weight 1 maxconn 512 check

# Reporting
listen stats
    bind :9000
    mode http
    # Enable statistics
    stats enable
    # Hide HAProxy version, a necessity for any public-facing site
    stats hide-version
    # Show text in authentication popup
    stats realm Authorization
    # URI of the stats page: localhost:9000/haproxy_stats
    stats uri /haproxy_stats
    # Set a username and password
    stats auth Username:Password

Thanks
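
Added example (not part of the original post, and not HAProxy's own tooling): a Python sketch that reads the port-443 listeners from a config like the one above, classifies each as TLS termination at HAProxy or TCP passthrough to the mail servers, and checks whether the certificate a browser would be shown covers the VIP name. The helper names `covers`, `parse` and `audit` are hypothetical, and the SAN lists are constructed assumptions inferred from the PEM file name and the error described in the question.

```python
# Constructed sample: trimmed listeners from the question; the SAN lists are assumed.
SAMPLE_CFG = """\
listen http_web xxx.yyy.zzz.aaa:80
    bind *:443 ssl crt /etc/haproxy/certs/ha2.domain.com.pem
listen https_web xxx.yyy.zzz.aaa:443
    mode tcp
    server mail1 bbb.ccc.ddd.eee:443 check
    server mail2 bbb.ccc.fff.ggg:443 check
"""
CERT_SANS = {"/etc/haproxy/certs/ha2.domain.com.pem": ["ha2.domain.com"]}
BACKEND_SANS = {"mail1": ["mail1.domain.com"], "mail2": ["mail2.domain.com"]}

def covers(host, sans):
    """RFC 6125-style match; '*' counts only as the whole left-most label."""
    h = host.lower().split(".")
    for p in (n.lower().split(".") for n in sans):
        if len(p) == len(h) and h[1:] == p[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2)):
            return True
    return False

def parse(cfg):
    """Per section: mode (built-in default tcp, no 'defaults' inheritance), binds, servers."""
    sections, cur = [], {"binds": [], "servers": []}
    for line in cfg.splitlines():
        tok = line.split("#", 1)[0].split() + [""]  # pad so tok[1] always exists
        if tok[0] in ("global", "defaults", "listen", "frontend", "backend"):
            cur = {"name": tok[1] or tok[0], "mode": "tcp", "binds": [], "servers": []}
            sections.append(cur)
            if tok[0] == "listen" and len(tok) > 3:  # legacy "listen <name> <addr:port>"
                cur["binds"].append((tok[2], None))
        elif tok[0] == "bind":
            crt = (tok[tok.index("crt") + 1] if "ssl" in tok and "crt" in tok else "") or None
            cur["binds"].append((tok[1], crt))
        elif tok[0] == "mode":
            cur["mode"] = tok[1]
        elif tok[0] == "server":
            cur["servers"].append(tok[1])
    return sections

def audit(cfg, vip, cert_sans, backend_sans):
    """For each :443 listener: (section, who presents the cert, does it cover vip)."""
    report = []
    for s in parse(cfg):
        for addr, crt in s["binds"]:
            if crt and addr.endswith(":443"):  # HAProxy terminates TLS with this PEM
                report.append((s["name"], "terminate", covers(vip, cert_sans.get(crt, []))))
            elif s["mode"] == "tcp" and addr.endswith(":443"):  # passthrough: backend certs
                ok = all(covers(vip, backend_sans.get(n, [])) for n in s["servers"])
                report.append((s["name"], "passthrough", bool(s["servers"]) and ok))
    return report
```

Calling `audit(SAMPLE_CFG, "mailserver.domain.com", CERT_SANS, BACKEND_SANS)` flags both listeners as not covering the VIP name. The real SAN list of a PEM file can be read with `openssl x509 -in <file> -noout -text`.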