I have 4 servers:
- proxy_server,
- $BK_SERVER_001,
- $BK_SERVER_002 and
- $BK_SERVER_003
The "proxy_server" only has an HAProxy-enabled service with this configuration (please look at the rows marked OPTION 1 & OPTION 2):
# StackOverflow
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    log global
    mode http
    option httplog
    option dontlognull

# ***************** port 80 defs ************
frontend http_in
    mode http
    option httplog
    bind *:80
    option forwardfor
    acl host_goose hdr(host) -i www.example.edu
    redirect scheme https code 301 if !host_goose
    use_backend http_goose if host_goose

backend http_goose
    mode http
    server sonar $BK_SERVER_003:8080

# ***************** port 443 defs ************
frontend https_in
    mode tcp
    option tcplog
    # With this one, all works except sonar (OPTION 1)
    # bind *:443
    # With this one, only sonar works (OPTION 2)
    bind *:443 ssl crt sonar.pem
    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 5s
    tcp-request content accept if tls
    acl host_server001 req.ssl_sni -i opengrok.ci.example.edu
    acl host_server002 req.ssl_sni -i gitlab.ci.example.edu
    acl host_server003 req.ssl_sni -i jenkins.ci.example.edu
    acl host_server004 req.ssl_sni -i nexus.ci.example.edu
    acl host_server005 req.ssl_sni -i rancher.ci.example.edu
    acl host_server006 req.ssl_sni -i reports.ci.example.edu
    acl host_server007 hdr(host) -i sonar.ci.example.edu
    use_backend https_server001 if host_server001
    use_backend https_server002 if host_server002
    use_backend https_server003 if host_server003
    use_backend https_server004 if host_server004
    use_backend https_server005 if host_server005
    use_backend https_server006 if host_server006
    use_backend https_server007 if host_server007

#opengrok
backend https_server001
    mode tcp
    server server001 $BK_SERVER_001:28443

#gitlab
backend https_server002
    mode tcp
    server server002 $BK_SERVER_002:10443

#jenkins
backend https_server003
    mode tcp
    server server003 $BK_SERVER_001:7443

#nexus
backend https_server004
    mode tcp
    server server004 $BK_SERVER_001:8443

#rancher
backend https_server005
    mode tcp
    server server005 $BK_SERVER_002:9443

#reports
backend https_server006
    mode tcp
    server server006 $BK_SERVER_001:4443

#sonar
backend https_server007
    mode http
    server server007 $BK_SERVER_001:9000
For OPTION 2, HAProxy successfully publishes the "sonar" service using the given certificate; however, the rest of the services then try to use that certificate too. Since the other services are already SSL-enabled in their corresponding backends, I do NOT have their certificates.
If I use OPTION 1, HAProxy successfully publishes all the already-SSL-enabled backend services except the "sonar" service, because it needs a certificate that I only have at the proxy_server level.
Is it possible to have all the services secured with SSL if (like I said) some of them are already secured, but the others will be secured by HAProxy with the only SSL certificate I have access to, the one for the "sonar" service? How?
Please also note that I do not have ssh access to the $BK_SERVER_xxx servers and that I have all the DNS pointing their names to "proxy_server".
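The usual HAProxy layout for this situation (SNI passthrough for the backends that already speak TLS, termination on the proxy only for the one host whose certificate it holds), as an added example that is not part of the question. It assumes Linux (for the abns@ abstract socket), a certificate at /etc/haproxy/certs/sonar.pem, and the sonar_terminate / sonar_tls / http_sonar section names, all chosen here.

```haproxy
# Added example (not the poster's config): one TCP frontend on :443 routes by SNI.
# Hosts whose backends already speak TLS are passed through untouched; only
# sonar.ci.example.edu is handed to a local TLS-terminating frontend over an
# abstract namespace socket (abns@), so the proxy needs just the sonar certificate.
frontend https_in
    mode tcp
    option tcplog
    bind *:443
    # Wait (up to 5s) for the ClientHello so req.ssl_sni is populated before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Passthrough: the SNI is sent in the clear; hdr(host) is not (it sits inside the encrypted stream).
    use_backend https_server001 if { req.ssl_sni -i opengrok.ci.example.edu }
    use_backend https_server002 if { req.ssl_sni -i gitlab.ci.example.edu }
    # ... jenkins, nexus, rancher and reports follow the same pattern ...
    # Terminate: hand sonar's connection to the local TLS frontend below.
    use_backend sonar_terminate if { req.ssl_sni -i sonar.ci.example.edu }
    # No default_backend: an unknown or missing SNI matches nothing and the connection is closed.

backend https_server001
    mode tcp
    server server001 $BK_SERVER_001:28443

backend https_server002
    mode tcp
    server server002 $BK_SERVER_002:10443

# Loop back into HAProxy; PROXY protocol v2 carries the real client address across the hop.
backend sonar_terminate
    mode tcp
    server local_tls abns@sonar_tls send-proxy-v2

# TLS is terminated here with the one certificate the proxy owns (the path is an assumption).
frontend sonar_tls
    mode http
    option httplog
    bind abns@sonar_tls accept-proxy ssl crt /etc/haproxy/certs/sonar.pem
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend http_sonar

backend http_sonar
    mode http
    server server007 $BK_SERVER_001:9000
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then confirm each name from a client with `openssl s_client -connect proxy_server:443 -servername <host>`: the passthrough hosts should present their backend's own certificate and only sonar.ci.example.edu should present the proxy's sonar certificate.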