HAproxy – SSL and virtual hosts issues

Apache2clusterhaproxy

HAProxy Config:

frontend https-proxy
      bind *:443 ssl crt /path/to/certs
      default_backend web

backend web
      balance roundrobin
      option httpchk
      option forwardfor
      option httpclose

      server web-srv1 192.168.1.1:80 check inter 5000
      server web-srv2 192.168.1.2:80 check inter 5000

Apache Conf:

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

Shared IP – 192.168.1.3

example.com goes to 192.168.1.3

test.example.com goes to 192.168.1.1

Going to test.example.com and bypassing the proxy, the virtual host works just fine.

Going through the proxy at example.com, for some reason it goes to the default instance in the conf files. (The SSL.conf file is included in the apache conf as well)

Not sure why this is occurring, maybe it's an apache configuration.

Best Answer

Because your backends point to 192.168.1.1:80 and 192.168.1.2:80 , however your Apache vhost is configured to listen on port 443 instead of port 80.

Related Solutions

Ssl – HaProxy – Http and SSL pass through config

What are you using to cipher/decipher the SSL traffic before haproxy ? Stunnel, nginx, apache, something else ?

I suspect it might be related to the lack of "option httpclose" on your port 80, but it's not clear to me why it would cause an issue to only a few visitors.

HAProxy SSL – Configure Multiple SSL Certificates in HAProxy

You can concatenate all your certificates into files say haproxy1.pem and haproxy2.pem or you can specify a directory containing all your pem files.

cat cert1.pem key1.pem > haproxy1.pem 
cat cert2.pem key2.pem > haproxy2.pem

As per the haproxy docs

Then on the config use something like this:

defaults
  log 127.0.0.1 local0
  option tcplog

frontend ft_test
  mode http
  bind 0.0.0.0:443 ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem 
  use_backend bk_cert1 if { ssl_fc_sni my.example.com } # content switching based on SNI
  use_backend bk_cert2 if { ssl_fc_sni my.example.org } # content switching based on SNI

backend bk_cert1
  mode http
  server srv1 <ip-address2>:80

backend bk_cert2
  mode http
  server srv2 <ip-address3>:80

Best Answer

Related Solutions

Ssl – HaProxy – Http and SSL pass through config

HAProxy SSL – Configure Multiple SSL Certificates in HAProxy

Related Topic