How can I use ACL rules in HAProxy (1.5dev19) to serve multiple hosts, each with its own SSL certificate?
I have 3 backends with multiple domains all on one IP address.
nodejs (http/https/ws/wss)
nginx (http/https) (reverse proxy for apache now)
apache (http)
I want to put HAProxy in front of them and have it serve the SSL connections.
Is this possible with HAProxy ACLs, or do I have to use something like stud in front of HAProxy?
Something like:
frontend http-in
    bind *:80
    mode http
    option httplog
    acl host_domain1 hdr(host) -i domain1.lt
    use_backend nginx_web_http if host_domain1

# the second frontend needs its own name; "ssl crt" is a bind option,
# so the certificates go on the bind line, not in the backend
frontend https-in
    bind *:443 ssl crt /etc/ssl/domain1/ crt ./certs/
    mode http
    option httplog
    acl host_domain1 hdr(host) -i domain1.lt
    use_backend nginx_web_https if host_domain1

backend nginx_web_https
    mode http
    option httpclose
    server nginx 192.168.2.101:8080 check

backend nginx_web_http
    mode http
    option httpclose
    server nginx 192.168.2.101:8080 check
Best Answer
I don't think haproxy will allow you to specify a per-backend SSL certificate for each incoming request; rather, you'd have to have a combined certificate that allows for multiple domain names (SNI).
Here's a guide on using SNI with haproxy, where all the certificates are actually hosted by the haproxy server, not the backend instances: https://trick77.com/haproxy-and-sni-based-ssl-offloading-with-intermediate-ca/
Also see the example at the end of this section: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-use-server
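An SNI-based offloading setup of the kind the linked guide describes, written as an added example rather than code from the question or the answer: one TLS listener loads every certificate found in a directory, HAProxy 1.5 selects the one whose name matches the SNI the client sends, and Host-header ACLs route to the three backends. Only domain1.lt and 192.168.2.101:8080 come from the question; domain2.lt, domain3.lt, the other backend addresses and the certificate directory are assumptions.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048   # avoid the weak default DH size

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    timeout tunnel  1h        # keep long-lived ws/wss connections open

# Plain HTTP: apache stays http-only (assumed domain3.lt), everything
# else is redirected to https so no session rides over cleartext.
frontend http-in
    bind *:80
    acl host_apache hdr(host) -i domain3.lt
    use_backend apache_web if host_apache
    redirect scheme https code 301 if !host_apache

# One TLS listener for all names: every .pem in the directory (private
# key + certificate + chain in one file) is loaded, and HAProxy picks
# the certificate matching the client's SNI name. strict-sni refuses
# handshakes whose SNI matches no loaded certificate instead of
# falling back to the first one, which would leak a wrong-name cert.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
    http-request set-header X-Forwarded-Proto https
    acl host_nodejs hdr(host) -i domain1.lt
    acl host_nginx  hdr(host) -i domain2.lt
    use_backend nodejs_web if host_nodejs
    use_backend nginx_web  if host_nginx
    default_backend nginx_web

backend nodejs_web
    server node 192.168.2.100:3000 check     # assumed address

backend nginx_web
    server nginx 192.168.2.101:8080 check    # from the question

backend apache_web
    server apache 192.168.2.102:80 check     # assumed address
```

The backends receive plain HTTP; X-Forwarded-Proto lets them distinguish offloaded HTTPS from the apache-only cleartext path.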