haproxy two applications on the same port with different certificates
I am setting up haproxy. My config is:
frontend bothApps
bind *:9999
mode http
acl prov path_end -i /prov-0.0.1-SNAPSHOT/
acl web path_end -i /web-0.0.1-SNAPSHOT/
acl prov1 path_end -i /prov-0.0.1-SNAPSHOT/testAuthenticated.html
acl web1 path_end -i /web-0.0.1-SNAPSHOT/testAuthenticated.html
use_backend focus if prov
use_backend focus if prov1
use_backend cnt if web
use_backend cnt if web1
and it works correctly without https. Now I would like to add https, but both apps should call haproxy on port 8443 (https://localhost:8443/prov-0.0.1-SNAPSHOT and https://localhost:8443/web-0.0.1-SNAPSHOT) but with different certificates - prov (haproxyPROV.pem), web (haproxyWEB.pem). How can I configure it?
I tried:
frontend https
bind *:8443 ssl crt /etc/haproxy/haproxyWEB.pem
mode http
but here I can just have one certificate per port
Solution 1:
You can use more than one certificate on one port:
frontend foo
bind *:8443 ssl crt /path/to/cert1.pem crt /path/to/cert2.pem
Haproxy uses TLS SNI to match the certificate to the connection (if SNI is not present or no match is found, then the first certificate on the bind line is used (cert1.pem in the above example)). So to achieve your goal you would have to point two different domain names to this host:port, like web.example.com and prov.example.com pointing to the same host. That's what all those comments are about, I guess.
Side note, you use path_end in your ACLs, like acl prov path_end -i /prov-0.0.1-SNAPSHOT/, but that will also match /foobar/prov-0.0.1-SNAPSHOT/ and /web-0.0.1-SNAPSHOT/prov-0.0.1-SNAPSHOT/, which may or may not be what you want. Usually path or path_beg are more fitting.
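As an added example (not part of the question or the answer above), a small Python check that a multi-`crt` bind like the one described actually serves the expected certificate for each SNI name, and falls back to the first `crt` when the client sends no SNI. The hostnames web.example.com / prov.example.com, the port 8443 and the CA file path are assumptions; the sample certificate dicts are constructed for offline use.

```python
import socket
import ssl


def cert_names(cert):
    """Return the lower-cased DNS names (CN + DNS SANs) from a getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def fetch_served_cert(host, port, sni, cafile):
    """Handshake with haproxy and return the leaf certificate it presented.
    sni=None sends no SNI extension, which exercises the fallback to the first
    `crt` on the bind line. cafile (assumed path) must verify the test certs;
    hostname checking is disabled so a mismatching cert is still returned."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def check_sni_mapping(expected, fetch):
    """expected: {sni_or_None: name that must appear in the served cert}.
    fetch(sni) -> getpeercert() dict. Returns {sni: True/False}."""
    return {sni: want.lower() in cert_names(fetch(sni)) for sni, want in expected.items()}


# Constructed getpeercert()-shaped samples standing in for haproxyWEB.pem / haproxyPROV.pem.
SAMPLE_WEB = {"subject": ((("commonName", "web.example.com"),),),
              "subjectAltName": (("DNS", "web.example.com"),)}
SAMPLE_PROV = {"subject": ((("commonName", "prov.example.com"),),),
               "subjectAltName": (("DNS", "prov.example.com"),)}


def simulated_fetch(sni):
    """Mimics `crt web.pem crt prov.pem`: unknown or absent SNI -> first cert (web)."""
    return {"web.example.com": SAMPLE_WEB, "prov.example.com": SAMPLE_PROV}.get(sni, SAMPLE_WEB)


EXPECTED = {"web.example.com": "web.example.com",
            "prov.example.com": "prov.example.com",
            None: "web.example.com"}  # no SNI must land on the first crt

if __name__ == "__main__":
    print(check_sni_mapping(EXPECTED, simulated_fetch))
    # Against a live haproxy: swap in the real fetcher (assumed CA path).
    # print(check_sni_mapping(EXPECTED, lambda s: fetch_served_cert("localhost", 8443, s, "/etc/haproxy/ca.pem")))
```

Run it against the real listener once the two hostnames resolve to the haproxy host; a False for the `None` key means the certificate order on the bind line is not what you expect.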