
How to handle multiple HTTPS websites?


@realtebo wrote:

I’m actually proxying (routing, what’s the right term?) only 1 web server.

My actual config is that, and it’s my starting point.

frontend web

        mode http
        
        bind *:80
        bind *:443 ssl crt /etc/ssl/private/pihole2.mydomain.tld.pem alpn h2,http/1.1

        reqadd X-Forwarded-Proto:\ https
        redirect scheme https if !{ ssl_fc }

        option forwardfor
        
        acl acl_pihole2 hdr(host) -i pihole2.mydomain.tld
        use_backend pihole2 if acl_pihole2

backend pihole2
        # Why port 80?
        # See https://discourse.haproxy.org/t/whats-the-canonical-way-to-handle-port-80-and-port-443/2903/10?u=realtebo
        server web 192.168.1.228:80 check 

Now I’d like to start adding more backends.

The next backend I must add is for the openvpn machine. On this machine (IP 192.168.225) there is a lighttpd with 2 services, one for users, one for the admin:

   https://192.168.1.225 (port 443, automatically) 
   https://192.168.1.225:943/admin (port 943,manually) 

About HAProxy, I cannot simply add

    acl acl_openvpn hdr(host) -i openvpn.mydomain.tld
    use_backend openvpn if acl_openvpn

and

backend openvpn
        server web 192.168.1.225:80 check 

as done for the pihole2 (as you can see in the config file above), because in this case I need to pass through the SSL.

HAProxy is marvellous, but I see 40 tutorials doing things in 50 different ways, and all of them have an asterisk about what this configuration will break… or are too old (<= v1.5).

I’m asking for a suggestion about how to start planning the following config:

  • preserve the ability to route based on domain name
  • pass through the SSL to 2 openvpn services
  • but still be optionally able to terminate SSL on the proxy; not required, but useful
  • Note I am using a wildcard certificate, so my life is easier. Only one .pem, no need for crt_list

In short

[ x ] http or https://pihole2.mydomain.tld -> http://192.168.1.228:80 [Done]

[   ] http:// or https://openvpnuser.mydomain.tld -> https://192.168.225:443 - [Todo]
[   ] http:// or https://openvpnadmin.mydomain.tld -> https://192.168.225:943 - [Todo]

I’m reading about changing from http to tcp mode and inspecting SSL, but I cannot see 2 tutorials with the same commands, structure, idea or goal. I’m a bit lost.
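
One possible layout for the routing table in the post above, as an added example that is not part of the original post and not the HAProxy project's own configuration: a TCP-mode frontend on port 443 routes on the TLS SNI, passes the two OpenVPN hostnames through untouched, and hands everything else to a loopback listener that terminates TLS with the wildcard certificate. The frontend and backend names, the loopback port 8443 and the address 192.168.1.225 (taken from the URLs in the post) are assumptions.

```haproxy
# Added example (not from the original post). Assumes existing global/defaults
# sections with timeouts; names and the loopback port 8443 are assumptions.

frontend tls_in
        mode tcp
        bind *:443
        # Wait for the ClientHello so the SNI can be read without decrypting
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        # Pass-through: TLS is terminated by lighttpd on the OpenVPN machine
        use_backend openvpn_user  if { req.ssl_sni -i openvpnuser.mydomain.tld }
        use_backend openvpn_admin if { req.ssl_sni -i openvpnadmin.mydomain.tld }
        # Everything else is terminated on the proxy itself
        default_backend tls_terminate

backend openvpn_user
        mode tcp
        server ovpn_user 192.168.1.225:443 check

backend openvpn_admin
        mode tcp
        server ovpn_admin 192.168.1.225:943 check

backend tls_terminate
        mode tcp
        # PROXY protocol keeps the real client address for "option forwardfor"
        server loopback 127.0.0.1:8443 send-proxy-v2

frontend web
        mode http
        bind *:80
        bind 127.0.0.1:8443 ssl crt /etc/ssl/private/pihole2.mydomain.tld.pem alpn h2,http/1.1 accept-proxy

        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        # Plain HTTP on port 80 is redirected for every hostname, OpenVPN ones included
        redirect scheme https if !{ ssl_fc }
        option forwardfor

        acl acl_pihole2 hdr(host) -i pihole2.mydomain.tld
        use_backend pihole2 if acl_pihole2

backend pihole2
        server web 192.168.1.228:80 check
```

For the two pass-through hostnames the proxy only sees encrypted bytes, so it cannot add `X-Forwarded-For` or apply HTTP-level ACLs there, and lighttpd must present a certificate valid for those names. Clients that send no SNI fall through to the terminating listener.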
