Channel: HAProxy community - Latest topics

Don't use SSL for default backend(?)


The situation is the following:

HAProxy has been running very nicely (amazing piece of software btw, thanks!) for a couple of months already on a load balancer that has a wildcard DNS entry, let's say *.foo.org. I have lots of backends, and here is the (shortened) configuration:

frontend default
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/

    default_backend no-match

    http-request set-header X-Forwarded-For %[src]
    http-request redirect scheme https code 301 unless { ssl_fc }

    # TODO: this is experimental, to see if ELOG needs it
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    reqadd X-Forwarded-Proto:\ https
    option http-server-close

    option forwardfor
    option httpclose

    use_backend stat if { path -i /my-stats }

    acl ACL_lets_encrypt path_beg /.well-known/acme-challenge/
    use_backend be_lets_encrypt if ACL_lets_encrypt

    acl ACL_a.foo.org  hdr(host) -i a.foo.org
    use_backend be_a.foo.org if ACL_a.foo.org

    acl ACL_b.foo.org  hdr(host) -i b.foo.org
    use_backend be_b.foo.org if ACL_b.foo.org

    acl ACL_c.foo.org  hdr(host) -i c.foo.org
    use_backend be_c.foo.org if ACL_c.foo.org

    ...

backend no-match
    mode http
    tcp-request content reject
#    http-request deny deny_status 400

Now the problem is that of course *.foo.org points to the load balancer, but if a user types in an unused domain, e.g. q.foo.org (which should match the default backend no-match), the wrong SSL certificate is loaded. For some reason, the SSL certificate presented to the user corresponds to the second-to-last (valid) domain.

I currently have no way to obtain a wildcard certificate, so what do you recommend to avoid loading any certificate when no ACLs match? Or is there a better way to deal with this situation?
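The behaviour described above is what HAProxy does by default: when the client's SNI matches none of the certificates loaded from the crt directory, HAProxy serves its default certificate (the first one it loaded) rather than refusing the handshake. The bind option that changes this is strict-sni, which refuses the TLS handshake for any SNI that does not resolve to a loaded certificate. The following is an added configuration example, not the poster's own config; it reuses the poster's directory, backend and ACL names as assumptions and shows only the parts that differ.

```haproxy
# Added example (not from the original post). Assumes the same
# certificate directory and backend names as the poster's config.
frontend default
    bind *:80
    # strict-sni: a handshake whose SNI matches no certificate in
    # /etc/ssl/private/ is refused instead of being answered with the
    # default certificate. Clients that send no SNI at all are refused too.
    bind *:443 ssl crt /etc/ssl/private/ strict-sni

    default_backend no-match

    acl ACL_lets_encrypt path_beg /.well-known/acme-challenge/

    # Do not redirect ACME HTTP-01 challenges to HTTPS: a brand-new name
    # has no certificate yet, so with strict-sni the HTTPS hop would fail.
    http-request redirect scheme https code 301 unless { ssl_fc } || ACL_lets_encrypt

    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    option forwardfor

    use_backend be_lets_encrypt if ACL_lets_encrypt

    acl ACL_a.foo.org  hdr(host) -i a.foo.org
    use_backend be_a.foo.org if ACL_a.foo.org

    acl ACL_b.foo.org  hdr(host) -i b.foo.org
    use_backend be_b.foo.org if ACL_b.foo.org

# Requests that still reach the default backend (plain-HTTP requests for
# an unknown name, or a handshake with a valid SNI whose Host header names
# a different site) get an explicit 403 instead of a silently closed
# connection.
backend no-match
    mode http
    http-request deny deny_status 403
```

Two things to check after enabling this: the routing ACLs above select the backend on the Host header, not on the SNI, so strict-sni alone does not stop a client from completing the handshake for a.foo.org and then sending Host: b.foo.org; the use_backend rules still see the Host header and the unmatched case still lands in no-match, which is why that backend keeps an explicit deny. And because strict-sni also rejects clients that send no SNI, verify with `openssl s_client -connect lb:443` (no -servername) that the refusal is acceptable for whatever monitoring or legacy clients talk to the load balancer.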
