Channel: HAProxy community - Latest topics

Apache multiple SSL VirtualHost single IP and port


I’ve been struggling with something, and want to make sure I’m not missing something simple. I don’t think this can be done, but would like confirmation.

I have one Apache server with multiple VirtualHost configs:

<VirtualHost *:443>
    ServerName api-test-haproxy.neatoserver.lan

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/api-test-haproxy.neatoserver.lan.crt
    SSLCertificateKeyFile /etc/pki/tls/private/api-test-haproxy.neatoserver.lan.key

    DocumentRoot /var/www/api-test-haproxy.neatoserver.lan
    <Directory /var/www/api-test-haproxy.neatoserver.lan>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName api2-test-haproxy.neatoserver.lan

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/api2-test-haproxy.neatoserver.lan.crt
    SSLCertificateKeyFile /etc/pki/tls/private/api2-test-haproxy.neatoserver.lan.key

    DocumentRoot /var/www/api2-test-haproxy.neatoserver.lan
    <Directory /var/www/api2-test-haproxy.neatoserver.lan>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
    </Directory>
</VirtualHost>

Going to https://api-test-haproxy.neatoserver.lan shows the proper api-test site and files, and going to https://api2-test-haproxy.neatoserver.lan shows the other site and files. All good on the Apache side of things.

Now I want to bring HAProxy into the mix, and get another server for HA-ing the sites. I update my DNS names to point the CNAMEs to the HAProxy VIP, and configure HAProxy like so:

defaults
    mode                    http
    balance                 source
    log                     global
    option                  httplog

frontend front_https
    bind *:443 ssl crt /etc/haproxy/certs/
    option forwardfor except 127.0.0.0/8
    # ACLs match the full hostnames the browser sends as SNI
    use_backend back_api if { ssl_fc_sni api-test-haproxy.neatoserver.lan }
    use_backend back_api2 if { ssl_fc_sni api2-test-haproxy.neatoserver.lan }

backend back_api
    # Re-encrypts to Apache on 443. There is no "sni" keyword on these server
    # lines, so the TLS handshake from HAProxy to Apache carries no server name.
    server api-01 api-01.neatoserver.lan:443 check ssl verify none
    server api-02 api-02.neatoserver.lan:443 backup check ssl verify none

backend back_api2
    server api2-01 api-01.neatoserver.lan:443 check ssl verify none
    server api2-02 api-02.neatoserver.lan:443 backup check ssl verify none

Going to https://api-test-haproxy.neatoserver.lan still shows the proper api-test site and files for api, but now going to https://api2-test-haproxy.neatoserver.lan is broken and incorrectly shows the sites and files for api-test-haproxy.neatoserver.lan. It would appear that HAProxy doesn’t pass SNI to the proper VirtualHost.

The only option I've found to get this to work through HAProxy is defining a separate port for each VirtualHost config, like this:

Listen 8443
<VirtualHost *:8443>
    ServerName api-test-haproxy.neatoserver.lan

Listen 8444
<VirtualHost *:8444>
    ServerName api2-test-haproxy.neatoserver.lan

And then updating HAProxy to use the separate ports for the specified sites:

backend back_api
    server api-01 api-01.neatoserver.lan:8443 check ssl verify none
    server api-02 api-02.neatoserver.lan:8443 backup check ssl verify none

backend back_api2
    server api2-01 api-01.neatoserver.lan:8444 check ssl verify none
    server api2-02 api-02.neatoserver.lan:8444 backup check ssl verify none

Is this correct? Is this the only way to get HAProxy to work with multiple VirtualHost on the same server?

Thanks!
Danny
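
The configuration below is an added example written for this page; it is not Danny's config and not code from the HAProxy project. It keeps the post's hostnames and certificate paths and shows the piece the posted config lacks: the `sni` keyword on the backend server lines. HAProxy terminates the browser's TLS session and opens a second, independent TLS handshake to Apache; unless told otherwise it sends no server name in that handshake, so Apache falls back to the first `<VirtualHost *:443>` it loaded, which is exactly the symptom in the post. `sni ssl_fc_sni` copies the name the browser sent into the backend handshake, so both sites can stay on port 443. The timeouts, the internal CA file `/etc/haproxy/internal-ca.crt`, and the use of `verify required` instead of the post's `verify none` are assumptions. `sni` needs HAProxy 1.6 or later; `check-sni` needs 1.8 or later.

```haproxy
# Added example, not from the original post. Hostnames and cert paths follow
# the post; timeouts and the internal CA path are assumptions.
global
    log /dev/log local0

defaults
    mode                    http
    balance                 source
    log                     global
    option                  httplog
    timeout connect         5s
    timeout client          30s
    timeout server          30s

frontend front_https
    bind *:443 ssl crt /etc/haproxy/certs/
    option forwardfor except 127.0.0.0/8
    # Match the full name the browser sends as SNI; -i makes it case-insensitive.
    # A request whose SNI matches neither ACL has no backend and gets HAProxy's
    # own 503, instead of silently landing on the first site.
    use_backend back_api  if { ssl_fc_sni -i api-test-haproxy.neatoserver.lan }
    use_backend back_api2 if { ssl_fc_sni -i api2-test-haproxy.neatoserver.lan }

backend back_api
    # "sni ssl_fc_sni": re-send the client's SNI in the handshake to Apache, so
    # Apache selects the api-test-haproxy VirtualHost on the shared port 443.
    # Health checks have no client SNI, so "check-sni" names the vhost to probe.
    # "verify required" + ca-file (assumed internal CA) replaces "verify none":
    # the backend cert must chain to that CA and match the SNI hostname, which
    # stops a spoofed backend on the HAProxy-to-Apache hop.
    server api-01 api-01.neatoserver.lan:443 check ssl sni ssl_fc_sni check-sni api-test-haproxy.neatoserver.lan verify required ca-file /etc/haproxy/internal-ca.crt
    server api-02 api-02.neatoserver.lan:443 backup check ssl sni ssl_fc_sni check-sni api-test-haproxy.neatoserver.lan verify required ca-file /etc/haproxy/internal-ca.crt

backend back_api2
    server api2-01 api-01.neatoserver.lan:443 check ssl sni ssl_fc_sni check-sni api2-test-haproxy.neatoserver.lan verify required ca-file /etc/haproxy/internal-ca.crt
    server api2-02 api-02.neatoserver.lan:443 backup check ssl sni ssl_fc_sni check-sni api2-test-haproxy.neatoserver.lan verify required ca-file /etc/haproxy/internal-ca.crt
```

If the backend certificates are self-signed with no common CA, keep the post's `verify none` but still add `sni ssl_fc_sni`; the VirtualHost selection works the same, only the backend hop is unauthenticated. On HAProxy older than 1.8, drop `check-sni` and pin the name per backend with `sni str(api-test-haproxy.neatoserver.lan)` instead of `sni ssl_fc_sni`. To confirm which vhost Apache picked through the proxy, run `openssl s_client -connect <HAProxy VIP>:443 -servername api2-test-haproxy.neatoserver.lan </dev/null 2>/dev/null | openssl x509 -noout -subject` and check that the subject is the api2 certificate, then fetch a file that exists only in one DocumentRoot with `curl --resolve api2-test-haproxy.neatoserver.lan:443:<HAProxy VIP> https://api2-test-haproxy.neatoserver.lan/`.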
