Hi,
I have a few services I like to serve with HaProxy over 443.
The question is now with the TLS certificates. Normally I would issue individual certificates for each service. If I do this, I could have different frontends on different IPs listening on 443, but that seems impractical.
What I think I should do is the following: one TLS frontend (443) on a single IP without SSL termination, that based on SNI routes to other TLS frontends that do terminate SSL (listening on 127.0.0.1:443) and then those go back to the backend servers.
So kinda like this:
frontend master-tls
bind 10.145.50.107:443
mode tcp
description Master-TLS
option tcplog
timeout client 3600s
use_backend app01-tls { req.ssl_sni app01.company.net }
use_backend app02-tls { req.ssl_sni app02.company.net }
frontend app01-tls
bind 127.0.0.1:443 ssl crt /root/.vault/app01.company.net.pem ciphers ECDHE-RSA-AES256-SHA:-RC4-SHA:HIGH:!MD5:!aNULL:!EDH
mode tcp
description Application 1 (TLS)
option tcplog
default_backend app01-backend-http
frontend app02-tls
bind 127.0.0.1:443 ssl crt /root/.vault/app02.company.net.pem ciphers ECDHE-RSA-AES256-SHA:-RC4-SHA:HIGH:!MD5:!aNULL:!EDH
mode tcp
description Application 2 (TLS)
option tcplog
default_backend app01-backend-http
backend app01-backend-http
mode tcp
server app01-server-01 10.0.0.115:80
backend app02-backend-http
mode tcp
server app01-server-01 10.0.0.116:80
Does this make sense and is this the correct approach?
2 posts - 2 participants