Channel: HAProxy community - Latest topics

Wildcard SSL certificate SNI routing


I am a beginner with HAProxy.

I am using a mixed method with TCP and HTTP mode, so I can use a VPN server and web servers on TCP port 443.

Everything seems to be working for the most part, but I’m encountering an issue with SSL certificates, or at least, I think that’s the problem.

When I use a separate SSL certificate for each domain, everything functions as expected. However, when I switch to a wildcard SSL certificate (*.domain.com), I get unexpected behavior: it redirects me to the first backend I accessed.

When I first open sub1.domain.com, the correct website loads. However, if I open sub2.domain.com, sub3.domain.com, or sub4.domain.com in separate tabs within the same browser, the same backend as sub1.domain.com is displayed for all of them. If I wait for a while and then click the refresh button, the correct website is displayed.

If I close and reopen the browser, I can connect to the specific subdomain without any issues. However, when I try to visit a different subdomain, it redirects me to the same backend I initially accessed - unless I either don’t close the browser or wait for a while.

It seems like the server is not properly handling SNI checks.

Maybe someone knows if I need to configure anything else to make it work correctly with a wildcard SSL certificate? As I mentioned, no issues are detected if I use a separate SSL certificate for each subdomain.

Here is my config:

# TCP-mode entry point on :443: peeks at the TLS ClientHello and routes on SNI
# without terminating TLS, so the VPN server can share the port.
frontend tls
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 } or !{ req_ssl_hello_type 1 }
    use_backend tcp_to_https if { req.ssl_sni -i sub1.domain.com }
    use_backend tcp_to_https if { req.ssl_sni -i sub2.domain.com }
    use_backend tcp_to_https if { req.ssl_sni -i sub3.domain.com }
    use_backend tcp_to_https if { req.ssl_sni -i sub4.domain.com }
    default_backend vpnserver

# HTTP-mode frontend that terminates TLS; reached only via PROXY protocol from tcp_to_https.
frontend https
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/ssl/private/
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    option forwardfor
    use_backend sub1 if { ssl_fc_sni -i sub1.domain.com }
    use_backend sub2 if { ssl_fc_sni -i sub2.domain.com }
    use_backend sub3 if { ssl_fc_sni -i sub3.domain.com }
    use_backend sub4 if { ssl_fc_sni -i sub4.domain.com }

# Hands the raw TLS stream to the local HTTPS frontend, carrying the client address in PROXY v2.
backend tcp_to_https
    mode tcp
    server https 127.0.0.1:8443 check send-proxy-v2

backend vpnserver
    mode tcp
    option tcp-check
    timeout connect 30s
    timeout server 30s
    retries 3
    server vpn 172.25.254.2:38443

backend sub1
    mode http
    server node01 192.168.10.9:38701 weight 1 maxconn 8192 check ssl verify none

backend sub2
    mode http
    server node01 192.168.10.243:5002

backend sub3
    mode http
    server node01 192.168.10.243:5003

backend sub4
    mode http
    server node01 192.168.10.243:5009

2 posts - 2 participants
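As an added example, not the poster's config and not taken from the thread: the HTTP-mode frontend rewritten so that backend selection uses the per-request Host header, because a browser speaking HTTP/2 may reuse one TLS connection for every name a wildcard certificate covers (connection coalescing), which leaves ssl_fc_sni fixed at whichever name opened the connection. It also logs SNI and Host side by side so a mismatch is visible, and answers 421 for a Host the listener does not serve. Assumed: the backend names, listener address and certificate path from the post; the alpn setting is added here.

```haproxy
# Added example (not the original poster's config): route on Host, not SNI.
# Assumes backends sub1..sub4 and the 127.0.0.1:8443 listener from the post.
frontend https
    # h2 enabled explicitly, which is the case where connection reuse across
    # subdomains of one wildcard certificate occurs.
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/ssl/private/ alpn h2,http/1.1
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"

    # Normalise the Host header once: drop any :port suffix and lower-case it.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    # Capture both values so the access log shows when SNI and Host disagree,
    # which is what a reused (coalesced) wildcard-cert connection looks like.
    http-request capture ssl_fc_sni len 64
    http-request capture var(txn.host) len 64

    # Only the names this frontend actually serves are acceptable Host values.
    acl served_host var(txn.host) -m str sub1.domain.com sub2.domain.com sub3.domain.com sub4.domain.com

    # A request for any other name on this connection is misdirected
    # (RFC 7540 section 9.1.2): answer 421 instead of guessing a backend.
    http-request return status 421 content-type text/plain string "Misdirected Request" unless served_host

    # Per-request routing on Host, so each request on a shared connection
    # reaches its own backend regardless of which SNI opened the connection.
    use_backend sub1 if { var(txn.host) -m str sub1.domain.com }
    use_backend sub2 if { var(txn.host) -m str sub2.domain.com }
    use_backend sub3 if { var(txn.host) -m str sub3.domain.com }
    use_backend sub4 if { var(txn.host) -m str sub4.domain.com }
```

With the two captures in place, the default HTTP log line shows the SNI and the Host in braces, so a coalesced connection appears as a stable first value next to a changing second one.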
