HAProxy with HTTPS (TLS/SSL)Published 2015-8-17
HAProxy supports Servername Indication (SNI) and multiple certificates, but it's picky about how you load the certificate files. I'm going to try to figure that out.
I found the crt and crt-list documentation to be a bit terse, so here's what you need to do if you want haproxy to love you.
Let's say you got your free certificates from Let's Encrypt
# Go into the directory with your certificates pushd /etc/letsencrypt/live/www.example.com/ # create a directory in the haproxy config dir for certs to go sudo mkdir -p /etc/haproxy/certs/ # concatonate the cert, chain, and keypair into a single pem sudo cat cert.pem chain.pem privkey.pem | sudo tee /etc/haproxy/certs/www.example.com.pem
This assumes the following:
cert.pemcontains only your certificate, nothing else
chain.pemcontains whatever intermediate certificate(s) you may have
privkey.pemcontains your private key pair
haproxy.cfg you would add lines like these:
frontend foo_ft_https mode http option httplog bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/www.example.com.pem use_backend foo_bk_https backend foo_bk_https mode http option httplog server foo_srv_sslh 0.0.0.0:3000
crt-list is so simple that it's hard to find an example of its usage.
Luckily I got a reply with a crt-list usage example
almost immediately on the mailing list.
www.example.com /etc/haproxy/certs/www.example.com.pem example.com /etc/haproxy/certs/example.com.pem www.example.net /etc/haproxy/certs/www.example.net.pem example.net /etc/haproxy/certs/example.net.pem
And you would use it like this:
frontend foo_ft_https mode tcp option tcplog bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt use_backend foo_bk_https
inconsistencies between private key and certificate
This is one of the errors you get if you concatonate your files in the wrong order.
[ALERT] 229/003448 (11255) : parsing [/etc/haproxy/haproxy.cfg:78] : 'bind 0.0.0.0:443' : inconsistencies between private key and certificate loaded from PEM file '/etc/haproxy/certs/servers/www.example.com/haproxy.pem'. [ALERT] 229/003448 (11255) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg [ALERT] 229/003448 (11255) : Proxy 'foo_ft_pvpn': no SSL certificate specified for bind '0.0.0.0:443' at [/etc/haproxy/haproxy.cfg:78] (use 'crt'). [ALERT] 229/003448 (11255) : Fatal errors found in configuration.
By AJ ONeal
Did I make your day?
Buy me a coffee