Score:0

haproxy two applications on the same port with different certificates


I am setting up haproxy. My config is:

frontend bothApps
        bind *:9999
        mode http
        acl prov path_end -i /prov-0.0.1-SNAPSHOT/
        acl web path_end -i /web-0.0.1-SNAPSHOT/
        acl prov1 path_end -i /prov-0.0.1-SNAPSHOT/testAuthenticated.html
        acl web1 path_end -i /web-0.0.1-SNAPSHOT/testAuthenticated.html
        use_backend focus if prov
        use_backend focus if prov1
        use_backend cnt if web
        use_backend cnt if web1

and it works correctly without https. Now I would like to add https but both apps should call haproxy on port 8443 (https://localhost:8443/prov-0.0.1-SNAPSHOT and https://localhost:8443/web-0.0.1-SNAPSHOT) but with different certificates - prov(haproxyPROV.pem), web(haproxyWEB.pem). How can I configure it?

I tried:

frontend https
        bind *:8443 ssl crt /etc/haproxy/haproxyWEB.pem
        mode http

but here I can just have one certificate per port

Michael Hampton
Just use one certificate.
Michu93
@MichaelHampton, I can't use one certificate, I know that would be easy but it is not the case here - I need both certs
Michael Hampton
Eh? Why do you have two certificates for the same subject? Did you omit important details? If so, edit your question.
Michu93
@MichaelHampton, client's wish; they want two certificates on the reverse proxy forwarding to other apps on Tomcat.
Michael Hampton
It doesn't make any sense to have two certificates for localhost:8443. What is really going on here?
Michu93
@MichaelHampton, in real life it won't be localhost of course. There is a server which should accept both /web and /prov on the same port with different certificates. Is it even doable in haproxy?
Michael Hampton
It doesn't make any sense to have two certificates for _any_ name, whether localhost or something else. Haproxy is irrelevant. It is not possible to know which certificate to use.
Score:1

You can use more than one certificate on one port:

frontend foo
    bind *:8443 ssl crt /path/to/cert1.pem crt /path/to/cert2.pem

Haproxy uses TLS SNI to match a certificate to a connection (if SNI is not present or no match is found, then the first certificate on the bind line is used (cert1.pem in the above example)). So to achieve your goal you would have to point two different domain names to this host:port, like web.example.com and prov.example.com pointing to the same host. That's what all those comments are about, I guess.
Side note: you use path_end in your ACLs, like acl prov path_end -i /prov-0.0.1-SNAPSHOT/, but that will also match /foobar/prov-0.0.1-SNAPSHOT/ and /web-0.0.1-SNAPSHOT/prov-0.0.1-SNAPSHOT/, which may or may not be what you want. Usually path or path_beg are more fitting.
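The selection rule the answer describes, as an added example that is not part of the answer or of HAProxy's own code: a small model of how a TLS listener picks one of several certificates loaded on the same port. It assumes exact SNI names win over wildcards and that the first certificate on the bind line is the fallback; the certificate paths and names are constructed.

```python
# Added example, not HAProxy code: models certificate selection on a bind line
# that carries several "crt" entries. The choice is made during the TLS
# handshake from the SNI name alone; the HTTP request path (/web..., /prov...)
# is not visible yet, so it can never influence which certificate is served.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LoadedCert:
    path: str                                        # e.g. /path/to/cert1.pem
    names: list[str] = field(default_factory=list)   # CN / SAN entries

def _matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.example.com' wildcard covering one label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False

def choose_certificate(sni: Optional[str], certs: list[LoadedCert]) -> LoadedCert:
    if not certs:
        raise ValueError("no certificates loaded on this bind line")
    if sni:
        for c in certs:                              # exact names first
            if any(n.lower() == sni.lower() for n in c.names):
                return c
        for c in certs:                              # then wildcard entries
            if any(n.startswith("*.") and _matches(n, sni) for n in c.names):
                return c
    return certs[0]                                  # no SNI or no match: first crt

# Constructed bind line: two certificates for two distinct hostnames.
BIND_CERTS = [
    LoadedCert("/path/to/cert1.pem", ["web.example.com"]),
    LoadedCert("/path/to/cert2.pem", ["prov.example.com"]),
]
# Constructed: two certificates that both carry the same name (the localhost case).
SAME_NAME_CERTS = [
    LoadedCert("/etc/haproxy/haproxyWEB.pem", ["localhost"]),
    LoadedCert("/etc/haproxy/haproxyPROV.pem", ["localhost"]),
]

def demo() -> dict[str, str]:
    return {
        "web": choose_certificate("web.example.com", BIND_CERTS).path,
        "prov": choose_certificate("prov.example.com", BIND_CERTS).path,
        "no_sni": choose_certificate(None, BIND_CERTS).path,
        "unknown": choose_certificate("other.example.net", BIND_CERTS).path,
        # Same name on both: the second certificate can never be selected.
        "same_name": choose_certificate("localhost", SAME_NAME_CERTS).path,
    }
```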

Michu93
Thank you, @tbielaszewski! However, I used @MichaelHampton's suggestion and used two frontends with different ports calling the same backend: `frontend web_https bind *:443 ssl crt /etc/haproxy/haproxyWEB.pem use_backend duo frontend prov_https bind *:9999 ssl crt /etc/haproxy/haproxyPROV.pem use_backend duo` but it means that when I have only localhost, I still can't use two certificates on one port, right?
tbielaszewski
Different ports or different hostnames (SNI). Tertium non datur.