Haproxy: 2 domains with LetsEncrypt certificates on a single Linux machine

Hi,
I’m hosting two domains on a single web server (Linode - Ubuntu 16.04). For the routing and load balancing i’m using Haproxy 1.6.3.

I’m trying the following:

• for each domain, a.com and b.com use the generated LetsEncrypt certificates;
• when an http request arrives, redirect it to https http://a.com -> https://a.com; same for b.com ;

That’s it. I’ve been trying the configuration below but for one domain b.com, haproxy always replies with the server associated to the other a.com. I have tried various strategies for the domain matching with no success (hdr(host), hdr_end(host), url_dom).

I have used certbot to generate the certificates for each domain and I have also concatenated the full and private key into a single pem file for both.

Can you please tell me what am I doing wrong? Below is the haproxy.cfg.
The file haproxy_domains_list.txt has 2 lines:
path/to/a.pem a.com
path/to/b.pem b.com

Thank you !

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        lua-load /var/lib/haproxy/acme-http01-webroot.lua

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
        tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        option http-server-close
        timeout connect 10000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
        bind *:80
        mode http
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01

        reqadd X-Forwarded-Proto:\ http
        redirect scheme https code 301 if !{ ssl_fc }

frontend https
        bind *:443 ssl crt-list /etc/letsencrypt/haproxy_domains_list.txt
        mode http
        reqadd X-Forwarded-Proto:\ https

        acl host_a hdr_end(host) -i a.com
        acl host_b hdr_end(host) -i b.com

        use_backend s_b if host_b
        use_backend s_a if host_a


backend s_a
        reqadd X-Forwarded-Proto:\ https
        balance leastconn
        option httpclose
        option forwardfor
        server node1 80.80.80.80:10100

backend s_b
        reqadd X-Forwarded-Proto:\ https
        balance leastconn
        option httpclose
        option forwardfor
        server node1 80.80.80.80:10200

What webserver(s) are you using underneath HAProxy?

Does your haproxy config compile correctly and can you show me the output of

haproxy -c -V -f /path/to/your/haproxy.cfg

Alternatively to that, have you verified that your webserver(s) configuration itself is correct? Do your webserver(s) support SNI? Enhanced SSL Load Balancing with Server Name Indication (SNI)

The two servers run on Scala Playframework 2.5.3 on ports a: 10100 and b: 10200 . There is a way to put the scripts into the java keychain store but I tried to avoid doing that by using the haproxy config.

I guess one problem starts with the fact that both domains point to the same server to the same IP address. For some reason the header based routing doesn't seem to read the domain correctly.

They way I was observing the error was based on the certificates the server replied with. The certificates were always the certificates of a.com while the backends were sometimes correct.

The compilation yields

haproxy -c -V -f /etc/haproxy/haproxy.cfg
Configuration file is valid

I'm looking into sni now.

Fixed. Updating to the just release version 1.7 fixed the issue.
Thanks,
Victor

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.