Configure multiple SSL certificates in Haproxy

My haproxy instance serves 2 domains (mostly to avoid XSS on the main site).

The rules look something like this

bind :443 ssl crt /etc/ssl/haproxy.pem

acl is_static   hdr_end(Host) -i
acl is_api      hdr_end(Host) -i
acl is_files    hdr_end(Host) -i

redirect scheme https if !{ ssl_fc } is_static is_api

Now SSL uses /etc/ssl/haproxy.pem as the default cert, which is the certificate for and not

How can I specify certs for multiple domain names?

Answers 3

  • You can concatenate all your certificates into files say haproxy1.pem and haproxy2.pem or you can specify a directory containing all your pem files.

    cat cert1.pem key1.pem > haproxy1.pem 
    cat cert2.pem key2.pem > haproxy2.pem

    As per the haproxy docs

    Then on the config use something like this:

      log local0
      option tcplog
    frontend ft_test
      mode http
      bind ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem 
      use_backend bk_cert1 if { ssl_fc_sni } # content switching based on SNI
      use_backend bk_cert2 if { ssl_fc_sni } # content switching based on SNI
    backend bk_cert1
      mode http
      server srv1 <ip-address2>:80
    backend bk_cert2
      mode http
      server srv2 <ip-address3>:80

    Read more about SNI

    Keep in mind that SSL support is in development staging for haproxy and also that it apparently has considerable performance hit.

    There are other solutions talked about in this thread:

    Hope this helps.

  • No need to concat or specify a list of certificates anymore, just specify a folder:

    frontend public
        bind *:443 ssl crt /etc/haproxy/ssl/

    Note: make sure the folder isn't empty and valid PEM files are present, otherwise HAProxy will not run.

Related Questions