Channel: Serverphorums.com - HAProxy

HAProxy using multiple SSL sites (no replies)

Hi haproxy Forum members,
I am trying to implement an SSL configuration using OpenSSL self-signed certificates. SSL works properly with a single-site configuration, but it is not working with multiple sites with SSL, while multiple sites with HTTP work fine.
Please help.


1) For single site, I used as below, (it worked)

bind 0.0.0.0:443 ssl crt /u01/sslkeys/web/sales/ssl/sales.pem



Single-site configuration (with https): works fine

global
daemon
maxconn 256

defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms


frontend http-in
#bind *:80
bind 0.0.0.0:443 ssl crt /u01/sslkeys/web/sales/ssl/sales.pem

# Define hosts
acl acl_sales hdr(host) -i sales.webdos.org
acl acl_accounts hdr(host) -i accounts.webdos.org
acl acl_marketing hdr(host) -i marketing.webdos.org


## figure out which one to use
use_backend pool_sales if acl_sales
use_backend pool_accounts if acl_accounts
use_backend pool_marketing if acl_marketing

backend pool_sales
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server ws01 192.168.10.231:8080 cookie A check
server ws02 192.168.10.232:8080 cookie A check

backend pool_accounts
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server ws01 192.168.10.231:8080 cookie A check
server ws02 192.168.10.232:8080 cookie A check

backend pool_marketing
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server ws01 192.168.10.231:8080 cookie A check
server ws02 192.168.10.232:8080 cookie A check

listen admin
bind *:8888
stats enable


2) For Multiple sites, I used as below, (it did not work)



bind 0.0.0.0:443 ssl crt /etc/ssl/private/sales.pem crt /etc/ssl/private/accounts.pem

or using as below

bind *:443 ssl crt /etc/ssl/private/

or using



use_backend pool_sales if { ssl_fc_sni sales.webdos.org }

use_backend pool_accounts if { ssl_fc_sni accounts.webdos.org }


Errors:

[ALERT] 267/160853 (3980) : parsing [/etc/haproxy/haproxy.cfg:15] : 'bind *:443' : this version of openssl cannot load multiple SSL certificates.
[ALERT] 267/160853 (3980) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 267/160853 (3980) : Fatal errors found in configuration.
Errors found in configuration file, check it with 'haproxy check'.


Complete configuration as below:


global
daemon
maxconn 256

defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms


frontend http-in
mode http
#bind *:80
bind *:443 ssl crt /etc/ssl/private/
#bind 0.0.0.0:443 ssl crt /etc/ssl/private/sales.pem
#bind 0.0.0.0:443 ssl crt /etc/ssl/private/sales.pem crt /etc/ssl/private/accounts.pem
use_backend pool_sales if { ssl_fc_sni sales.webdos.org }
use_backend pool_accounts if { ssl_fc_sni accounts.webdos.org }


# Define hosts
# acl acl_sales hdr(host) -i sales.webdos.org
# acl acl_accounts hdr(host) -i accounts.webdos.org
# acl acl_marketing hdr(host) -i marketing.webdos.org


## figure out which one to use
use_backend pool_sales if acl_sales
use_backend pool_accounts if acl_accounts
use_backend pool_marketing if acl_marketing

backend pool_sales
mode http
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server ws01 192.168.10.231:8080 cookie A check
server ws02 192.168.10.232:8080 cookie A check

backend pool_accounts
mode http
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server ws01 192.168.10.231:8080 cookie A check
server ws02 192.168.10.232:8080 cookie A check

backend pool_marketing
mode http
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server ws01 192.168.10.231:8080 cookie A check
server ws02 192.168.10.232:8080 cookie A check

listen admin
bind *:8888
stats enable


HA Proxy Version:
haproxy -version
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau willy@haproxy.org

openssl version:
OpenSSL 1.0.1g 7 Apr 2014

Regards,
Naveen Paulraj
Fusion Middleware Administrator, Jolera
Contact: 1(416) 859-0890
002-777 Richmond Street West, Toronto, Ontario, M6J 0C2 | Fax: 416.214.9861 | Visit us at: www.jolera.com
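
Added example, not part of the original post: HAProxy 1.5 raises the "cannot load multiple SSL certificates" alert when the binary was compiled against OpenSSL headers without SNI support, and `openssl version` does not reveal this because it reports the command-line tool's library rather than the one HAProxy was built with. The shell function below classifies the text of `haproxy -vv` instead; the sample outputs are constructed, and the function name and verdict strings are hypothetical.

```shell
#!/bin/sh
# Classify a HAProxy build from the text of `haproxy -vv` read on stdin.
# Prints one verdict (names are this example's own, not HAProxy's):
#   ok           built with OpenSSL, SNI supported, same library at runtime
#   no-ssl       no "Built with OpenSSL version" line (built without USE_OPENSSL)
#   no-sni       OpenSSL present but SNI not supported: one certificate per bind only
#   lib-mismatch SNI supported, but runtime library differs from build-time library
# Real use: haproxy -vv | classify_haproxy_ssl
classify_haproxy_ssl() {
    awk -F' : ' '
        /^Built with OpenSSL version/   { built = $2 }
        /^Running on OpenSSL version/   { running = $2 }
        /^OpenSSL library supports SNI/ { sni = $2 }
        END {
            if (built == "")                            print "no-ssl"
            else if (sni != "yes")                      print "no-sni"
            else if (running != "" && built != running) print "lib-mismatch"
            else                                        print "ok"
        }'
}

# Constructed sample outputs (not taken from the poster's machine).
SAMPLE_NO_SNI='HA-Proxy version 1.5.14 2015/07/02
Built with OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Running on OpenSSL version : OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL library supports TLS extensions : no
OpenSSL library supports SNI : no'

SAMPLE_OK='HA-Proxy version 1.5.14 2015/07/02
Built with OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
Running on OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes'

SAMPLE_MISMATCH='HA-Proxy version 1.5.14 2015/07/02
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1g 7 Apr 2014
OpenSSL library supports SNI : yes'

SAMPLE_NO_SSL='HA-Proxy version 1.5.14 2015/07/02
Built without OpenSSL support (USE_OPENSSL not set)'

for name in NO_SNI OK MISMATCH NO_SSL; do
    eval "text=\$SAMPLE_$name"
    printf '%-9s -> %s\n' "$name" "$(printf '%s\n' "$text" | classify_haproxy_ssl)"
done
```

A `no-sni` verdict means the fix is a rebuild against SNI-capable OpenSSL headers, not a change to the `bind` line.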
