How-to for Multiple Domain SSL Certificates with HAProxy
In an MT6 environment you can host multiple domains, and HAProxy will present the right SSL certificate for each of your domain names.
You'll need your ca-bundle or intermediate certificate(s), your private key and, of course, the .crt file you received from the CA that signed your certificate.
HAProxy can load every TLS certificate found in a directory. The default haproxy.conf file contains a commented-out line that enables this feature. Edit /data/haproxy/etc/haproxy.conf, comment out the first bind :::443 line and uncomment the second. Before the change the two lines look like this:
bind :::443 v4v6 alpn h2,http/1.1 ssl crt /etc/ssl/private
#bind :::443 v4v6 alpn h2,http/1.1 ssl crt /etc/ssl/private crt /data/ssl.d
With the second line enabled, HAProxy first loads the default certificate from /etc/ssl/private (used for requests with no SNI match) and then loads every TLS certificate in the directory /data/ssl.d. HAProxy uses the SNI name sent by each incoming connection to select the matching certificate.
Mount (enter) your haproxy jail, because you are going to need to edit files inside it and restart haproxy:
# jailmanage haproxy
# cat signed_crt.crt intermediate.crt server.key > mydomain.pem
The server certificate must come first in the combined file, followed by the intermediate certificate(s) and then the private key; HAProxy treats the first certificate it finds as the server certificate. Place mydomain.pem in /etc/ssl/private/.
# cat other-signed_crt.crt ca-bundle.crt server.key > myotherdomain.pem
Place myotherdomain.pem in /etc/ssl/private/.
Create a crt-list file so haproxy can find the certs:
# vim /etc/ssl/private/crt-list.txt
and insert the lines below, one .pem path per line, changing the names to your .pem file names:
/etc/ssl/private/mydomain.pem
/etc/ssl/private/myotherdomain.pem
Save the file:
:wq
# vim /usr/local/etc/haproxy.conf
In the frontend https-in section, comment out (prefix with '#') the line
bind *:443 ssl crt /etc/ssl/private
and insert:
bind *:443 ssl crt-list /etc/ssl/private/crt-list.txt
Save the file:
:wq
# /usr/local/etc/rc.d/haproxy restart
You're done.
Unmount the haproxy Jail
# exit
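As an added helper that is not part of the MT6 project or this wiki page, the script below assembles a PEM bundle in the order HAProxy expects, checks that the server certificate block comes first and that exactly one private key is present (the key-first mistake makes the bind fail to load), and prints a crt-list line with optional SNI filters. File names and PEM contents in the demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Build and sanity-check HAProxy PEM bundles (server cert, then chain, then key)
# and emit crt-list entries. Names used here are constructed for the demo.
set -eu

# build_bundle LEAF CHAIN KEY OUT -> writes the combined PEM in HAProxy's order
build_bundle() {
    cat "$1" "$2" "$3" > "$4"
}

# check_bundle FILE -> 0 when the first PEM block is a certificate and exactly
# one private key is present, 1 otherwise. It cannot tell a leaf from an
# intermediate certificate, so keep build_bundle's argument order.
check_bundle() {
    first=$(grep -- '^-----BEGIN' "$1" | head -n 1)
    keys=$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$first" = '-----BEGIN CERTIFICATE-----' ] &&
        [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# crt_list_line PEM [SNI...] -> one crt-list entry; the optional SNI filters
# restrict which server names HAProxy offers this bundle for.
crt_list_line() {
    pem=$1; shift
    printf '%s' "$pem"
    for sni in "$@"; do printf ' %s' "$sni"; done
    printf '\n'
}

# Demo with constructed placeholder PEM blocks (not real key material).
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' > "$d/signed_crt.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n' > "$d/intermediate.crt"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----\n' > "$d/server.key"
    build_bundle "$d/signed_crt.crt" "$d/intermediate.crt" "$d/server.key" "$d/mydomain.pem"
    check_bundle "$d/mydomain.pem" && echo "mydomain.pem: order OK"
    # The 'cat key chain cert' mistake puts the key first: rejected.
    cat "$d/server.key" "$d/intermediate.crt" "$d/signed_crt.crt" > "$d/bad.pem"
    check_bundle "$d/bad.pem" || echo "bad.pem: server certificate is not first"
    crt_list_line /etc/ssl/private/mydomain.pem mydomain.example www.mydomain.example
    rm -rf "$d"
}
demo
```

Before restarting haproxy, `haproxy -c -f /usr/local/etc/haproxy.conf` validates the edited configuration (including every file in the crt-list) without touching the running service.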