I'm trying to configure HAProxy to allow use of SNI for multiple host names. I've followed HAProxy's recommendation on how to configure SNI; however, it always pulls the first cert listed in the config no matter what (startrek). I'm testing using OpenSSL, which has supported SNI since 2007...
I'm using self-signed certs for this. The odd thing is, Chrome pulls the right certs but openssl doesn't...
Sample config below:
-------------------------------------------------
frontend http-in
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/star_startrek_fb_lab.pem crt /etc/haproxy/certs/star_starwars_fb_lab.pem no-sslv3 ciphers ECDHE+aRSA+AES256+GCM+SHA384:ECDHE+aRSA+AES128+GCM+SHA256:ECDHE+aRSA+AES256+SHA384:ECDHE+aRSA+AES128+SHA256:ECDHE+aRSA+RC4+SHA:ECDHE+aRSA+AES256+SHA:ECDHE+aRSA+AES128+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES128+SHA256:AES256+SHA256HE+aRSA+AES129+SHA:RC4+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    use_backend is_startrek if { ssl_fc_sni my.startrek.cruisd64.com }
    use_backend is_starwars if { ssl_fc_sni my.starwars.cruisd64.com }

backend is_startrek
    mode http
    balance roundrobin
    server server-1 192.168.1.100:5061 check

backend is_starwars
    mode http
    balance roundrobin
    server server-1 192.168.1.100:5061 check