HAProxy: Servers with existing SSL certificates
-
I'm trying to configure HAProxy for the first time, but I can't figure out how to configure it for my servers that already have their own SAN certificate.
Each of my servers is set up with a unique SSL cert, such as server1.domain.com, server2.domain.com, etc., and the renewal is automated so there's no extra work at this point. How do I configure HAProxy to not apply its own encryption and acknowledge the certs that the servers already have? Everything that I've tried so far results in SSL errors or not being able to reach the server.
-
@CoffeeOrTea said in HAProxy: Servers with existing SSL certificates:
server1.domain.com
I never used HA before myself, so I'm reasoning with the "what is logic?" here.
Before, a client would contact https://server1.domain.com and end up talking to your web server.
With HA, the client's TLS end point would be HA 'picking up the phone', so HA needs to have the same certificate used by your web server before. With your "server1.domain.com" HA can say to the client: I am "server1.domain.com" by sending that cert, and the client would say, after validating the cert: "Great, that's the one I want to talk to".
-
@Gertjan said in HAProxy: Servers with existing SSL certificates:
what is logic
Security. If someone were to take down a server with a DoS vulnerability, for example, they could spoof a service in that server's place and the wildcard cert would accommodate that. The SAN cert guarantees that I'm talking to who I want to be talking to. Another scenario would be if a server was compromised and the wildcard key was extracted: that would allow all the traffic across the network to be decrypted. However, I suppose if you use HA as the only TLS end point and don't re-use that wildcard cert on the servers themselves, that scenario doesn't really exist (though I imagine that some people probably do that).
Then, the traffic from HAProxy to the server is unencrypted. I want end-to-end encryption.
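What the question is asking for is TLS passthrough: HAProxy runs in TCP mode, reads only the SNI name from the ClientHello, and forwards the unopened TLS stream to the matching server, so each server keeps presenting its own SAN certificate and the link from HAProxy to the server stays encrypted end to end. The config below is an added example for this thread, not something posted by either participant or shipped with the HAProxy package; the backend addresses 192.0.2.11/12 and the CA bundle path are assumed placeholders.

```haproxy
# Added example: SNI-based TLS passthrough, so HAProxy never terminates TLS.
# Backend IPs (192.0.2.x) and the ca-file path are placeholders; adjust for your network.
defaults
    mode    tcp               # layer 4: HAProxy sees the TLS stream, never the HTTP inside it
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend tls_passthrough
    bind *:443                # no "ssl"/"crt" here: HAProxy holds no certificate or private key
    # Buffer the ClientHello (up to 5s) so the SNI extension can be read before routing
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the name the client asked for; that server answers with its own SAN cert,
    # so the client validates server1.domain.com exactly as it did without a proxy
    use_backend srv1 if { req_ssl_sni -i server1.domain.com }
    use_backend srv2 if { req_ssl_sni -i server2.domain.com }
    # No SNI or an unknown name: reject instead of sending it to a server whose
    # certificate would not match (the "SSL errors" from the first post)
    default_backend no_match

backend srv1
    # Health checks do speak TLS (check-ssl) and verify the server's certificate and
    # hostname, so a server that comes back with a wrong or expired cert is marked down
    server server1 192.0.2.11:443 check check-ssl check-sni server1.domain.com verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost server1.domain.com

backend srv2
    server server2 192.0.2.12:443 check check-ssl check-sni server2.domain.com verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost server2.domain.com

backend no_match
    # Deliberately has no servers; unmatched connections are reset
    tcp-request content reject
```

The trade-off of passthrough is that HAProxy cannot read or modify the HTTP layer (no X-Forwarded-For, no HTTP ACLs, no cookie-based persistence); if the servers need the real client address you would enable `send-proxy` on the server lines and PROXY protocol support on the web servers.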