Netgate Discussion Forum
    HAProxy: Servers with existing SSL certificates

    Category: Cache/Proxy. 3 posts, 2 posters, 463 views.
    CoffeeOrTea (original post):

      I'm trying to configure HAProxy for the first time, but I can't figure out how to configure it for my servers that already have their own SAN certificate.

      Each of my servers is set up with a unique SSL cert, such as server1.domain.com, server2.domain.com, etc., and the renewal is automated, so there's no extra work at this point. How do I configure HAProxy to not apply its own encryption and acknowledge the certs that the servers already have? Everything that I've tried so far results in SSL errors or not being able to reach the server.

      Gertjan, replying to CoffeeOrTea:

        @CoffeeOrTea said in HAProxy: Servers with existing SSL certificates:

        server1.domain.com

        I've never used HA myself before, so I'm reasoning with "what is logic?" here.

        Before, a client would contact https://server1.domain.com and end up talking to your web server.
        With HA, the client's TLS endpoint would be HA 'picking up the phone', so HA needs to have the same certificate used by your web server before. With your "server1.domain.com" cert, HA can say to the client: I am "server1.domain.com" by sending that cert, and the client would say, after validating the cert: "Great, that's the one I want to talk to".

        Edit: and where are the logs??

        CoffeeOrTea, replying to Gertjan (edited by CoffeeOrTea):

          @Gertjan said in HAProxy: Servers with existing SSL certificates:

          what is logic

          Security. If someone were to take down a server with a DoS vulnerability, for example, they could spoof a service in that server's place and the wildcard cert would accommodate that. The SAN cert guarantees that I'm talking to who I want to be talking to. Another scenario would be if a server was compromised and the wildcard key was extracted; that would allow all the traffic across the network to be decrypted. However, I suppose if you use HA as the only TLS endpoint and don't re-use that wildcard cert on the servers themselves, that scenario doesn't really exist (though I imagine that some people probably do that).

          Then, the traffic from HAProxy to the server is unencrypted. I want end-to-end encryption.
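The two designs discussed in this thread, as an added example (editor's illustration, not configuration posted by either participant or shipped by the pfSense HAProxy package): Option A is what CoffeeOrTea asked for, HAProxy in TCP mode passing the TLS session through untouched and routing on the SNI in the ClientHello, so each backend keeps presenting and renewing its own server1.domain.com / server2.domain.com certificate and HAProxy holds no key at all. Option B is what Gertjan described, HAProxy terminating TLS with a copy of the same per-server certificates and then re-encrypting to the backend with certificate verification, so the HAProxy-to-server hop is still encrypted and authenticated. The backend addresses (192.0.2.11/12, RFC 5737 documentation range), the certificate directory and the CA bundle path are assumptions; substitute your own. The two frontends are bound to different ports only so the file loads as written; in practice you would deploy one or the other.

```haproxy
# ---- Option A: TLS passthrough (no certificate on HAProxy) ----------------
# HAProxy reads the SNI from the unencrypted ClientHello and forwards the raw
# TCP stream. The backend completes the handshake with its own certificate,
# so the client sees exactly the SAN cert the server already has.
frontend https_passthrough
    mode tcp
    bind :443
    option tcplog
    # Hold the connection (up to 5s) until a ClientHello has arrived, so that
    # req.ssl_sni is populated before the routing rules are evaluated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend srv1_passthrough if { req.ssl_sni -i server1.domain.com }
    use_backend srv2_passthrough if { req.ssl_sni -i server2.domain.com }
    default_backend srv1_passthrough

backend srv1_passthrough
    mode tcp
    server server1 192.0.2.11:443 check   # assumed address

backend srv2_passthrough
    mode tcp
    server server2 192.0.2.12:443 check   # assumed address

# ---- Option B: terminate on HAProxy, re-encrypt to the backend ------------
# HAProxy needs the same certificates the servers use (one PEM per host,
# certificate chain followed by private key, in the assumed directory below;
# it selects the matching file by SNI). Renewals must be copied here too.
frontend https_terminate
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    use_backend srv1_reencrypt if { ssl_fc_sni -i server1.domain.com }
    use_backend srv2_reencrypt if { ssl_fc_sni -i server2.domain.com }
    default_backend srv1_reencrypt

# "ssl verify required" makes HAProxy reject a backend whose certificate does
# not chain to the given CA bundle; with "sni" set, the backend cert must also
# match that hostname. A spoofed service on the server's IP would fail here.
backend srv1_reencrypt
    mode http
    server server1 192.0.2.11:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(server1.domain.com) check

backend srv2_reencrypt
    mode http
    server server2 192.0.2.12:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(server2.domain.com) check
```

Option A is the one that matches the original question: HAProxy applies no encryption of its own and the servers' existing certificates are what the client validates, at the cost that HAProxy cannot inspect HTTP, insert headers or do path-based routing. To confirm that a given frontend presents the expected certificate, connect through HAProxy with `openssl s_client -connect <haproxy-ip>:443 -servername server1.domain.com` and check the subject and SAN of the certificate it prints; with Option A it must be the backend's own certificate, and a TLS alert here usually means the SNI did not match any `use_backend` rule or the inspect delay expired before the ClientHello arrived.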

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.