Netgate Discussion Forum
HAProxy multiple sites on one frontend, www and non-www redirection

beria-pl:

I have a pfSense with a public IP (newest stable release, with HAProxy and ACME at the newest available version); on that IP I've got 2 frontends:

• one listening on port :80 and redirecting all incoming connections to port 443, where:
• the second frontend listens on :443

Worth mentioning: I'm also using the ACME Certificates service to generate and renew certificates for a bunch of sites that reside on both frontends. I had no issue with this setup, until I had to serve this stack for one site that requires both a www and a non-www URL.

So in the frontend setup, I've got the "main" webpage, let's name it app1.contoso.com, and also corresponding frontends with ACLs residing on HAProxy; there are "child" frontends with URL app2.contoso.com and URL contoso.com.

All frontends (primary and shared) have corresponding certificates created with ACME, and they work great.

However, there is a demand to serve contoso.com with a second URL, www.contoso.com (mostly to preserve historical links in many places on the Internet). I've re-run the creation of the Let's Encrypt certificate for contoso.com with a DNS alias, www.contoso.com, and that part also works fine (at least I'm able to see the certificate for both URLs in the drop-down list).

I've added an ACL for contoso.com with a second "Host matches" rule for www.contoso.com, and applied the second certificate in the configuration (with the checkboxes ticked for ACL creation for this different certificate based on SNI).

Now app1.contoso.com, app2.contoso.com and contoso.com still work perfectly fine.

      But www.contoso.com doesn't work at all.

1. It is served with the certificate for the primary frontend, app1.contoso.com.
2. Even if I accept the risk in the web browser and click "Continue to www.contoso.com (unsafe)", it gives me a 503 error, with the error page that I've created in the HAProxy config in pfSense.

Backend servers are nginx-based, running on port 80 (no encryption between pfSense and the backend servers). At first, I added www.contoso.com to the server_name definition of that page in the nginx config; it doesn't help at all.

In the DNS configuration I've tried a CNAME "www" pointing to contoso.com, and also an A record pointing to the public IP of the HAProxy frontend. It makes no difference.

I'm pretty sure that it is only some misconfiguration in HAProxy, but I've no idea what else I can check.

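As an added illustration (hand-written for this page; it is neither the poster's configuration nor the config the pfSense HAProxy package generates), the following plain haproxy.cfg expresses the layout described in the post: a port 80 frontend that redirects to HTTPS, a port 443 frontend whose certificates come from a crt-list so that the contoso.com and www.contoso.com SNI names both select the same certificate, host ACLs that accept both names, and a 301 from the www name to the apex so that historical links keep working. File paths, backend addresses (RFC 5737 documentation ranges) and backend names are placeholders.

```haproxy
# Added example, not the poster's config: two-frontend layout with www/non-www handling.

global
    log stdout format raw local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend 1: plain HTTP, only job is to send everything to HTTPS.
frontend http_in
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

# Frontend 2: TLS termination for all sites.
# Certificates are loaded from a crt-list (placeholder path). Each line names a
# PEM bundle and the SNI names it should be selected for, e.g.:
#   /etc/haproxy/certs/app1.contoso.com.pem app1.contoso.com
#   /etc/haproxy/certs/app2.contoso.com.pem app2.contoso.com
#   /etc/haproxy/certs/contoso.com.pem      contoso.com www.contoso.com
# The first certificate in the list is the default served when no SNI name matches.
frontend https_in
    bind :443 ssl crt-list /etc/haproxy/certs.list
    http-request set-header X-Forwarded-Proto https

    # Host header ACLs (assumes no :port suffix in the Host header).
    acl host_app1 req.hdr(host) -i app1.contoso.com
    acl host_app2 req.hdr(host) -i app2.contoso.com
    acl host_www  req.hdr(host) -i www.contoso.com
    acl host_apex req.hdr(host) -i contoso.com

    # Canonicalise: www -> apex, keeping path and query string.
    http-request redirect prefix https://contoso.com code 301 if host_www

    use_backend be_app1 if host_app1
    use_backend be_app2 if host_app2
    use_backend be_apex if host_apex
    # Anything else (unknown Host) gets the primary site, mirroring the post's setup.
    default_backend be_app1

# Backends: plain HTTP to nginx on port 80, as in the post (placeholder addresses).
backend be_app1
    option httpchk GET /
    server nginx1 192.0.2.10:80 check

backend be_app2
    option httpchk GET /
    server nginx2 192.0.2.11:80 check

backend be_apex
    option httpchk GET /
    server nginx3 192.0.2.12:80 check
```

The two symptoms in the post map onto two separate layers of this file, and they are best checked separately. If the browser is shown the app1.contoso.com certificate for www.contoso.com, the TLS layer is choosing the default certificate because no loaded certificate is associated with that SNI name; `openssl s_client -connect <public-ip>:443 -servername www.contoso.com </dev/null | openssl x509 -noout -subject -ext subjectAltName` shows which certificate HAProxy actually returns for that name without involving a browser. A 503 answered with HAProxy's own custom error page means the request was accepted but no backend with a usable server was selected for it, so the Host ACLs and backend health are the next thing to check; `haproxy -c -f haproxy.cfg` validates the syntax before reloading. With the redirect above in place, the www name never needs a backend of its own, which removes one thing that can fail.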
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.