Netgate Discussion Forum

HAProxy: Servers with existing SSL certificates

Cache/Proxy
3 Posts 2 Posters 455 Views
CoffeeOrTea
last edited by Feb 27, 2024, 1:46 AM

    I'm trying to configure HAProxy for the first time, but I can't figure out how to configure it for my servers that already have their own SAN certificate.

    Each of my servers is set up with a unique SSL cert, such as server1.domain.com, server2.domain.com, etc., and the renewal is automated, so there's no extra work at this point. How do I configure HAProxy to not apply its own encryption and acknowledge the certs that the servers already have? Everything that I've tried so far results in SSL errors or not being able to reach the server.

Gertjan @CoffeeOrTea
last edited by Feb 27, 2024, 5:03 PM

      @CoffeeOrTea said in HAProxy: Servers with existing SSL certificates:

      server1.domain.com

      I have never used HA before myself, so I'm reasoning with the "what is logic?" here.

      Before, a client would contact https://"server1.domain.com" and end up talking to your web server.
      With HA, the client's TLS end point would be HA 'picking up the phone', so HA needs to have the same certificate used by your web server before. With your "server1.domain.com" cert, HA can say to the client: I am "server1.domain.com" by sending that cert, and the client would say, after validating the cert: "Great, that's the one I want to talk to".

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

CoffeeOrTea @Gertjan
last edited by CoffeeOrTea Feb 27, 2024, 6:29 PM

        @Gertjan said in HAProxy: Servers with existing SSL certificates:

        what is logic

        Security. If someone were to take down a server with a DoS vulnerability, for example, they could spoof a service in that server's place, and the wildcard cert would accommodate that. The SAN cert guarantees that I'm talking to who I want to be talking to. Another scenario would be if a server were compromised and the wildcard key were extracted; that would allow all the traffic across the network to be decrypted. However, I suppose if you use HA as the only TLS end point and don't re-use that wildcard cert on the servers themselves, that scenario doesn't really exist (though I imagine that some people probably do that).

        Then, the traffic from HAProxy to the server is unencrypted. I want end-to-end encryption.

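The two configurations the thread is circling, written out as an added example in raw haproxy.cfg syntax (not from either poster, and not the pfSense package's GUI form, which generates an equivalent file). Option 1 answers the original question directly: HAProxy runs in TCP mode, routes on the SNI in the ClientHello and never decrypts, so each server keeps presenting its own server1/server2 certificate. Option 2 terminates TLS on HAProxy and re-encrypts to the backend while verifying the backend's own certificate, which keeps the traffic encrypted end to end but requires a copy of each server's cert/key on HAProxy. Backend addresses, the certificate directory and the CA bundle path are placeholders; the second frontend is bound to 8443 only so both options can sit in one file.

```haproxy
# Option 1: TLS passthrough. HAProxy reads only the unencrypted SNI
# from the ClientHello and forwards the raw TCP stream; the backend's
# own certificate is what the client validates.
frontend fe_https_passthrough
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection (up to 5s) until the ClientHello has arrived,
    # otherwise req.ssl_sni is empty and routing silently fails.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_server1_tcp if { req.ssl_sni -i server1.domain.com }
    use_backend be_server2_tcp if { req.ssl_sni -i server2.domain.com }
    # No default_backend: unknown or missing SNI is dropped, not routed.

backend be_server1_tcp
    mode tcp
    server server1 192.0.2.11:443 check   # placeholder address

backend be_server2_tcp
    mode tcp
    server server2 192.0.2.12:443 check   # placeholder address

# Option 2: terminate on HAProxy, re-encrypt to the backend. HAProxy can
# now route and log at the HTTP layer, but it must hold each server's
# cert/key (one PEM per hostname in the crt directory, placeholder path).
frontend fe_https_terminate
    bind *:8443 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    option httplog
    http-request set-header X-Forwarded-Proto https
    use_backend be_server1_https if { req.hdr(host) -i server1.domain.com }

backend be_server1_https
    mode http
    # "verify required" + "verifyhost" make HAProxy refuse a backend that
    # presents an unknown or spoofed certificate, so the hop to the
    # server is authenticated as well as encrypted. "sni" sends the
    # expected hostname so the backend selects its server1 certificate.
    server server1 192.0.2.11:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost server1.domain.com sni str(server1.domain.com) check
```

With Option 1, HAProxy cannot add headers, inspect requests or do HTTP-level health checks, because it never sees plaintext; with Option 2, the backend certificates still have to be renewed on the servers and the copies on HAProxy kept in sync.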
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.