HAProxy: HTTPS with multiple domain certificates
This article explains how to use HAProxy to serve HTTPS for multiple domains, each with its own certificate. With Nginx, the same result is achieved by recompiling Nginx with TLS SNI support enabled.
Requirements:
HAProxy must be later than 1.5
Step 1: Install OpenSSL
tar zxf openssl-0.9.8zh.tar.gz
cd openssl-0.9.8zh
./config enable-tlsext --prefix=/usr/local/openssl no-shared
make && make install_sw
# The installation above does not affect the OpenSSL version already in the system. Its main purpose is to provide an OpenSSL build with TLS SNI enabled.
Step 2: Install HAProxy
tar zxf haproxy-1.5.15.tar.gz
cd haproxy-1.5.15
make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl
make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl install
# Remember to specify the OpenSSL paths (SSL_INC and SSL_LIB) as shown above. HAProxy has no ./configure step, so they are passed to make.
Step 3: Generate a certificate
[root@gz122haproxy95 ~]# mkdir ~/keys
[root@gz122haproxy95 keys]# cd ~/keys
[root@gz122haproxy95 keys]# openssl genrsa -out passport.abc.com.key 2048
[root@gz122haproxy95 keys]# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN # country
State or Province Name (full name) [Berkshire]:GuangDong # province
Locality Name (eg, city) [Newbury]:ShenZhen # city
Organization Name (eg, company) [My Company Ltd]:Test.Inc # company name
Organizational Unit Name (eg, section) []:passport.abc.com # organizational unit
Common Name (eg, your name or your server's hostname) []:passport.abc.com # domain name
Email Address []:passport@abc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@gz122haproxy95 keys]# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
[root@gz122haproxy95 keys]# cat passport.abc.com.crt passport.abc.com.key | tee passport.abc.com.pem
Generate the certificate files for www.test.com and admin.test.com in turn using the same method. Each site ends up with one .pem file containing its certificate followed by its private key.
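The same certificate steps in non-interactive form, as an added example that is not part of the original article. The function names and the script name are assumptions made for illustration, the subject fields are the sample values from the session above (the e-mail address is left out), and each bundle is checked so that its certificate name and private key actually match before HAProxy loads it:

```shell
#!/bin/sh
# Added example: non-interactive form of step 3 plus a sanity check per bundle.
# Subject fields are the sample values from the article's session.

# make_site_pem DOMAIN DIR
# Creates DOMAIN.key, .csr, .crt (self-signed, 3650 days) and the DOMAIN.pem
# bundle (certificate followed by private key) that HAProxy's "crt" loads.
make_site_pem() {
    domain=$1 dir=$2
    mkdir -p "$dir" || return 1
    (
        umask 077   # key and bundle must be readable by their owner only
        openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null &&
        openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
            -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Test.Inc/CN=$domain" &&
        openssl x509 -req -days 3650 -in "$dir/$domain.csr" \
            -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null &&
        cat "$dir/$domain.crt" "$dir/$domain.key" > "$dir/$domain.pem"
    )
}

# check_site_pem DOMAIN DIR
# Succeeds only if the bundle's certificate has CN=DOMAIN (the name HAProxy
# matches against the client's SNI) and its public key belongs to the
# private key stored in the same bundle.
check_site_pem() {
    domain=$1 pem=$2/$1.pem
    openssl x509 -noout -subject -in "$pem" |
        grep -q "CN *= *$domain\$" || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$pem") || return 1
    key_pub=$(sed -n '/BEGIN.*PRIVATE KEY/,/END.*PRIVATE KEY/p' "$pem" |
        openssl pkey -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_all DIR: one bundle per site named in the article's bind line.
build_all() {
    for d in www.test.com admin.test.com passport.abc.com; do
        make_site_pem "$d" "$1" && check_site_pem "$d" "$1" || return 1
        echo "ok: $1/$d.pem"
    done
}

# Usage (script name is hypothetical): sh make_pems.sh /etc/haproxy/keys
if [ $# -gt 0 ]; then build_all "$1"; fi
```
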
Edit the HAProxy configuration file:
frontend http_server
    bind :80
    bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
    # Follow the rule above: when several sites are served, use bind :443 ssl crt $filepath crt $file2path crt $file3path
    mode http
    acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
    redirect scheme https code 301 if !{ ssl_fc } ssl
    # Perform the HTTPS redirect for the sites above
    # (The regex on the next line is cut off in the source; the host name is taken from the use_backend rule below it.)
    acl wwwtest_com hdr_reg(host) -i ^(www.test.com)$
    use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
    # Here is the corresponding part of the certificate, as shown in
    acl admintest_com hdr_dom(host) -i admin.test.com
    use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
    acl passportabc_com hdr_dom(host) -i passport.abc.com
    use_backend passport_abc_com if passportabc_com { ssl_fc_sni passport.abc.com }
backend www_test_com
    server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend admin_test_com
    server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend passport_abc_com
    server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
With the configuration above, you get multi-certificate HTTPS. Visit each of the sites above in turn and you will find that each one is served with its matching certificate.