As mentioned earlier, in the article on using Nginx to serve HTTPS for multiple domain names with separate certificates (http://fengwan.blog.51cto.com/508652/1719708), the trick was to recompile Nginx with TLS SNI support enabled. So how is the same thing done with HAProxy?
Requirements:
HAProxy must be version 1.5 or later.
Step one: Install OpenSSL
tar zxf openssl-0.9.8zh.tar.gz
cd openssl-0.9.8zh
./config enable-tlsext --prefix=/usr/local/openssl no-shared
make && make install_sw
# This installation does not touch the system's own OpenSSL version; its only purpose is to build an OpenSSL with the TLS SNI extension enabled
Step two: Install HAProxy
tar zxf haproxy-1.5.15.tar.gz
cd haproxy-1.5.15
make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl
make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl install
# Remember to point SSL_INC and SSL_LIB at the OpenSSL built above; HAProxy has no configure step
Step three: Generate the certificates
# mkdir ~/keys
# cd ~/keys
# openssl genrsa -out passport.abc.com.key 2048
# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                                        # country
State or Province Name (full name) [Berkshire]:GuangDong                    # province
Locality Name (eg, city) [Newbury]:shenzhen                                 # city
Organization Name (eg, company) [My Company Ltd]:test.inc                   # company name
Organizational Unit Name (eg, section) []:passport.abc.com                  # organizational unit
Common Name (eg, your name or your server's hostname) []:passport.abc.com   # domain name
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
# cat passport.abc.com.crt passport.abc.com.key | tee passport.abc.com.pem
Generate the certificate files for www.test.com and admin.test.com in the same way; in the end each site has its own PEM file (certificate followed by private key).
HAProxy configuration file:
frontend http_server
    bind :80
    bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
    # Following the same rule, any number of sites can be added to the one bind line:
    # bind :443 ssl crt $file1path crt $file2path crt $file3path
    mode http

    acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
    redirect scheme https code 301 if !{ ssl_fc } ssl
    # Redirect plain HTTP requests for the sites above to HTTPS

    acl wwwtest_com hdr_dom(host) -i www.test.com
    use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
    # This is where the routing is tied to the certificate the client asked for via SNI; likewise:
    acl admintest_com hdr_dom(host) -i admin.test.com
    use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
    acl passportabc_com hdr_dom(host) -i passport.abc.com
    use_backend passport_abc_com if passportabc_com { ssl_fc_sni passport.abc.com }

backend www_test_com
    server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1

backend admin_test_com
    server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1

backend passport_abc_com
    server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
With the above configuration, HTTPS with multiple certificates is in place: when you visit each of the sites above, you will find that HAProxy presents the certificate that matches the hostname the client sent in SNI.
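A configuration like the one above is easy to break with a typo: a `use_backend` that points at a backend name that does not exist, a condition that references an ACL spelled differently from its definition, or an `ssl_fc_sni` hostname whose PEM bundle was never listed on the `bind` line (in which case the client receives the first certificate on the `bind` line rather than the one it asked for). The following linter is an added example, not part of the original article or of HAProxy itself. It parses the subset of HAProxy syntax used on this page and cross-checks those three things. It assumes the article's convention that each bundle is named `<hostname>.pem`; the sample configurations are constructed inline, and the "bad" variant reproduces the kind of name mismatch that such a config typically suffers from.

```python
"""Lint an HAProxy multi-certificate SNI frontend (added example, not HAProxy code).

Checks three consistency rules on the subset of syntax used on this page:
  1. every backend named in a use_backend rule has a backend section,
  2. every named ACL referenced in a use_backend condition is defined,
  3. every ssl_fc_sni hostname has a crt bundle named <hostname>.pem
     loaded on an "ssl" bind line (an assumed naming convention).
"""
import re
from dataclasses import dataclass, field

CRT_RE = re.compile(r"\bcrt\s+(\S+)")
ACL_RE = re.compile(r"^\s*acl\s+(\S+)")
USE_BACKEND_RE = re.compile(r"^\s*use_backend\s+(\S+)\s+if\s+(.*)$")
ANON_ACL_RE = re.compile(r"\{\s*([^}]*?)\s*\}")          # anonymous ACL: { ... }
SNI_RE = re.compile(r"ssl_fc_sni\s+(?:-i\s+)?(\S+)")
BACKEND_RE = re.compile(r"^\s*backend\s+(\S+)")
BOOLEAN_WORDS = {"!", "||", "or"}


@dataclass
class ConfigModel:
    crt_files: list = field(default_factory=list)
    acls: set = field(default_factory=set)
    rules: list = field(default_factory=list)   # (backend, [acl names], [sni hosts])
    backends: set = field(default_factory=set)


def parse(text):
    """Collect crt bundles, ACL definitions, use_backend rules and backend sections."""
    model = ConfigModel()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments, including commented-out binds
        if not line.strip():
            continue
        if re.match(r"^\s*bind\b", line) and " ssl " in line + " ":
            model.crt_files += CRT_RE.findall(line)
        elif m := ACL_RE.match(line):
            model.acls.add(m.group(1))
        elif m := USE_BACKEND_RE.match(line):
            backend, cond = m.group(1), m.group(2)
            anon = ANON_ACL_RE.findall(cond)
            named = [w.lstrip("!") for w in ANON_ACL_RE.sub(" ", cond).split()
                     if w not in BOOLEAN_WORDS]
            snis = [SNI_RE.match(a).group(1) for a in anon if SNI_RE.match(a)]
            model.rules.append((backend, named, snis))
        elif m := BACKEND_RE.match(line):
            model.backends.add(m.group(1))
    return model


def bundle_hostname(path):
    """'/etc/haproxy/keys/www.test.com.pem' -> 'www.test.com' (assumed naming convention)."""
    base = path.rsplit("/", 1)[-1]
    return base[:-4] if base.endswith(".pem") else base


def lint(text):
    """Return a list of human-readable problems; an empty list means the config is consistent."""
    model = parse(text)
    cert_hosts = {bundle_hostname(p) for p in model.crt_files}
    problems = []
    for backend, acl_names, snis in model.rules:
        if backend not in model.backends:
            problems.append(f"use_backend {backend}: no such backend section")
        for name in acl_names:
            if name not in model.acls:
                problems.append(f"use_backend {backend}: ACL '{name}' is not defined")
        for host in snis:
            if host not in cert_hosts:
                problems.append(f"use_backend {backend}: no crt bundle {host}.pem on the ssl bind line")
    return problems


# Constructed sample: the article's frontend with consistent names.
GOOD_CONFIG = """\
frontend http_server
    bind :80
    bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
    mode http
    acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
    redirect scheme https code 301 if !{ ssl_fc } ssl
    acl wwwtest_com hdr_dom(host) -i www.test.com
    use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
    acl admintest_com hdr_dom(host) -i admin.test.com
    use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
    acl passportabc_com hdr_dom(host) -i passport.abc.com
    use_backend passport_abc_com if passportabc_com { ssl_fc_sni passport.abc.com }

backend www_test_com
    server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend admin_test_com
    server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
backend passport_abc_com
    server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1
"""

# Constructed sample: one bundle forgotten, one backend misspelled, one ACL misnamed.
BAD_CONFIG = (GOOD_CONFIG
              .replace(" crt /etc/haproxy/keys/admin.test.com.pem", "")
              .replace("use_backend passport_abc_com if passportabc_com",
                       "use_backend pasport_abc_com if passport_abc_com"))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Run it before `haproxy -c`: HAProxy's own syntax check catches the missing backend, but it does not know that an SNI hostname without a bundle will silently fall back to the default certificate, which is exactly the failure this page's setup is meant to avoid.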
This article is from the "Maple Night" blog; reprinting is not permitted.
HAProxy: implementing multi-domain certificate HTTPS