Haproxy implementing Multi-Domain certificate HTTPS

Source: Internet
Author: User
Tags: openssl, version, haproxy

An earlier article covered multi-domain certificate HTTPS with Nginx (http://fengwan.blog.51cto.com/508652/1719708), where Nginx had to be recompiled to turn on TLS SNI support. So how is the same thing done with HAProxy?


Requirements:

HAProxy must be version 1.5 or later.


Step one: install OpenSSL

    tar zxf openssl-0.9.8zh.tar.gz
    cd openssl-0.9.8zh
    ./config enable-tlsext --prefix=/usr/local/openssl no-shared
    make && make install_sw
    # The build above does not replace the system's OpenSSL; its purpose is to get an OpenSSL with TLS SNI support (enable-tlsext) for HAProxy to link against

Step two: install HAProxy

    tar zxf haproxy-1.5.15.tar.gz
    cd haproxy-1.5.15
    make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl
    make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64 PREFIX=/usr/local/haproxy1.5.15 SSL_INC=/usr/local/openssl/include SSL_LIB=/usr/local/openssl/lib ADDLIB=-ldl install
    # Remember to point SSL_INC and SSL_LIB at the OpenSSL built above; HAProxy has no ./configure step, the make variables are the only place to set this

Step three: generate a certificate

    # mkdir ~/keys
    # cd ~/keys
    # openssl genrsa -out passport.abc.com.key 2048
    # openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN    # country
    State or Province Name (full name) [Berkshire]:GuangDong    # province
    Locality Name (eg, city) [Newbury]:shenzhen    # city
    Organization Name (eg, company) [My Company Ltd]:test.inc    # company name
    Organizational Unit Name (eg, section) []:passport.abc.com    # organizational unit
    Common Name (eg, your name or your server's hostname) []:passport.abc.com    # domain name
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
    # cat passport.abc.com.crt passport.abc.com.key | tee passport.abc.com.pem

Generate the certificate files for www.test.com and admin.abc.com in the same way; each site ends up with its own PEM file (certificate followed by private key).
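The same procedure for all three sites, scripted, as an added example that is not part of the original post: make_site_pem answers the openssl req prompts with -subj using the DN values typed above, self-signs the CSR for 3650 days as the post does, and concatenates certificate and key into the single PEM file HAProxy loads. The subjectAltName extension is an addition beyond the post's steps (clients match the SAN, not the CN); the function name and the --run switch are this example's own, and /etc/haproxy/keys is the directory the HAProxy configuration in this post points at.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive version of
# "step three" for several sites at once. C/ST/L/O are the values the post
# typed into the interactive prompt; the SAN extension is an addition.
set -eu

# make_site_pem DOMAIN OUTDIR: writes OUTDIR/DOMAIN.pem (cert + key) and
# prints its path.
make_site_pem() {
    domain=$1
    outdir=$2
    key="$outdir/$domain.key"
    csr="$outdir/$domain.csr"
    crt="$outdir/$domain.crt"
    pem="$outdir/$domain.pem"
    ext="$outdir/$domain.ext"

    mkdir -p "$outdir"
    # 2048-bit RSA key, as in the post
    openssl genrsa -out "$key" 2048 2>/dev/null
    # CSR with the DN given on the command line instead of at the prompts
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=CN/ST=GuangDong/L=shenzhen/O=test.inc/OU=$domain/CN=$domain"
    # self-signed for 3650 days like the post; SAN added through -extfile
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$ext"
    openssl x509 -req -days 3650 -in "$csr" -signkey "$key" -out "$crt" \
        -extfile "$ext" 2>/dev/null
    # HAProxy's crt option expects certificate then private key in one file
    cat "$crt" "$key" > "$pem"
    # private key material: owner-readable only
    chmod 600 "$key" "$pem"
    rm -f "$csr" "$ext"
    echo "$pem"
}

# one PEM per site; HAProxy later picks among them by the SNI the client sends
if [ "${1:-}" = "--run" ]; then
    for site in www.test.com admin.test.com passport.abc.com; do
        make_site_pem "$site" /etc/haproxy/keys
    done
fi
```

Run it as `sh make_pems.sh --run` as root on the HAProxy host; the self-signed certificates serve for testing the SNI selection, and a CA-issued certificate for each site goes into the same PEM layout (certificate, then any intermediate, then the key).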


HAProxy configuration file:

    frontend http_server
        bind :80
        bind :443 ssl crt /etc/haproxy/keys/www.test.com.pem crt /etc/haproxy/keys/admin.test.com.pem crt /etc/haproxy/keys/passport.abc.com.pem
        # Following the rule above, any number of sites can be added the same way:
        #   bind :443 ssl crt $filepath crt $file2path crt $file3path
        mode http
        acl ssl hdr_reg(host) -i ^(www.test.com|admin.test.com|passport.abc.com)$
        redirect scheme https code 301 if !{ ssl_fc } ssl
        # redirect the sites above to HTTPS

        # This is where each site is paired with its certificate, for example:
        acl wwwtest_com hdr_dom(host) -i www.test.com
        use_backend www_test_com if wwwtest_com { ssl_fc_sni www.test.com }
        acl admintest_com hdr_dom(host) -i admin.test.com
        use_backend admin_test_com if admintest_com { ssl_fc_sni admin.test.com }
        acl passportabc_com hdr_dom(host) -i passport.abc.com
        use_backend passport_abc_com if passportabc_com { ssl_fc_sni passport.abc.com }

    backend www_test_com
        server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
    backend admin_test_com
        server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1
    backend passport_abc_com
        server test5 192.168.10.5:80 check port 80 inter 5000 rise 2 fall 3 weight 1

With the configuration above, HTTPS with multiple certificates works: visiting each of the sites shows the certificate that was paired with it.
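To confirm that pairing before and after the files are loaded, here is an added check script that is not from the original post. check_pem verifies offline that a PEM file carries both halves, that the private key belongs to the certificate, that the certificate is issued for the expected host name (CN or DNS subjectAltName) and has not expired; sni_probe asks a running listener for a name via SNI and prints the subject of the certificate it returned. The host names and /etc/haproxy/keys paths are the ones in the configuration above; the function names and the --run switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# PEM files HAProxy loads, plus a probe of what a listener hands back for a
# given SNI name. Paths and host names are the post's.

# check_pem FILE HOST: return 0 when FILE holds a certificate whose CN or
# subjectAltName covers HOST, whose private key matches the certificate,
# and which has not expired. Anything else returns 1 and says why on stderr.
check_pem() {
    pem=$1
    host=$2

    # HAProxy expects cert + key in the same file; both halves must be present
    if ! grep -q 'BEGIN CERTIFICATE' "$pem" || ! grep -q 'PRIVATE KEY' "$pem"; then
        echo "$pem: missing certificate or private key" >&2
        return 1
    fi

    # the public key inside the cert must equal the one derived from the private key
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$pem: private key does not match certificate" >&2
        return 1
    fi

    # name check: CN (RFC2253 order puts it first) or any DNS SAN entry
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(openssl x509 -in "$pem" -noout -text |
           sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *DNS://')
    if [ "$cn" != "$host" ] && ! printf '%s\n' "$sans" | grep -qxF "$host"; then
        echo "$pem: certificate is not for $host (CN=$cn)" >&2
        return 1
    fi

    # -checkend 0: fail if the certificate has already expired
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "$pem: certificate has expired" >&2
        return 1
    fi
    return 0
}

# sni_probe HOST ADDR: connect to ADDR (host:port), send HOST as the SNI name
# and print the subject of the certificate the listener chose. Needs a running
# listener, so the test below does not exercise it.
sni_probe() {
    openssl s_client -servername "$1" -connect "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

if [ "${1:-}" = "--run" ]; then
    for host in www.test.com admin.test.com passport.abc.com; do
        check_pem "/etc/haproxy/keys/$host.pem" "$host" && echo "$host: ok"
    done
fi
```

On the HAProxy host, `sh check_pems.sh --run` goes through the three files, and `sni_probe passport.abc.com 127.0.0.1:443` (after sourcing the script) shows which certificate the frontend selected for that name; a subject naming a different site means the SNI match in the bind line is not doing what was expected. A mismatched key and certificate is also caught by `haproxy -c -f haproxy.cfg`, which loads the certificates while checking the configuration, and `haproxy -vv` shows which OpenSSL the binary was linked against.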


This article is from the "Maple Night" blog; reprinting is declined.
