My HAProxy is working well. I have ports 80 and 443 open to the internal proxy, TCP on port 443, HTTPS end to end. The certificates I serve are: *.mycompany.com.au and www.secure.mycompany.com.au.
SNI does not seem to be working, because when I go to secure.mycompany.com.au I keep getting the www.secure.mycompany.com.au certificate (and, strangely, most browsers do not throw an error). But when I go to mail.mycompany.com.au I correctly get the *.mycompany.com.au certificate.
If I remove the www.secure.mycompany.com.au certificate from the SSL directory and browse to secure.mycompany.com.au, I get the correct certificate, but of course when I then go to www.secure.mycompany.com.au I get an error in the browser, because it tries to give me the *.mycompany.com.au certificate.
Can anyone see what I am doing wrong?
haproxy -version
HA-Proxy version 1.5.8 2014/10/31
Copyright 2000-2014 Willy Tarreau <w@1wt.eu>
global
    daemon
    user haproxy
    group haproxy
    log /dev/log local0 info
    log /dev/log local0 notice
    ulimit-n 20000
    pidfile /var/run/haproxy.pid
    tune.ssl.default-dh-param 2048
##################################################################################
## Port80 is open only to forward all requests to port 443.
frontend unsecure 123.123.123.155:80 #Prod
    bind 192.168.14.155:80 #Prod
    mode http
    redirect scheme https code 301 if !{ ssl_fc }
##################################################################################
##Listen on 443, and forward to internal proxy on 88. Needed for SSL end to end.
listen ssl-proxy
    ##Only accept mycompany host headers
    # NOTE: http-request rules are ignored by a 'mode tcp' proxy (HAProxy warns at
    # startup); a Host-header deny only takes effect in an HTTP-mode frontend.
    http-request deny if !{ hdr_end(Host) -i mycompany.com.au } !{ hdr_end(Host) -i www.secure.mycompany.com.au }
    # Get Certificates from SSL directory.
    bind 123.123.123.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
    bind 192.168.14.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
    mode tcp
    server http 127.0.0.1:88 send-proxy
##################################################################################
frontend internal_proxy
    mode http
    bind 127.0.0.1:88 accept-proxy name accept-sslproxy
    bind-process 1
    acl is_secure_mycompany_com_au hdr_end(host) -i www.secure.mycompany.com.au
    acl is_secure_mycompany_com_au hdr_end(host) -i secure.mycompany.com.au
    use_backend https_secure_mycompany_com_au if is_secure_mycompany_com_au
    acl is_mail_mycompany_com_au hdr_end(host) -i mail.mycompany.com.au
    use_backend https_mail_mycompany_com_au if is_mail_mycompany_com_au
    default_backend nomatch
##################################################################################
backend https_secure_mycompany_com_au
    mode http
    option tcp-check
    server web-01 192.168.14.50:443 check ssl verify none
backend https_mail_mycompany_com_au
    mode http
    option tcp-check
    server web-02 192.168.14.51:443 check ssl verify none
backend nomatch
    mode http
    errorfile 503 /etc/haproxy/errors/503.http
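When HAProxy loads a `crt` directory it registers every name found in each certificate (the CN and every DNS SAN), and at handshake time it looks up the SNI name against exact names first and single-label wildcards second. So the two things worth checking here are (a) which names each file in /etc/haproxy/ssl actually carries, since a www.secure.mycompany.com.au certificate that also lists secure.mycompany.com.au as a SAN would be selected by exact match and would explain why browsers do not complain, and (b) which certificate the running proxy really returns for a given SNI. The script below is an added example, not part of the question; it assumes the `openssl` CLI is installed, and the function names (`sni_match`, `which_cert`, `list_sans`, `probe_sni`) are hypothetical helpers written for this illustration. `sni_match` reproduces the one-label wildcard rule so you can predict the selection offline; the last two functions are the live checks.

```shell
#!/bin/sh
# Added example (not from the question): predict and verify which certificate
# an SNI name selects. Assumes the openssl command-line tool is available.

# sni_match PATTERN NAME -> status 0 if NAME is covered by PATTERN.
# A wildcard covers exactly one DNS label: *.mycompany.com.au matches
# secure.mycompany.com.au but NOT www.secure.mycompany.com.au or mycompany.com.au.
sni_match() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}   # part after "*."
            first=${name%%.*}       # leftmost label of NAME
            rest=${name#*.}         # NAME without its leftmost label
            [ -n "$first" ] && [ "$first" != "$name" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$name" ]
            ;;
    esac
}

# which_cert NAME PATTERN... -> prints the pattern HAProxy's lookup order would
# pick (exact names before wildcards); status 1 if nothing matches.
which_cert() {
    name=$1; shift
    for p in "$@"; do
        case "$p" in
            \*.*) ;;
            *) if sni_match "$p" "$name"; then printf '%s\n' "$p"; return 0; fi ;;
        esac
    done
    for p in "$@"; do
        case "$p" in
            \*.*) if sni_match "$p" "$name"; then printf '%s\n' "$p"; return 0; fi ;;
        esac
    done
    return 1
}

# list_sans CERT.pem -> one DNS name per line from the certificate's SAN extension.
# Run this on every file in /etc/haproxy/ssl to see which names each one carries.
list_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; gsub(/,/, "\n"); print }' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# probe_sni HOST NAME -> subject of the certificate HOST:443 returns for SNI NAME.
# Example (network): probe_sni 123.123.123.155 secure.mycompany.com.au
probe_sni() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}
```

Run `list_sans` over both files first: if the www.secure certificate lists secure.mycompany.com.au, the observed behaviour is correct certificate selection, not an SNI failure. Then compare `probe_sni` results for each name against what `which_cert` predicts from the names `list_sans` printed.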