I want to redirect a subdomain from a domain A to a subdomain from a domain B via HAProxy. I have SSL wildcards for these 2 domains.

My concern is that HAProxy uses the wrong certificate when redirecting (it uses the certificate for the domain where the user is being redirected rather than the certificate of the domain used).

Here are my configuration files:

HAProxy (/etc/haproxy/haproxy.cfg):

...

frontend https
  bind 0.0.0.0:443 ssl crt-list /etc/haproxy/ssl_certificates no-sslv3 no-tls-tickets ciphers ECDHE-ECDSA-CHACHA20-POLY1305:EC.......
  mode http
  acl is_domain_b hdr(host) -i sub2.sub1.b.com
  acl is_domain_a hdr(host) -i sub1.a.com
  default_backend redir
  option http-server-close
  option forwardfor except 127.0.0.1
  http-request redirect prefix https://sub1.a.com if is_domain_b
  use_backend xxxxx if is_domain_a

backend redir
  mode http
  redirect prefix sub1.domain-a.com code 302

backend xxxxx
  mode http
  option forwardfor
  option httpchk HEAD / HTTP/1.1\r\nHost:healthcheck.haproxy
  server xxxxx xx.xx.xx.xx:3000 check

Certificates (/etc/haproxy/ssl_certificates):

/etc/ssl/haproxy/a.com.pem
/etc/ssl/haproxy/b.com.pem

Demonstration:

#> openssl x509 -in /etc/ssl/haproxy/a.com.pem -noout -text | grep 'Subject:\|DNS:'
        Subject: CN=*.a.com
                DNS:*.a.com, DNS:a.com

#> openssl x509 -in /etc/ssl/haproxy/b.com.pem -noout -text | grep 'Subject:\|DNS:'
        Subject: CN=*.b.com
                DNS:*.b.com, DNS:b.com

#> true | openssl s_client -connect sub2.sub1.b.com:443 -servername sub2.sub1.b.com -showcerts | openssl x509 -text -noout | grep 'Subject:\|DNS:'
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.a.com
verify return:1
DONE
        Subject: CN=*.a.com
                DNS:*.a.com, DNS:a.com

I want to point out that this problem has only been there since I used SSL wildcards. Previously, I had one SSL certificate per subdomain, and HAProxy used the right one (for the same configuration).

Do you have any idea what might be the issue in my configuration, please?

Aurelien Maigret
  • `sub2.sub1.b.com` does NOT match `*.b.com`; a wildcard covers **only one label**. See dupes&crossdupes https://stackoverflow.com/questions/26744696/ https://stackoverflow.com/questions/32510641/ https://serverfault.com/questions/878432/ https://serverfault.com/questions/871171/ https://serverfault.com/questions/817255/ and more linked from there. – dave_thompson_085 Apr 20 '18 at 10:41
  • As pointed out by dave_thompson_085 a wildcard covers only one label. So sub2.sub1.b.com will not match any of your certs and HAProxy will fall back to the first cert (in alphabetic order). – Mo3m3n Apr 20 '18 at 12:29
  • That's why it worked without SSL wildcards... I didn't know that, thank you for your answers! – Aurelien Maigret Apr 20 '18 at 14:15
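The one-label wildcard rule the comments describe, as an added example (not code from the question or from HAProxy): it implements the RFC 6125 matching rule and models HAProxy's fall-back to the first certificate in the crt-list, using a constructed crt-list with the two wildcard certificates from the question. The `check_names` helper is a pre-deployment check you can run over every hostname a frontend must serve, so a name that would silently get the default certificate shows up before clients see a TLS error.

```python
"""Wildcard SAN matching as an SNI certificate lookup needs it.

Added example, not from the original post or from HAProxy's source. The
rule is RFC 6125 section 6.4.3: '*' matches exactly one DNS label, so
'*.b.com' covers 'sub1.b.com' but not 'sub2.sub1.b.com'. The fall-back
to the first certificate of the crt-list is modelled as described in
the comments above (assumption: the list order is the load order).
"""

def name_matches(pattern, hostname):
    """Return True if a certificate SAN/CN pattern covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname            # plain name: exact match only
    suffix = pattern[1:]                      # "*.b.com" -> ".b.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]           # the part '*' must absorb
    # Exactly one non-empty label: a dot here means two or more labels.
    return head != "" and "." not in head

# Constructed crt-list in the order given in the question:
# (pem path, DNS names taken from that certificate's SAN extension).
CRT_LIST = [
    ("/etc/ssl/haproxy/a.com.pem", ["*.a.com", "a.com"]),
    ("/etc/ssl/haproxy/b.com.pem", ["*.b.com", "b.com"]),
]

def select_certificate(sni, crt_list=CRT_LIST):
    """Return (pem_path, matched) for the SNI name a client sent.

    matched is False when no SAN covered the name and the first entry
    of the list was served as the default certificate.
    """
    for pem, names in crt_list:
        if any(name_matches(n, sni) for n in names):
            return pem, True
    return crt_list[0][0], False              # no match: default certificate

def check_names(hostnames, crt_list=CRT_LIST):
    """Map each hostname to the certificate it would actually get."""
    return {h: select_certificate(h, crt_list) for h in hostnames}

if __name__ == "__main__":
    hosts = ["sub1.a.com", "sub1.b.com", "sub2.sub1.b.com"]
    for host, (pem, ok) in check_names(hosts).items():
        note = "" if ok else "  <- no SAN matches, default cert served"
        print(f"{host:16} -> {pem}{note}")
```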