January 11, 2011
Well, it was worth a shot.
I spent some time at work over lunch trying to get HAProxy set up in such a way that we could have a wildcard SSL certificate on several Amazon EC2 instances, answering to different domains, and let HAProxy route the traffic accordingly.
Unfortunately, SSL certificates still appear to require separate IP addresses per host that you’re securing. And since we can’t assign multiple Elastic IP addresses to our HAProxy instance at Amazon, I’m at a bit of a loss for how to run a software proxy server to manage multiple secured domains. Larry and I each read about some work with stunnel, so we’re going to look into that some more in the coming days, to see if interfacing that and HAProxy can solve our problem.
After lurking in IRC for a while, a user in #haproxy informed me that routing SSL traffic to a backend configuration required “mode tcp”, but setting TCP mode meant we wouldn’t have access to certain ACL information, like the domain name on the incoming request, in order to know how to route traffic.
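For readers arriving at this post later: HAProxy 1.5 and later can read the Server Name Indication (SNI) field out of the TLS ClientHello while still in `mode tcp`, which is exactly the piece of routing information the #haproxy user said was missing. The configuration below is an added example, not something from the original post or from the HAProxy project; the hostnames, backend addresses and timeouts are placeholders. It keeps the wildcard certificate on the EC2 instances (HAProxy never decrypts) and picks a backend purely from the SNI name on a single IP address.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One listener, one IP: routing is decided from the SNI name in the
# ClientHello, so no extra Elastic IPs are needed per secured domain.
frontend tls_in
    bind *:443
    mode tcp
    option tcplog

    # Hold the connection until the ClientHello has arrived (or 5s pass);
    # without this the req.ssl_* fetches below see an empty buffer.
    tcp-request inspect-delay 5s

    # Refuse anything that is not a TLS ClientHello (handshake type 1),
    # e.g. plain-HTTP or garbage sent to port 443.
    tcp-request content reject if !{ req.ssl_hello_type 1 }

    # Match on the SNI server_name (placeholder hostnames).
    acl sni_app1 req.ssl_sni -i app1.example.com
    acl sni_app2 req.ssl_sni -i app2.example.com

    use_backend app1_tls if sni_app1
    use_backend app2_tls if sni_app2
    # No default_backend on purpose: a client presenting an unknown or
    # absent SNI name is closed rather than forwarded to a guessed host.

# Backends stay in TCP mode; the wildcard certificate lives on the instances.
backend app1_tls
    mode tcp
    # Health check by sending a TLS ClientHello and expecting a ServerHello.
    option ssl-hello-chk
    server app1 10.0.1.10:443 check   # placeholder address

backend app2_tls
    mode tcp
    option ssl-hello-chk
    server app2 10.0.1.11:443 check   # placeholder address
```

Two caveats worth knowing before adopting this. Because the proxy only passes bytes through, HTTP-level ACLs (paths, headers, cookies) are still unavailable; if those are needed, HAProxy 1.5+ can instead terminate TLS itself with `bind *:443 ssl crt /path/to/wildcard.pem` in `mode http` and route on `hdr(host)`, at the cost of moving the private key onto the proxy. And SNI is sent in cleartext, so it is a routing hint chosen by the client, not an authenticated identity: the backend must still present the correct certificate and the frontend should, as above, refuse names it does not explicitly recognise.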