HAProxy Won't Manage Multiple Wildcard SSL-Enabled Sites

The blog is currently being ported from WordPress to over 12 years of static pages of content. If there's an article missing that you're hoping to see, please contact me and let me know and I'll prioritize getting it online.

January 11, 2011

Well, it was worth a shot.

I spent some time at work over lunch trying to get HAProxy set up in such a way that we could have a wildcard SSL certificate on several Amazon EC2 instances, answering to different domains, and let HAProxy route the traffic accordingly.

Unfortunately, SSL certificates still appear to require separate IP addresses per host that you’re securing. And since we can’t assign multiple Elastic IP addresses to our HAProxy instance at Amazon, I’m at a bit of a loss for how to run a software proxy server to manage multiple secured domains. Larry and I each read about some work with stunnel, so we’re going to look into that some more in the coming days, to see if interfacing that and HAProxy can solve our problem.

After lurking in IRC for a while, a user in #haproxy informed me that routing SSL traffic to a backend configuration required “mode tcp”, but setting TCP mode meant we wouldn’t have access to certain ACL information, like the domain name on the incoming request, in order to know how to route traffic.