Re: Loadbalancing with ssl on www only
If it is any help you can get a certificate for *.domain.com

On Oct 28, 2013 9:37 PM, Felix fe...@ferchland.org wrote:

> Hello,
>
> I am using haproxy to load-balance my web application, but I ran into a
> problem with our SSL certificate. haproxy is also serving the SSL
> certificate to the clients. This works quite well.
>
> We only have a certificate for www as subdomain, so all traffic hitting
> haproxy should be redirected to https://www. If the visitor comes from
> non-SSL, the domain can be rewritten without a problem, but if the visitor
> types the domain with SSL but without the subdomain, the URL can't be
> rewritten before the (in this case invalid) SSL certificate is served by
> haproxy.
>
> Is there a way to redirect an SSL request before serving the certificate?
>
> global
>     maxconn 4096
>     daemon
>     log 128.0.0.1 local0
>
> defaults
>     log global
>     mode http
>     contimeout 5000
>     clitimeout 5
>     srvtimeout 5
>     option forwardfor
>     retries 3
>     option redispatch
>     option http-server-close
>
> frontend http *:80
>     mode http
>     redirect location https://www.url.com if !{ ssl_fc }
>
> frontend https
>     # reqadd X-Forwarded-Proto:\ https
>     # www Redirect
>     mode http
>     acl non-www hdr(host) url.com
>     redirect prefix https://www.url.com if non-www
>     bind *:443 ssl crt /crt/ssl.pem no-sslv3
>     default_backend web
>     option forwardfor
Re: Loadbalancing with ssl on www only
A wildcard cert is helpful for some things, but domain.com will not validate against a cert issued for *.domain.com

On 10/29/13, 10:52 AM, Bhaskar Maddala wrote:

> If it is any help you can get a certificate for *.domain.com
>
> On Oct 28, 2013 9:37 PM, Felix fe...@ferchland.org wrote:
>
>> Hello,
>>
>> I am using haproxy to load-balance my web application, but I ran into a
>> problem with our SSL certificate. haproxy is also serving the SSL
>> certificate to the clients. This works quite well.
>>
>> We only have a certificate for www as subdomain, so all traffic hitting
>> haproxy should be redirected to https://www. If the visitor comes from
>> non-SSL, the domain can be rewritten without a problem, but if the visitor
>> types the domain with SSL but without the subdomain, the URL can't be
>> rewritten before the (in this case invalid) SSL certificate is served by
>> haproxy.
>>
>> Is there a way to redirect an SSL request before serving the certificate?
>>
>> global
>>     maxconn 4096
>>     daemon
>>     log 128.0.0.1 local0
>>
>> defaults
>>     log global
>>     mode http
>>     contimeout 5000
>>     clitimeout 5
>>     srvtimeout 5
>>     option forwardfor
>>     retries 3
>>     option redispatch
>>     option http-server-close
>>
>> frontend http *:80
>>     mode http
>>     redirect location https://www.url.com if !{ ssl_fc }
>>
>> frontend https
>>     # reqadd X-Forwarded-Proto:\ https
>>     # www Redirect
>>     mode http
>>     acl non-www hdr(host) url.com
>>     redirect prefix https://www.url.com if non-www
>>     bind *:443 ssl crt /crt/ssl.pem no-sslv3
>>     default_backend web
>>     option forwardfor
Re: Loadbalancing with ssl on www only
Ahh, thank you

-Bhaskar

On Tue, Oct 29, 2013 at 10:56 AM, David Coulson da...@davidcoulson.net wrote:

> A wildcard cert is helpful for some things, but domain.com will not
> validate against a cert issued for *.domain.com
>
> On 10/29/13, 10:52 AM, Bhaskar Maddala wrote:
>
>> If it is any help you can get a certificate for *.domain.com
>>
>> On Oct 28, 2013 9:37 PM, Felix fe...@ferchland.org wrote:
>>
>>> Hello,
>>>
>>> I am using haproxy to load-balance my web application, but I ran into a
>>> problem with our SSL certificate. haproxy is also serving the SSL
>>> certificate to the clients. This works quite well.
>>>
>>> We only have a certificate for www as subdomain, so all traffic hitting
>>> haproxy should be redirected to https://www. If the visitor comes from
>>> non-SSL, the domain can be rewritten without a problem, but if the
>>> visitor types the domain with SSL but without the subdomain, the URL
>>> can't be rewritten before the (in this case invalid) SSL certificate is
>>> served by haproxy.
>>>
>>> Is there a way to redirect an SSL request before serving the
>>> certificate?
>>>
>>> global
>>>     maxconn 4096
>>>     daemon
>>>     log 128.0.0.1 local0
>>>
>>> defaults
>>>     log global
>>>     mode http
>>>     contimeout 5000
>>>     clitimeout 5
>>>     srvtimeout 5
>>>     option forwardfor
>>>     retries 3
>>>     option redispatch
>>>     option http-server-close
>>>
>>> frontend http *:80
>>>     mode http
>>>     redirect location https://www.url.com if !{ ssl_fc }
>>>
>>> frontend https
>>>     # reqadd X-Forwarded-Proto:\ https
>>>     # www Redirect
>>>     mode http
>>>     acl non-www hdr(host) url.com
>>>     redirect prefix https://www.url.com if non-www
>>>     bind *:443 ssl crt /crt/ssl.pem no-sslv3
>>>     default_backend web
>>>     option forwardfor
Re: Loadbalancing with ssl on www only
No. You need to get a cert with both www.domain.com and domain.com in it so both are valid in a browser.

Sent from my iPad

On Oct 28, 2013, at 9:33 PM, Felix fe...@ferchland.org wrote:

> Hello,
>
> I am using haproxy to load-balance my web application, but I ran into a
> problem with our SSL certificate. haproxy is also serving the SSL
> certificate to the clients. This works quite well.
>
> We only have a certificate for www as subdomain, so all traffic hitting
> haproxy should be redirected to https://www. If the visitor comes from
> non-SSL, the domain can be rewritten without a problem, but if the visitor
> types the domain with SSL but without the subdomain, the URL can't be
> rewritten before the (in this case invalid) SSL certificate is served by
> haproxy.
>
> Is there a way to redirect an SSL request before serving the certificate?
>
> global
>     maxconn 4096
>     daemon
>     log 128.0.0.1 local0
>
> defaults
>     log global
>     mode http
>     contimeout 5000
>     clitimeout 5
>     srvtimeout 5
>     option forwardfor
>     retries 3
>     option redispatch
>     option http-server-close
>
> frontend http *:80
>     mode http
>     redirect location https://www.url.com if !{ ssl_fc }
>
> frontend https
>     # reqadd X-Forwarded-Proto:\ https
>     # www Redirect
>     mode http
>     acl non-www hdr(host) url.com
>     redirect prefix https://www.url.com if non-www
>     bind *:443 ssl crt /crt/ssl.pem no-sslv3
>     default_backend web
>     option forwardfor
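
The name-matching point made in the replies above, as an added example that is not part of the original thread: a simplified Python model of how a client compares the requested host with the DNS names in a certificate, which happens during the TLS handshake and therefore before any HTTP redirect can be delivered. The function names are hypothetical and the host names are the thread's placeholders; partial wildcards such as `w*.url.com` are treated as non-matching.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name covers the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    # This is why *.url.com never covers the bare url.com.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard is accepted only as the whole left-most label, and
        # only above at least two further labels (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(dns_names, hostname: str) -> bool:
    """True if any DNS name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in dns_names)


def uncovered_hosts(dns_names, hosts):
    """Hosts for which the handshake fails validation, so the browser
    shows a certificate warning before a redirect rule is ever reached."""
    return [h for h in hosts if not cert_covers(dns_names, h)]


if __name__ == "__main__":
    hosts = ["www.url.com", "url.com"]  # constructed from the thread's placeholders
    for label, names in [
        ("www only", ["www.url.com"]),
        ("wildcard only", ["*.url.com"]),
        ("www + apex", ["www.url.com", "url.com"]),
        ("wildcard + apex", ["*.url.com", "url.com"]),
    ]:
        print(f"{label:16} uncovered: {uncovered_hosts(names, hosts)}")
```

Only the certificates that list the bare domain explicitly leave no uncovered host, so with either of them the `redirect prefix` rule in the https frontend is reached without a warning.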