Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
HAProxy and SNI on backend IIS server
« previous
next »
Print
Pages: [
1
]
Author
Topic: HAProxy and SNI on backend IIS server (Read 5244 times)
Taomyn
Sr. Member
Posts: 444
Karma: 20
HAProxy and SNI on backend IIS server
«
on:
March 17, 2017, 10:55:00 am »
Hi,
I'm slowly transitioning to Let's Encrypt (LE) SSL certificates and I've hit a snag. I have a single frontend for SSL web traffic, and before I had a single wildcard certificate which worked for all the different sites on the backend IIS server. Now with LE I'm having to add the individual site certificates (I've started with just one site) and also needed to enable SNI on the IIS server. The frontend in HAProxy has the two certificates assigned, the wildcard and the new LE one. Internally this is working as expected, but externally HAProxy is not able to connect to IIS correctly.
When I connect externally I can see in my browser that HAProxy is returning the correct certificate depending on which URL I use (so that part works), but the connection to the backend IIS server never makes it - Chrome responds with "503 Service Unavailable". There is deliberately no "default" site on IIS so I am thinking that for some reason SNI is not working. Like I said, connecting from Chrome internally to the IIS server is working and the correct certificate returned, so SNI is working on IIS.
Any advice on where to look in HAProxy to find the cause?
Logged
bartjsmit
Hero Member
Posts: 2016
Karma: 194
Re: HAProxy and SNI on backend IIS server
«
Reply #1 on:
March 17, 2017, 11:22:26 am »
Why do you need TLS between HA proxy and IIS? Isn't it easier and faster to use http?
Bart...
Logged
Taomyn
Sr. Member
Posts: 444
Karma: 20
Re: HAProxy and SNI on backend IIS server
«
Reply #2 on:
March 17, 2017, 11:36:30 am »
Yes, but that assumes the internal service allows for HTTP, and this one redirects all HTTP to HTTPS so HAProxy has no choice but to connect via SSL.
I'll see if I can change this particular site, but there's another where HTTPS is the only option.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
HAProxy and SNI on backend IIS server