Topic: HAProxy doesn't seem to respect SNI anymore? (Read 705 times)
rkubes
on: February 02, 2024, 08:11:19 pm
I have two different certs, one for mydomain.com, and one for www.mydomain.com (examples of course, but the subdomains are correct).
These are both loaded in HAProxy for my server, and I'm using HAProxy essentially as a gateway so that the SSL management is done within OPNsense.
On 23.x versions, this all worked without issue. HAProxy would provide the correct cert for whatever site was accessed (i.e. with or without the www. subdomain).
I upgraded to 24.1 last night, and now if I access mydomain.com, HAProxy is providing the cert for www.mydomain.com, and thus the browser raises a warning. It seems like potentially HAProxy is using the default cert rather than the other one loaded specifically for that subdomain.
Are there any configurations that are known to need to be adjusted for HAProxy after the 24.1 upgrade? Or any that I can double check to ensure they're set correctly?
This issue only happens within my network, since the DNS is routed directly to the firewall. Outside of my network I proxy through Cloudflare, and they have their own cert on the proxy with a wildcard.
I know I can potentially look at also doing a wildcard cert on my end, but I'd prefer to keep the individual certs for now and rely on SNI to pick the right cert.
Edit: I did a search for HAProxy and didn't find the other posts, but have since found through Google this is indeed broken with 24.1
https://github.com/opnsense/plugins/issues/3779#issuecomment-1917956814
« Last Edit: February 02, 2024, 08:20:29 pm by rkubes »
Tubs
Reply #1 on: February 02, 2024, 08:31:46 pm
I was running into the same issue.
Have a look here.
https://forum.opnsense.org/index.php?topic=38435.0