OPNsense
  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • HAProxy and SNI on backend IIS server
Author Topic: HAProxy and SNI on backend IIS server  (Read 3666 times)

Taomyn (Sr. Member, 414 posts)
HAProxy and SNI on backend IIS server
« on: March 17, 2017, 10:55:00 am »
Hi,

I'm slowly transitioning to Let's Encrypt (LE) SSL certificates and I've hit a snag. I have a single frontend for SSL web traffic, and before I had a single wildcard certificate which worked for all the different sites on the backend IIS server. Now with LE I'm having to add the individual site certificates (I've started with just one site) and also needed to enable SNI on the IIS server. The frontend in HAProxy has the two certificates assigned, the wildcard and the new LE one. Internally this is working as expected, but externally HAProxy is not able to connect to IIS correctly.

When I connect externally I can see in my browser that HAProxy is returning the correct certificate depending on which URL I use (so that part works), but the connection to the backend IIS server never makes it - Chrome responds with "503 Service Unavailable". There is deliberately no "default" site on IIS so I am thinking that for some reason SNI is not working. Like I said, connecting from Chrome internally to the IIS server is working and the correct certificate returned, so SNI is working on IIS.

Any advice on where to look in HAProxy to find the cause?
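One thing worth checking for the symptom described in the post: HAProxy does not send SNI on its own TLS connection to a backend unless the server line tells it to, so an IIS host whose bindings all require SNI (and which has no default site) sees a ClientHello with no server name and cannot pick a site. The fragment below is an added example written for this thread, not configuration taken from the original post or from the OPNsense HAProxy plugin; the hostnames, IP address and file paths are assumptions. It contrasts a backend server line without SNI with one that forwards the name the client sent (the `sni` server keyword, HAProxy 1.6 and later).

```haproxy
# Added example, not from the original post. Names, addresses and paths are
# placeholders; adjust to the real environment.

frontend https_in
    mode http
    # A directory as 'crt' loads every certificate in it (wildcard plus the
    # Let's Encrypt ones); HAProxy selects the one to present by client SNI.
    bind :443 ssl crt /usr/local/etc/haproxy/certs/
    default_backend iis_https

backend iis_https
    mode http

    # Weak form: TLS to IIS with no SNI. With SNI-only bindings and no default
    # site, IIS cannot choose a site, the handshake fails and clients get 503.
    # server iis 192.0.2.10:443 ssl verify none

    # Corrected form: pass the client's TLS server name (ssl_fc_sni) to IIS as
    # SNI, and validate the IIS certificate against a CA bundle instead of
    # 'verify none'. The CA bundle path is an assumption.
    server iis 192.0.2.10:443 ssl verify required ca-file /usr/local/share/certs/ca-root-nss.crt sni ssl_fc_sni

    # If health checks are enabled they also need a server name; the literal
    # 'check-sni' keyword requires HAProxy 1.8 or later.
    # server iis 192.0.2.10:443 ssl verify required ca-file /usr/local/share/certs/ca-root-nss.crt sni ssl_fc_sni check check-sni www.example.com
```

To confirm the diagnosis from the HAProxy host before changing anything, compare `openssl s_client -connect 192.0.2.10:443` (no SNI) with `openssl s_client -connect 192.0.2.10:443 -servername www.example.com`: if the first handshake fails or returns a different certificate while the second succeeds, the backend depends on SNI and the `sni` keyword is what is missing. `req.hdr(host)` can be used instead of `ssl_fc_sni` when the frontend is plain HTTP, but the Host header may carry a port suffix, so the TLS server name is the cleaner source when the frontend itself terminates TLS.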

bartjsmit (Hero Member, 1604 posts)
Re: HAProxy and SNI on backend IIS server
« Reply #1 on: March 17, 2017, 11:22:26 am »
Why do you need TLS between HAProxy and IIS? Isn't it easier and faster to use HTTP?

Bart...

Taomyn (Sr. Member, 414 posts)
Re: HAProxy and SNI on backend IIS server
« Reply #2 on: March 17, 2017, 11:36:30 am »
Yes, but that assumes the internal service allows for HTTP, and this one redirects all HTTP to HTTPS so HAProxy has no choice but to connect via SSL.

I'll see if I can change this particular site, but there's another where HTTPS is the only option.

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved