Docker Community Forums


Dockercloud/haproxy multiple SSL certificates

I want to set up a dockercloud/haproxy loadbalancer serving 3 different websites, each having their own SSL certificate. I can see in the documentation that if I place these certificates in the container’s /certs/ folder, then it should work.

But how can haproxy know which certificate to use for which web site?
Is there a naming convention for the certificates?
Could someone add a docker-compose example with two different web sites and dockercloud/haproxy all set up with SSL certificates?

https://github.com/tutumcloud/haproxy#ssl-termination

It is not precisely what I’m asking. I have a solution with three loadbalancers, one per certificate. I would like to just have one loadbalancer with all three certificates included.

So my question is related to the dockercloud/haproxy environment option CERT_FOLDER. It says:
“the path of certificates. This allows you to mount your certificate files directly from a volume instead of from envvars. If set, DEFAULT_SSL_CERT and SSL_CERT from linked services are ignored. Possible value: /certs/”

How does this work? How can the loadbalancer know which certificate is required for a request?

You set the environment variables on your app servers and haproxy reads those and configures itself. See https://github.com/tutumcloud/haproxy#settings-in-linked-application-services

I know you are trying to help, but I don’t see how it is done. If you know how to do what I’m asking, could you please be more specific? Exactly what should be set on the app service? The only thing I can set which is not ignored is the VIRTUAL_HOST. How can haproxy know which certificate in the /certs/ folder that ties to? How should the certificates on the haproxy be named?

When you use the CERT_FOLDER method, HAProxy will load all the certificates in the directory. When a request comes in, it will attempt to read the hostname from the SNI field and match that hostname against the CN (Common Name) or SAN (Subject Alternative Name) fields of the loaded certificates.

You can read more about this here: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt

They don’t need to be named in any particular way, however keep in mind that should the SNI field not be present HAProxy will respond with the first loaded certificate.


I actually find the easiest way of using dockercloud/haproxy is to attach the certificates directly to the services via the SSL_CERT environment variable.

Hope this helps!

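To make the behaviour described in the answer above concrete, here is a small added model (not code from dockercloud/haproxy or HAProxy) of how a crt directory is matched against SNI: every certificate in CERT_FOLDER is loaded, the SNI hostname is matched against the CN/SAN names, and when SNI is absent or matches nothing the first loaded certificate is served. It also adds a coverage check that reports which VIRTUAL_HOST names would silently fall back to that first certificate, which is the usual cause of browser certificate errors with this setup. Wildcard names are assumed to follow the usual single-label rule, and the certificates are constructed metadata rather than real PEM files.

```python
"""Model of CERT_FOLDER / SNI certificate selection.

Added example, not HAProxy or dockercloud/haproxy code. Assumptions:
 - the first certificate loaded is the fallback when SNI is missing or unknown
 - a wildcard such as *.example.test covers exactly one leftmost label
 - where two certificates claim the same name, the first loaded one wins
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LoadedCert:
    filename: str                                   # name under /certs/, irrelevant to matching
    cn: str                                         # subject Common Name
    sans: List[str] = field(default_factory=list)   # subjectAltName DNS entries

    def names(self) -> List[str]:
        """All hostnames this certificate asserts, lower-cased, in order, de-duplicated."""
        seen: List[str] = []
        for name in [self.cn, *self.sans]:
            name = name.lower()
            if name not in seen:
                seen.append(name)
        return seen


class CertFolder:
    """Indexes the certificates of one directory the way a TLS frontend would."""

    def __init__(self, certs: List[LoadedCert]):
        if not certs:
            raise ValueError("CERT_FOLDER contains no certificates")
        self.certs = certs
        self.default = certs[0]                     # first loaded certificate is the fallback
        self.exact: Dict[str, LoadedCert] = {}
        self.wildcard: Dict[str, LoadedCert] = {}   # keyed by the part after "*."
        for cert in certs:
            for name in cert.names():
                if name.startswith("*."):
                    self.wildcard.setdefault(name[2:], cert)
                else:
                    self.exact.setdefault(name, cert)

    def match(self, sni: Optional[str]) -> Optional[LoadedCert]:
        """Certificate whose CN/SAN covers the SNI name, or None if nothing matches."""
        if not sni:
            return None
        host = sni.lower().rstrip(".")
        if host in self.exact:
            return self.exact[host]
        if "." in host:                             # wildcard covers exactly one leftmost label
            parent = host.split(".", 1)[1]
            if parent in self.wildcard:
                return self.wildcard[parent]
        return None

    def select(self, sni: Optional[str]) -> LoadedCert:
        """What the client actually receives: the match, or the first loaded certificate."""
        return self.match(sni) or self.default

    def uncovered(self, virtual_hosts: List[str]) -> List[str]:
        """VIRTUAL_HOST names that would silently be served the fallback certificate."""
        return [vh for vh in virtual_hosts if self.match(vh) is None]


# Constructed sample: three sites behind one load balancer, as in the thread.
SAMPLE_CERTS = [
    LoadedCert("site-a.pem", "www.example-a.test", ["example-a.test"]),
    LoadedCert("site-b.pem", "*.example-b.test"),
    LoadedCert("site-c.pem", "shop.example-c.test"),
]
# Constructed VIRTUAL_HOST values of the linked app services; the apex of
# example-b.test is deliberately not covered by the wildcard certificate.
SAMPLE_VIRTUAL_HOSTS = [
    "www.example-a.test", "blog.example-b.test", "shop.example-c.test", "example-b.test",
]


def demo() -> None:
    folder = CertFolder(SAMPLE_CERTS)
    for sni in ["www.example-a.test", "blog.example-b.test", None, "unknown.test"]:
        print(f"SNI={sni!r:24} -> {folder.select(sni).filename}")
    print("VIRTUAL_HOSTs with no matching certificate:", folder.uncovered(SAMPLE_VIRTUAL_HOSTS))


if __name__ == "__main__":
    demo()
```

Running `uncovered()` over the VIRTUAL_HOST values before deploying catches the case the answer warns about: a name with no matching CN/SAN does not fail loudly, it is simply answered with the first certificate in the folder.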

I love you longtime! This was exactly it. Works beautifully! One Loadbalancer to rule them all.