HAProxy and SNI-based SSL offloading with intermediate CA

In a world of diminishing IPv4 space and slow IPv6 adoption, SNI-based SSL is becoming more and more important. With the TLS Server Name Indication (SNI) extension, only hardware limits the number of SSL virtual hosts that can share a single IP address, and most modern browsers and web servers support it. Since September 2012 (the 1.5-dev12 release), HAProxy has supported native SSL as well, so SSL offloading can now be done with a simple HAProxy configuration:

frontend f_web_ssl
  bind 0.0.0.0:443 ssl crt /etc/haproxy/default.pem crt /etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

This line instructs HAProxy to load server certificates (only server certificates, since this is one-way SSL and clients are not asked to present one) from every PEM file in /etc/haproxy/certs.d and to pick the one whose subject or Subject Alternative Names match the server name the client sends in its SNI extension. If no certificate matches, or the client sends no SNI extension at all (older clients such as Internet Explorer on Windows XP), the first certificate on the bind line, default.pem, is presented instead. Each PEM file has to contain the certificate, any intermediate CA certificate needed to complete the chain, and the private key; without the intermediate, clients that do not already have it cannot validate the chain. The cipher list is chosen to pass the BEAST attack test by preferring RC4 on TLS 1.0 connections. Note that RC4 itself has since been shown to be weak and is prohibited by RFC 7465, so on a current deployment the RC4 entries and the !AESGCM exclusion should be dropped in favour of TLS 1.1 and later with AES-GCM suites.