
Решение HAProxy

gate# apt install haproxy

gate# cat wild.crt wild.key > /etc/ssl/private/wild.crtkey
gate# ###cat gowebd.crt gowebd.key > /etc/ssl/private/gowebd.crtkey
gate# ###cat keycloak.crt keycloak.key > /etc/ssl/private/keycloak.crtkey

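gate# cat /etc/haproxy/haproxy.cfg
...
# NOTE(review): the global/defaults sections are elided above ("...").
# The TLS protocol and cipher policy for the bind lines below is not set here,
# so it comes from those sections - confirm they enforce a minimum TLS version.

# Public entry point: accepts HTTP and HTTPS, terminates TLS and passes every
# request to the Kubernetes ingress backend.
frontend ft-gate
    mode http

    # Port 80 exists only to send clients to HTTPS: any request that did not
    # arrive over TLS gets a 301 redirect.
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

    # TLS terminates here. The .crtkey file is certificate + private key in one
    # PEM (built with cat above); "wild" is presumably a wildcard certificate.
    bind *:443 ssl crt /etc/ssl/private/wild.crtkey
    # Alternative (disabled): one certificate per site, chosen by the client's SNI.
#    bind *:443 ssl crt /etc/ssl/private/gowebd.crtkey crt /etc/ssl/private/keycloak.crtkey

    default_backend      bk-kube-ingress
    # Alternative (disabled): per-site backends selected by SNI.
    # NOTE(review): SNI is fixed per TLS connection while Host is sent per
    # request, so in HTTP mode the two can differ on a reused connection.
    # If this is enabled, routing on the Host header is the safer match,
    # e.g. { hdr(host) -i keycloak.corp13.un }.
#    use_backend bk-kube-ingress if { ssl_fc_sni keycloak.corp13.un }
#    use_backend bk-node-ingress if { ssl_fc_sni gowebd.corp13.un }

    # The frontend runs in HTTP mode, so log in HTTP format: unlike tcplog it
    # records the request line and the status code, which is what is needed
    # when tracing or investigating individual requests.
    option               httplog

# Pool of Kubernetes nodes running the ingress controller.
backend bk-kube-ingress

    # Disabled: headers telling the backend about the original client request.
    # NOTE(review): while these stay commented out, X-Forwarded-* headers sent
    # by a client reach the backend unchanged. If the ingress or the
    # applications trust them, enable the set-header lines so the proxy
    # overwrites whatever the client supplied.
#    http-request set-header X-Forwarded-Proto https if { ssl_fc }
#    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
#    http-request set-header X-Forwarded-Port %[dst_port]

    # NOTE(review): add-header appends a header and keeps any X-Real-Ip the
    # client sent; use set-header if this is enabled, so only the proxy's value
    # remains. Likewise "option forwardfor" adds the client address without
    # removing client-supplied X-Forwarded-For values - the backend should
    # trust only the entry added by this proxy.
##    http-request add-header X-Real-Ip %[src] # Custom header with src IP
##    option forwardfor # X-forwarded-for
##    http-request set-uri https://%[req.hdr(Host)]%[path]?%[query] if { ssl_fc }

    mode        http
    balance     roundrobin

    # Traffic to the nodes is plain HTTP on port 80 (no "ssl" on the server
    # lines), so the gate-to-node network carries decrypted requests.
    # "check" enables health checks for each server.
    server  kube1 kube1:80 check
    server  kube2 kube2:80 check
    server  kube3 kube3:80 check

# Disabled second pool, used by the commented-out gowebd use_backend rule.
#backend bk-node-ingress
#    mode        http
#    balance     roundrobin
#    server  node2 node2:80 check
#    server  node3 node3:80 check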
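gate# ### Syntax-check the configuration before restarting, so a typo does not take the proxy down.
gate# haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid

gate# service haproxy restart

gate# tail -f /var/log/haproxy.log
gate# journalctl -f | grep proxy

haproxy# ### --resolve points the site name at the local proxy, so curl sends the real SNI and Host
haproxy# ### and checks the certificate against that name. Add -k only for a throw-away test
haproxy# ### when the issuing CA is not in the local trust store.
haproxy# curl --resolve gowebd.corpX.un:443:127.0.0.1 https://gowebd.corpX.un/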
решение_haproxy.txt · Last modified: 2024/04/09 11:27 by val