Hello Ben,

On Wed, 3 Nov 2021 at 03:54, Ben Hart <ben.h...@jamf.com> wrote:
>
> I wonder, can I ask if the server directives are correct insofar as
> making a secured connection to the backend server entries?
>
> I'm told that HAP might be connecting by IP in which case the
> SSL cert would be useless

The documentation of the verify keyword in the server section clarifies this:

http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.2-verify

"The certificate provided by the server is verified using CAs from
'ca-file' and optional CRLs from 'crl-file' after having checked that
the names provided in the certificate's subject and
subjectAlternateNames attributes match either the name passed using the
"sni" directive, or if not provided, the static host name passed using
the "verifyhost" directive. When no name is found, the certificate's
names are ignored. For this reason, without SNI it's important to use
"verifyhost"."

Lukas
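
The behaviour quoted from the documentation, shown as backend server lines. This is an added example, not part of the original message and not Ben's configuration; the backend name, server names, addresses, hostnames and CA path are constructed placeholders.

```haproxy
backend be_app
    # Weak: the backend is reached by IP with neither "sni" nor "verifyhost".
    # The chain is still validated against ca-file, but no name is available
    # to compare, so the certificate's names are ignored. Any certificate
    # issued by a CA in ca-file is accepted for this server.
    server app1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem

    # Corrected, static name: still connecting by IP, but "verifyhost" gives
    # HAProxy a name that must match the certificate's subject or
    # subjectAlternateNames.
    server app2 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost app2.internal.example

    # Corrected, with SNI: the name sent via "sni" is the one the certificate
    # is checked against. "verifyhost" stays as the name to check whenever no
    # SNI was used on a connection to this server.
    server app3 192.0.2.12:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem sni str(app3.internal.example) verifyhost app3.internal.example
```

Note that `verify none` on a server line disables certificate verification entirely, in which case neither `sni` nor `verifyhost` provides any name check.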