On Wed, May 19, 2021 at 06:38:16PM -0400, Wietse Venema wrote:

> With a load balancer, the backend hosts don't need to exist in DNS,
> and the backend hosts don't even need a globally unique IP address.
> They can sit on 10.0.0.1 and 10.0.0.2 and have fake hostnames.
>
> What matters is that the servers on those backend hosts greet
> and respond to the client with a public DNS name, and in particular,
> that they present a certificate for that public DNS name.
>
> In this light, it is natural to give the proxy host the public DNS
> name and IP address, because that is the only name and address that
> matters to the client.
This is what the CNAME accomplishes. The reason for a CNAME is that load
balancers often have multiple logical clusters they front-end. If it is
just one cluster, then sure, skip the CNAME and use the name of the proxy,
but it can still be the backend servers that do certificate renewal.

If the haproxy server is just as trusted as the backends, and can run
ACME, and is trusted to rsync to the backend servers (this increases the
attack surface), then one could do ACME on the proxy (treating it
essentially as one of the cluster members I was describing).

-- 
Viktor.
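The split described in the exchange above (the proxy owns the public name and
address, the backends sit on private addresses and present the certificate for
the public name), as an added configuration example that is not part of the
original message or of any project's shipped files. It assumes haproxy in TCP
mode passing SMTP through to two backends without terminating TLS, so
certificate renewal stays on the backends as in the first option above. The
hostname mail.example.com, the public address 203.0.113.10, the port and the
server names mx1/mx2 are placeholders:

```haproxy
# /etc/haproxy/haproxy.cfg (fragment, assumed layout)

defaults
    mode tcp
    option tcplog
    timeout connect 5s
    timeout client  5m
    timeout server  5m

frontend smtp_in
    # The proxy holds the public address; mail.example.com (directly, or as
    # the target of the CNAME discussed above) resolves here.
    bind 203.0.113.10:25
    default_backend smtp_cluster

backend smtp_cluster
    balance roundrobin
    # Backends on private addresses with no public DNS entries.  TLS is not
    # terminated here, so each backend must greet with and present the
    # certificate for mail.example.com itself.
    #
    # send-proxy passes the real client address to the backend via the PROXY
    # protocol; check-send-proxy does the same for health checks, otherwise
    # a backend configured to expect the PROXY header will fail the check.
    # Port 25 health checks are plain TCP connects here; the backend will log
    # them as connections that send no greeting.
    server mx1 10.0.0.1:25 check check-send-proxy send-proxy
    server mx2 10.0.0.2:25 check check-send-proxy send-proxy
```

On each backend, if it runs Postfix (an assumption; the thread does not name
the backend software), the matching settings are `myhostname =
mail.example.com` so the greeting carries the public name,
`smtpd_upstream_proxy_protocol = haproxy` (or
`postscreen_upstream_proxy_protocol = haproxy` when postscreen listens on that
port) to consume the PROXY header, and `smtpd_tls_chain_files` pointing at the
key and chain that the backend's own ACME client renews for mail.example.com.
A direct check that a backend is presenting the right certificate, bypassing
the proxy, is `openssl s_client -connect 10.0.0.1:25 -starttls smtp
-servername mail.example.com`, then inspecting the subjectAltName of the
certificate it returns.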