echo
Contributor II

Question about loadbalancer with http+https

We have a web server cluster using HAProxy (as I have heard from the admins); it hosts websites with different domain names and also takes care of all the website certificates. Currently the VIP has been created as a virtual IP with two real servers. The type of this VIP is IP. It turned out later that HTTP sessions broke with some specific websites, since the load-balancing method wasn't aware of HTTP specifics (sessions). We changed our Fortinet cluster to proxy mode and got the "set persistence http-cookie" option for VIPs of type HTTP or HTTPS.

Now I found from Fortinet examples that I should create both an HTTP and an HTTPS type VIP using the same external IP. In this case, whichever one is used from the internet will work for the user. (And usually HTTP is redirected to HTTPS inside the web server too.)

The question is related to the HTTPS VIP. It asks for a certificate. But the certificate is related to the domain of the website the internet user is accessing, and I can't select more than one certificate in the VIP configuration. Does that mean I have to create a separate external IP for every different website and use the appropriate certificate for each of those (with all of them pointing to the same real servers)? Also, changing that certificate later has to be done on both the router and the HAProxy servers at the same time, I guess.

If this is really so, I think it's simpler to use separate VIPs with other external IPs only for those websites that have already turned out to be problematic. This cluster is getting more and more websites, though.

I am not too familiar with website-related possibilities; maybe there is a better way to accomplish this?
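For comparison, here is what the two VIP definitions described in the question look like in the FortiOS CLI: the original IP-type VIP whose load balancing knows nothing about HTTP sessions, and the replacement pair of HTTP and HTTPS VIPs on the same external IP with cookie persistence. This is an added example, not part of the original post and not taken from Fortinet's documentation; the external address, interface, object names and the two real-server addresses are assumed placeholders.

```text
# Assumed placeholders: external IP 203.0.113.10 on wan1, real servers 10.0.0.11 and 10.0.0.12.

# Before: the VIP as the question describes it (type IP). Traffic is balanced per
# IP flow with no knowledge of HTTP, so a user's later requests can land on the
# other real server and an application session breaks.
config firewall vip
    edit "web-ip-lb"
        set type server-load-balance
        set server-type ip
        set extip 203.0.113.10
        set extintf "wan1"
        set ldb-method round-robin
        config realservers
            edit 1
                set ip 10.0.0.11
            next
            edit 2
                set ip 10.0.0.12
            next
        end
    next
end

# After: two VIPs on the same external IP, one per protocol. http-cookie
# persistence is only offered for server-type http/https and needs proxy mode.
config firewall vip
    edit "web-http"
        set type server-load-balance
        set server-type http
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 80
        set ldb-method round-robin
        set persistence http-cookie
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 80
            next
            edit 2
                set ip 10.0.0.12
                set port 80
            next
        end
    next
    edit "web-https"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 443
        set ldb-method round-robin
        set persistence http-cookie
        # Exactly one certificate object is bound here; the FortiGate presents it
        # to every client reaching this VIP, whatever hostname the client asked for.
        set ssl-certificate "web-cluster-cert"
        # full: re-encrypt toward the real servers, since in the setup described
        # HAProxy holds the site certificates; half would send plain HTTP instead.
        set ssl-mode full
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 443
            next
            edit 2
                set ip 10.0.0.12
                set port 443
            next
        end
    next
end
```

The single `set ssl-certificate` line on the HTTPS VIP is the limitation the question runs into: the FortiGate terminates TLS with that one certificate for every site on the address. Whether one certificate on that object can serve several sites depends on the names listed in its Subject Alternative Name extension, not on anything the VIP can do, and the certificate on the VIP must be kept in step with the one HAProxy presents behind it.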

1 reply
ede_pfau
SuperUser

Hmm, you are using two products which have similar features, as needed for a reverse proxy.

I've recently got some experience with the HAProxy ALOHA reverse proxy software, which I had to replace.

The first thing I stumbled upon was matching URLs (subdomains in that case) to divert traffic to different backend servers. This cannot be achieved in FortiOS with a VIP without using several external IPs.

I employed a FortiADC, which is happy to do all this. It picks up HTTPS traffic, routes traffic by looking at the Host part of the request, converts external HTTPS to HTTP internally, and much more (yes, load balancing from a virtual server to a real server group as well). You might have a look into this. The FADC is not expensive IMHO, not comparable to a FortiWeb.

Ede Kernel panic: Aiee, killing interrupt handler!