SSL magic with a load balancer

I’m looking at trying to clean up some of our service configurations, so that each stack can potentially run its own dedicated load balancer. I’m running into inevitable port conflicts, and although I don’t think what I’m trying to do will be possible, I thought it worth asking the question on the off-chance that somebody has a clever solution!

I have Service A in a stack, which I want to serve with the domain a.example.com, over port 443 with SSL.

I have Service B in another stack, which I want to serve with the domain b.example.com, over port 443 with SSL.

I can configure a load balancer in one or other of the stacks, listening on port 443, with advanced routing redirecting to the appropriate service, based on hostname. I can also get this working with SSL configured.

This doesn’t scale well though. If I configure this load balancer in Service A’s stack, then maintenance on Service A stack can affect Service B. Also, I don’t think I can easily configure more than two SSL certificates.

I could configure the load balancer entirely in its own stack, but that means there’s more decoupling than I’d like (and also doesn’t solve the scaling of the SSL config). Is there a clever way I can configure Service A and Service B, so that they have their own load balancers configured to listen on the same port, but for different domains?

Have you looked at our hostname routing rules?

In the UI:
http://docs.rancher.com/rancher/latest/en/rancher-ui/applications/stacks/adding-balancers/#advanced-routing-options

In rancher-compose:
http://docs.rancher.com/rancher/latest/en/rancher-compose/rancher-services/#advanced-load-balancing-l7

The only caveat would be that we don’t support being able to use different SSL certificates with hostname routing.

Thanks for the suggestion, Denise. We’re currently using hostname routing, and it works beautifully. What I’m really interested in discovering though is: is it possible to configure two load balancers, with two different domains, but listening on the same port?

On different hosts yes, on the same one no. A container has to be bound to a single container.