= HAProxy SSL =

'''`haproxy(1)`''' has two modes for handling [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] encryption.

As a reverse proxy server, the common configuration is to '''terminate''' encryption within `haproxy(1)` and pass traffic to backend servers over [[Protocols/HTTP|HTTP]].

The alternative is to '''pass through''' the encrypted traffic as [[Protocols/TCP|TCP packets]].

<<TableOfContents>>

----



== Certificates ==

`haproxy(1)` uses '''PEM-formatted certificates''' for encryption. This is simply the certificate (including any intermediate chain) and the private key concatenated into a single file.



=== Let's Encrypt ===

If using a [[Encryption/LetsEncrypt|Let's Encrypt]] certificate, note that `certbot(1)` does not generate the required file. The following script can be used by either a `cron` job or set as a `certbot(1)` [[Encryption/Certbot#Hooks|post-installation hook]].

{{{
#!/bin/sh
# Concatenate the Let's Encrypt chain and private key into the single
# PEM bundle that haproxy(1) expects.
set -eu

domain="example.com"
dir="/etc/letsencrypt/live/${domain}"

# The bundle contains the private key, so create it readable by the owner only.
umask 077
cat "${dir}/fullchain.pem" "${dir}/privkey.pem" > "${dir}/${domain}.pem"
}}}

----



== Termination ==

To terminate encryption, the `bind` directive needs the `ssl` keyword, the path to the PEM bundle (`crt`), and optionally an `alpn` list so that HTTP/2 can be negotiated. The ALPN protocol names are comma-separated with no spaces, and HTTP/1.1 is spelled `http/1.1`.

{{{
frontend https_frontend
  bind *:443 ssl crt /path/to/the/pem/certificate alpn h2,http/1.1
}}}



=== Hardening ===

First, set a minimum version of [[Encryption/TLS|TLS]].

{{{
global
  ssl-default-bind-options ssl-min-ver TLSv1.2
}}}

If a server is configured for HTTPS, consider redirecting HTTP to HTTPS.

{{{
  http-request redirect scheme https unless { ssl_fc }
}}}

...or, to make the redirect permanent...

{{{
  http-request redirect scheme https code 301 unless { ssl_fc }
}}}

Without an explicit code the redirect is a 302 (temporary). The latter form returns a 301, which clients cache, so only use it once HTTPS is known to work.

These directives can be placed in a `frontend` or `backend` block.
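Putting the pieces of this section together, the following is a complete termination configuration added here as an example; it is not taken from the original page. The bundle path `/etc/haproxy/certs/example.com.pem`, the backend name `web_servers` and the address `127.0.0.1:8080` are assumed. The `no-tls-tickets` option and the HSTS header go beyond what the page covers and are marked as such in the comments.

```haproxy
global
  # Refuse TLS 1.0/1.1 on every "ssl" bind (as on the page). "no-tls-tickets"
  # is an addition: it disables stateless session tickets, whose long-lived
  # ticket key would otherwise weaken forward secrecy.
  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
  mode http
  timeout connect 5s
  timeout client  30s
  timeout server  30s

frontend https_frontend
  # Plain HTTP is accepted only so that it can be redirected.
  bind *:80
  # Assumed path for the concatenated certificate + key bundle.
  bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1

  # Permanent redirect; clients cache it, so enable once HTTPS is known to work.
  http-request redirect scheme https code 301 unless { ssl_fc }

  # HSTS (addition): browsers that have seen this header skip the HTTP step
  # on later visits. Only meaningful on responses sent over TLS.
  http-response set-header Strict-Transport-Security "max-age=63072000" if { ssl_fc }

  default_backend web_servers

backend web_servers
  # Traffic is decrypted in the frontend and forwarded as plain HTTP.
  server app1 127.0.0.1:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a malformed `bind` line (for example a space inside the `alpn` list) is rejected at this step rather than at runtime.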

----



== Pass-through ==

If certificates will not be handled by `haproxy(1)`, then configuration is much the same as with unencrypted traffic. The exception is that `mode` must be set to `tcp`: the HTTP headers are inside the encrypted stream, so they cannot be inspected or rewritten.
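A pass-through configuration, added here as an example and not part of the original page. Besides `mode tcp` it shows the one piece of the TLS exchange that is still readable without decryption, the server name (SNI) in the ClientHello, and routes on it; the hostnames and backend addresses are assumed.

```haproxy
frontend https_passthrough
  mode tcp
  bind *:443

  # Hold the connection (up to 5s) until the TLS ClientHello has arrived so
  # the SNI extension can be read. Handshake type 1 is a ClientHello.
  # Nothing is decrypted; the record is only parsed.
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }

  # Route by server name (assumed hostnames).
  use_backend app_a_tls if { req.ssl_sni -i app-a.example.com }
  use_backend app_b_tls if { req.ssl_sni -i app-b.example.com }
  default_backend app_a_tls

backend app_a_tls
  mode tcp
  # Backends hold their own certificates and terminate TLS themselves.
  server a1 10.0.0.11:443 check

backend app_b_tls
  mode tcp
  server b1 10.0.0.21:443 check
```

Because the stream is opaque to `haproxy(1)`, no `X-Forwarded-For` header can be inserted; the backend sees the proxy's address as the client unless the PROXY protocol (`send-proxy` on the `server` line, with matching support on the backend) is used.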



----
CategoryRicottone