= HAProxy SSL =

'''`haproxy(1)`''' has two modes for handling [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] encryption. As a reverse proxy server, the common configuration is to '''terminate''' encryption within `haproxy(1)` and pass traffic to backend servers over plain [[Protocols/HTTP|HTTP]]. The alternative is to '''pass through''' the encrypted traffic untouched as [[Protocols/TCP|TCP packets]].

----

== Certificates ==

`haproxy(1)` uses '''PEM-formatted certificates''' for encryption. This is simply the certificate (with its chain) and the private key concatenated into a single file.

=== Let's Encrypt ===

If using a [[Encryption/LetsEncrypt|Let's Encrypt]] certificate, note that `certbot(1)` does not generate the required combined file. The following script can be run either as a `cron` job or as a `certbot(1)` [[Encryption/Certbot#Hooks|post-installation hook]].

{{{
#!/bin/sh
# Concatenate the full chain and the private key into the single PEM file that haproxy(1) expects.
domain="example.com"
dir="/etc/letsencrypt/live/${domain}"

# The output contains the private key, so do not let it be created world-readable.
umask 077
cat "${dir}/fullchain.pem" "${dir}/privkey.pem" > "${dir}/${domain}.pem"
}}}

----

== Termination ==

To terminate encryption, the `bind` directive requires some additional parameters: `ssl` enables termination, `crt` points at the combined PEM file, and `alpn` advertises the protocols clients may negotiate.

{{{
frontend https_frontend
    bind *:443 ssl crt /path/to/the/pem/certificate alpn h2,http/1.1
}}}

=== Hardening ===

First, set a minimum version of [[Encryption/TLS|TLS]].

{{{
global
    ssl-default-bind-options ssl-min-ver TLSv1.2
}}}

If a server is configured for HTTPS, consider redirecting HTTP to HTTPS.

{{{
http-request redirect scheme https unless { ssl_fc }
}}}

...or...

{{{
http-request redirect scheme https code 301 unless { ssl_fc }
}}}

The latter returns a permanent (301) redirect, which clients will cache. These directives can be placed in a `frontend` or `backend` block.

----

== Pass-through ==

If certificates will not be handled by `haproxy(1)`, then configuration is much the same as with unencrypted traffic. The exception is that `mode` must be set to `tcp`, as the payload stays encrypted and HTTP headers will not be available for inspection.

----
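A complete configuration that ties the sections above together: the hardened TLS default, a plain-HTTP frontend that issues the cached redirect, the terminating frontend on 443 (which also tells backends the original scheme via `X-Forwarded-Proto`), and a separate TCP pass-through listener. This is an added example, not configuration from the original page; the certificate path, ports and backend addresses are assumptions.

```haproxy
# Assumed layout: certificate from the Let's Encrypt script above,
# one HTTP app on 127.0.0.1:8080, one TLS app on 10.0.0.5:443 (all placeholders).
global
    # Applies to every "bind ... ssl" line below.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP only exists to send clients to HTTPS; ssl_fc is never true here.
frontend http_frontend
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# TLS is terminated here; traffic continues to the backend as plain HTTP.
frontend https_frontend
    bind *:443 ssl crt /etc/letsencrypt/live/example.com/example.com.pem alpn h2,http/1.1
    # Let the backend know the client connection was encrypted.
    http-request set-header X-Forwarded-Proto https
    default_backend web_servers

backend web_servers
    server web1 127.0.0.1:8080 check

# Pass-through: the encrypted stream is forwarded as-is, so both sides run in tcp mode
# and no http-request rules can be applied to it.
frontend tls_passthrough
    bind *:8443
    mode tcp
    default_backend tls_backend

backend tls_backend
    mode tcp
    server app1 10.0.0.5:443 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, which catches syntax errors such as a space inside the `alpn` list.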