HAProxy SSL

haproxy(1) has two modes for handling SSL/TLS.

As a reverse proxy, the common configuration is to terminate TLS within haproxy(1) and pass traffic to backend servers as plain HTTP. This lets haproxy(1) inspect and route on HTTP headers, but the hop to the backend is unencrypted and should be confined to a trusted network.

The alternative is to pass the encrypted stream through to the backend untouched, as opaque TCP. haproxy(1) then never sees the plaintext and can only route on what is visible in the TLS handshake.


Certificates

haproxy(1) loads certificates from PEM files. The file handed to the crt parameter must contain the certificate, any intermediate (chain) certificates and the private key, concatenated. Because it contains the private key it should be readable by root only; haproxy(1) reads it at startup before dropping privileges, so it needs no wider permissions. Since HAProxy 2.2 the key may instead sit in a separate file next to the certificate with a .key suffix (e.g. example.com.pem.key), which is loaded automatically.

Let's Encrypt

If using a Let's Encrypt certificate, note that certbot(1) writes fullchain.pem and privkey.pem as separate files and does not generate the combined file. The following script builds it. It can be run from a cron job or, better, registered as a certbot(1) deploy hook (the --deploy-hook option), which runs only after a certificate has actually been issued or renewed. Either way, haproxy(1) must be reloaded afterwards or it keeps serving the old certificate.

domain="example.com"
dir="/etc/letsencrypt/live/${domain}"

# The combined file holds the private key, so create it readable by root only.
umask 077
cat "${dir}/fullchain.pem" "${dir}/privkey.pem" > "${dir}/${domain}.pem"
# Reload so haproxy(1) picks up the new certificate (the command is distro specific).
systemctl reload haproxy
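A deploy-hook version of the same idea, added here as an example and not taken from the original page or from certbot(1): certbot exports the directory of the renewed certificate in RENEWED_LINEAGE, so one hook serves every domain. The output directory /etc/haproxy/certs, the reload command and the hostnames are assumptions. The file is written with mode 0600 and renamed into place so haproxy(1) can never load a half-written PEM on a reload that races the hook.

```shell
#!/bin/sh
# Added example (not from the original page): a certbot deploy hook that
# builds the combined PEM haproxy(1) expects for whichever certificate
# certbot just renewed, writes it atomically with restrictive permissions,
# and reloads haproxy(1). Paths and the reload command are assumptions.
set -eu

# Build "<outdir>/<name>.pem" from a certbot lineage directory and print
# the path of the file written. Returns 1 if the lineage is incomplete.
build_haproxy_pem() {
    lineage="$1"       # e.g. /etc/letsencrypt/live/example.com
    outdir="$2"        # e.g. /etc/haproxy/certs (assumed)
    name=$(basename "$lineage")
    out="${outdir}/${name}.pem"

    # Refuse to proceed on an incomplete lineage rather than write a broken file.
    [ -s "${lineage}/fullchain.pem" ] || { echo "missing fullchain.pem in ${lineage}" >&2; return 1; }
    [ -s "${lineage}/privkey.pem" ]   || { echo "missing privkey.pem in ${lineage}" >&2; return 1; }

    # The result contains the private key: create it 0600 (umask in a subshell
    # so the caller's umask is untouched), then rename so haproxy(1) never sees
    # a partially written file.
    tmp="${out}.tmp.$$"
    ( umask 077; cat "${lineage}/fullchain.pem" "${lineage}/privkey.pem" > "$tmp" )
    mv -f "$tmp" "$out"
    echo "$out"
}

# Entry point when run by certbot: RENEWED_LINEAGE names the renewed certificate.
# Guarded so the function can be sourced or tested without side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" /etc/haproxy/certs
    systemctl reload haproxy
fi
```

Register it once with certbot (for example, certbot renew --deploy-hook /usr/local/sbin/haproxy-cert-hook, an assumed path), and point the bind line's crt at the output directory so every renewed certificate is picked up without editing the haproxy(1) configuration.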


Termination

To terminate TLS, the bind directive needs the ssl keyword and a crt parameter naming the PEM file. crt may also name a directory, in which case every PEM file in it is loaded and the certificate matching the client's SNI is served. The alpn parameter advertises the application protocols the frontend speaks; the list is comma separated with no spaces, and the HTTP/1.1 identifier is http/1.1.

frontend https_frontend
  bind *:443 ssl crt /path/to/the/pem/certificate alpn h2,http/1.1

Hardening

First, set a minimum version of TLS. Putting it in the global section makes every ssl bind inherit it; TLS 1.0 and 1.1 are deprecated and should not be offered.

global
  ssl-default-bind-options ssl-min-ver TLSv1.2

If a server is configured for HTTPS, consider redirecting HTTP to HTTPS. Without an explicit code the redirect is a temporary 302:

  http-request redirect scheme https unless { ssl_fc }

Adding code 301 makes it permanent:

  http-request redirect scheme https code 301 unless { ssl_fc }

Browsers cache a 301, so clients keep going to HTTPS even if the rule is later removed; use it only once the HTTPS setup is confirmed working. The ssl_fc fetch is true only when the client's own connection was TLS, so the rule is safe in a frontend that binds both :80 and :443.

These http-request rules can be placed in a frontend, backend or listen block.
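The hardening steps combined into one configuration, as an added example rather than configuration from the original page: the global defaults pin the protocol version and restrict ciphers to forward-secret AEAD suites, and a single frontend listens on both ports, redirects plaintext and terminates TLS. The certificate directory, backend name and server address are assumptions.

```haproxy
global
    # Applies to every "bind ... ssl" line unless overridden there.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    # TLS 1.2 ciphers: ECDHE for forward secrecy, AEAD only (no CBC, no RSA key exchange).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites; requires a build against OpenSSL 1.1.1 or later.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend web
    bind *:80
    # Every PEM file in the directory (assumed path) is loaded; the one matching the client's SNI is served.
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    # Plaintext requests get a cacheable redirect; requests that arrived over TLS (ssl_fc) pass through.
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend app

backend app
    # Assumed backend; traffic on this hop is plain HTTP.
    server app1 127.0.0.1:8080 check
```

Check the result with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, and from a client confirm that openssl s_client -connect host:443 -tls1_1 fails while -tls1_2 succeeds.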


Pass-through

If certificates will not be handled by haproxy(1), the configuration is much the same as for unencrypted traffic. The exception is that mode must be set to tcp in both the frontend and the backend, as HTTP headers are encrypted and cannot be inspected. The only routing key available is what the client sends in the clear in the TLS ClientHello, chiefly the SNI server name. Since haproxy(1) does not decrypt the stream it also cannot add headers such as X-Forwarded-For; if the backend needs the client address, use the PROXY protocol (send-proxy on the server line) with a backend that understands it.
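Pass-through with routing on the SNI name, added here as an example that is not on the original page. The frontend must be told to buffer the start of the stream until the ClientHello has arrived, otherwise the req.ssl_sni fetch is evaluated on an empty buffer and every connection falls through to the default backend. Hostnames and backend addresses are assumptions.

```haproxy
frontend tls_passthrough
    mode tcp
    bind *:443
    # Wait (up to 5s) for a ClientHello (handshake type 1) before running the content rules;
    # without this the SNI fetch below runs before the name has arrived.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the server name; the TLS session itself is never decrypted here.
    use_backend app_a if { req.ssl_sni -i app-a.example.com }
    use_backend app_b if { req.ssl_sni -i app-b.example.com }
    default_backend app_a

backend app_a
    mode tcp
    # The backend terminates TLS itself, so it must hold its own certificate (assumed address).
    server a1 10.0.0.11:443 check

backend app_b
    mode tcp
    server b1 10.0.0.12:443 check
```

Note that the HTTP-to-HTTPS redirect from the Hardening section cannot be used in a tcp-mode frontend; a plaintext :80 listener, if wanted, needs its own http-mode frontend.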


CategoryRicottone

HAProxy/SSL (last edited 2023-04-08 17:30:16 by DominicRicottone)