Ubuntu 16.04
Sponsored Link

HAProxy : SSL Settings
2016/06/07
 
Configure HAProxy with SSL.
The connection between HAproxy and Clients are encrypted with SSL. ( HAproxy - backends are normal )
This example based on the environment like follows.
       |
-------+-----------------------------------------------
       |
       +-------------------+--------------------+
       |10.0.0.30          |10.0.0.51           |10.0.0.52
 +-----+-----+     +-------+------+     +-------+------+
 | Frontend  |     |   Backend#1  |     |   Backend#2  |
 |  HAProxy  |     |  Web Server  |     |  Web Server  |
 +-----------+     +--------------+     +--------------+

[1] Create SSL certificates.
root@dlp:~#
cd /etc/ssl/private

root@dlp:/etc/ssl/private#
openssl req -x509 -nodes -newkey rsa:2048 -keyout haproxy.pem -out haproxy.pem -days 365

Generating a 2048 bit RSA private key
....................................................+++
writing new private key to 'haproxy.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
JP
   
# country

State or Province Name (full name) [Some-State]:
Hiroshima
   
# state

Locality Name (eg, city) []:
Hiroshima
   
# city

Organization Name (eg, company) [Internet Widgits Pty Ltd]:
GTS
   
# company

Organizational Unit Name (eg, section) []:
Server World
   
# department

Common Name (eg, YOUR name) []:
www.srv.world
   
# server's FQDN

Email Address []:
root@srv.world
   
# admin email address
root@dlp:/etc/ssl/private#
chmod 600 haproxy.pem

[2] Configure HAProxy for SSL.
root@dlp:~#
vi /etc/haproxy/haproxy.cfg
# add in the "global" section

global
      # max per-process number of SSL connections

    maxsslconn     256
      # set 2048 bits for Diffie-Hellman key

    tune.ssl.default-dh-param 2048

# add follows in the "frontend" section

frontend  http-in
    bind *:80
      # specify port and certs

    bind *:443 ssl crt /etc/ssl/private/haproxy.pem

root@dlp:~#
systemctl restart haproxy

[3] Make sure all works fine to access to the frontend server from a Client with HTTPS like follows.
 
Tweet