Configure Haproxy to Terminate SSL/TLS on Ubuntu 14.04

HAProxy is an excellent software load balancer with a very small footprint and low memory consumption, plus built-in connection and request rate limiting (stick tables) that helps mitigate DDoS floods. It is highly stable, keeps consistent connections to the backend servers, and has health checks that work at layer 4 (TCP) and layer 7 (HTTP and other application protocols). A separate article covers installing HAProxy on Ubuntu 14.04.

There are two main strategies for handling SSL/TLS on HAProxy:

SSL termination: HAProxy decrypts the TLS connection at the load balancer and forwards plain HTTP to the backend servers. Because it sees the HTTP traffic, it can route on URLs, add headers and rewrite responses.

SSL pass-through: HAProxy forwards the encrypted TCP connection to the backend servers unchanged. Each backend holds its own certificate, and HAProxy can neither inspect nor modify the HTTP exchange.

This article walks through setting up SSL termination on HAProxy. The certificate and key then live only on the load balancer instead of on every backend server you add, while the load balancer still spreads work among many backends for performance, availability and redundancy.

Note: HAProxy supports native SSL/TLS termination from version 1.5. The haproxy package in the stock Ubuntu 14.04 repository is 1.4, so check the installed version with haproxy -v and install 1.5 (for example from the ppa:vbernat/haproxy-1.5 PPA) before continuing.

Here we will use a self-signed certificate. That is fine for testing, but every browser will show a warning for it; for production, use a certificate issued by a CA and include the intermediate chain in the bundle.

Generate Certificate and Private Key

Run the following as root (or prefix each command with sudo). openssl req prompts for the subject fields; set the Common Name to the hostname clients will use.

openssl genrsa -out /etc/ssl/private/server.key 2048
mkdir /etc/ssl/csr
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/csr/server.csr
openssl x509 -req -days 365 -in /etc/ssl/csr/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt
cat /etc/ssl/certs/server.crt /etc/ssl/private/server.key > /etc/ssl/certs/server.bundle.pem

HAProxy reads the certificate and the key from this single bundle file; the usual order is the server certificate, then any intermediate certificates, then the private key. Because the bundle contains the private key it must not be world-readable: restrict it to root (mode 600), or keep it under /etc/ssl/private rather than /etc/ssl/certs.
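The same procedure as a script, added here as an example rather than taken from the original article. It wraps the openssl commands in a function that writes to a directory of your choosing under a restrictive umask, so the bundle holding the private key is never created world-readable, and it goes one step beyond the text by checking that the certificate and the key inside the bundle actually belong together, the usual reason HAProxy refuses to start on a hand-assembled bundle. The output directory, the Common Name lb.example.test and the use of -subj to avoid the interactive prompts are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): build the combined PEM bundle
# HAProxy 1.5 expects and verify it before handing it to the load balancer.
set -eu

# make_haproxy_bundle <output-dir> <common-name> [days]
# Writes server.key, server.csr, server.crt and server.bundle.pem into <output-dir>.
make_haproxy_bundle() {
    local dir="$1" cn="$2" days="${3:-365}"
    mkdir -p "$dir"
    # umask 077 in a subshell: every file created here is owner-readable only,
    # which matters because the bundle contains the private key.
    ( umask 077
      openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
      # -subj supplies the subject so no interactive prompt is needed (assumption).
      openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
          -subj "/CN=$cn" 2>/dev/null
      openssl x509 -req -days "$days" -in "$dir/server.csr" \
          -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
      # Certificate first, private key after it: the single file HAProxy loads.
      cat "$dir/server.crt" "$dir/server.key" > "$dir/server.bundle.pem"
    )
}

# bundle_is_consistent <bundle.pem>
# Returns 0 when the public key in the certificate equals the public key derived
# from the private key in the same file, 1 otherwise. openssl reads the first
# CERTIFICATE block for x509 and skips to the key block for pkey.
bundle_is_consistent() {
    local bundle="$1" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# bundle_mode <file>: octal permission bits, e.g. 600 (GNU stat, BSD fallback).
bundle_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on the load balancer (paths are assumptions):
#   make_haproxy_bundle /etc/ssl/private lb.example.test
#   bundle_is_consistent /etc/ssl/private/server.bundle.pem && echo "bundle OK"
```

Point HAProxy at the bundle only after bundle_is_consistent succeeds; a certificate and key that do not match is the first thing to rule out when bind *:443 ssl crt fails at startup.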

Configure HAProxy

Some key points to remember:

* Disable SSLv3; the POODLE attack makes it unsafe.

* All applications and servers should use TLS 1.0 or later. TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so disable them too unless you must support old clients; HAProxy 1.5 accepts no-tlsv10 and no-tlsv11 alongside no-sslv3.

* HAProxy 1.5 defaults to 1024-bit Diffie-Hellman parameters and warns about it at startup; set tune.ssl.default-dh-param 2048 in the global section to avoid a weak DHE key exchange.

sudo vim /etc/haproxy/haproxy.cfg

Add the following line to the global section (ssl-default-bind-options is a 1.5 keyword and applies to every bind line that uses ssl):

ssl-default-bind-options no-sslv3

Add the following frontend to the bottom of the same file. These rules need mode http, which the stock Ubuntu haproxy.cfg already sets in its defaults section:

frontend haproxy-LB
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
    redirect scheme https if !{ ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=31536000
    rspirep ^(set-cookie:.*) \1;\ Secure
    default_backend www-backend

Explanation:

  • bind *:80 and bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem tell HAProxy to listen on every address on ports 80 and 443, and to terminate TLS on 443 with the certificate and key from the bundle generated above.
  • redirect scheme https if !{ ssl_fc } answers every plain-HTTP request with a redirect to the same URL over HTTPS; ssl_fc is true only when the client connection itself arrived over TLS.
  • rspadd Strict-Transport-Security:\ max-age=31536000 adds an HSTS header, which tells browsers to use HTTPS only for this host for one year and so defeats SSL-stripping downgrade attacks. Browsers ignore HSTS received over plain HTTP, so the rule can be limited to TLS responses with if { ssl_fc }.
  • rspirep ^(set-cookie:.*) \1;\ Secure appends the Secure attribute to every Set-Cookie header, so browsers send those cookies only over HTTPS. It also appends the attribute to cookies that already carry it, which is harmless.

Optionally add reqadd X-Forwarded-Proto:\ https if { ssl_fc } to the frontend. Because the backends receive plain HTTP, this header is the only way they can tell that the client used HTTPS and build https:// links and redirects correctly. It applies to termination, not to pass-through, where HAProxy cannot modify headers at all.

Note that reqadd, rspadd and rspirep were removed in HAProxy 2.1; on current versions use http-request set-header, http-response set-header and http-response replace-header instead.

Backend Configuration

Add the following backend to the bottom of the same file. Each server line has the form server <name> <address>:<port> [options]: the keyword is always server, followed by a unique name for that backend:

backend www-backend
    server app1 app1_private_IP:80 check
    server app2 app2_private_IP:80 check

check enables health checks, so a backend that stops answering is taken out of rotation. Traffic from HAProxy to the backends is plain HTTP, so this is only acceptable on a trusted private network; otherwise re-encrypt by pointing the servers at their HTTPS port and adding ssl verify required with a ca-file on each server line, which HAProxy 1.5 supports.
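Putting the pieces together, here is a complete haproxy.cfg for HAProxy 1.5 that applies the points above. It is added here as an example and is not the article's own configuration: the backend addresses 10.0.0.11 and 10.0.0.12 and the bundle path under /etc/ssl/private are assumptions, the cipher list is one conservative choice rather than the only valid one, and the header rules are restricted to TLS responses with if { ssl_fc } where the original applies them unconditionally.

```haproxy
# Added example (not the article's configuration): complete haproxy.cfg for
# HAProxy 1.5 with TLS termination. Addresses, paths and the cipher list are
# assumptions to be adapted.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Reject SSLv3 (POODLE). TLS 1.0/1.1 are deprecated too (RFC 8996); drop
    # them unless old clients must be supported.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
    # 1.5 defaults to 1024-bit DH parameters; 2048 avoids a weak DHE exchange.
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend haproxy-LB
    bind *:80
    # Bundle = certificate, then intermediates, then private key; mode 600.
    bind *:443 ssl crt /etc/ssl/private/server.bundle.pem
    # Send plain-HTTP clients to HTTPS before anything else is evaluated.
    redirect scheme https code 301 if !{ ssl_fc }
    # Tell the backends the original scheme so they build https:// links.
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    # HSTS is only meaningful on TLS responses; browsers ignore it over HTTP.
    rspadd Strict-Transport-Security:\ max-age=31536000 if { ssl_fc }
    # Mark every cookie Secure so it is never sent back over plain HTTP.
    rspirep ^(set-cookie:.*) \1;\ Secure if { ssl_fc }
    default_backend www-backend

backend www-backend
    balance roundrobin
    # Plain HTTP to the backends: acceptable only on a trusted private network.
    server app1 10.0.0.11:80 check
    server app2 10.0.0.12:80 check
```

Validate with haproxy -c -f /etc/haproxy/haproxy.cfg before restarting. On HAProxy 2.1 and later the reqadd, rspadd and rspirep lines must become http-request set-header X-Forwarded-Proto https if { ssl_fc }, http-response set-header Strict-Transport-Security max-age=31536000 if { ssl_fc } and http-response replace-header Set-Cookie (.*) \1;\ Secure.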

Save the file, validate it, then restart HAProxy:

sudo service haproxy restart
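After the restart it is worth proving that the properties configured above actually hold on the wire. The script below is an added example, not part of the original article: the small helpers evaluate captured HTTP response headers (redirect to HTTPS, HSTS with a long enough max-age, Secure on every cookie), and check_termination drives them with curl and openssl against a live load balancer, including an SSLv3 handshake attempt. The hostname lb.example.test is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): post-deployment checks for
# an HAProxy TLS-termination frontend. Hostname is an assumption.
set -eu

# Validate the configuration file before (re)starting the daemon.
validate_config() {
    haproxy -c -f "${1:-/etc/haproxy/haproxy.cfg}"
}

# redirects_to_https <headers>: 0 if the status is a redirect (301/302/307/308)
# and the Location header points at an https:// URL.
redirects_to_https() {
    hdr=$(printf '%s\n' "$1" | tr -d '\r')
    printf '%s\n' "$hdr" | head -n 1 | grep -qE '^HTTP/[0-9.]+ 30[1278]' &&
        printf '%s\n' "$hdr" | grep -qiE '^location:[[:space:]]*https://'
}

# hsts_ok <headers>: 0 if Strict-Transport-Security is present with a max-age
# of at least one year (31536000 seconds), as configured in the frontend.
hsts_ok() {
    age=$(printf '%s\n' "$1" | tr -d '\r' \
          | grep -i '^strict-transport-security:' \
          | grep -io 'max-age=[0-9]*' | head -n 1 | tr -dc '0-9')
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# cookies_secure <headers>: 0 if every Set-Cookie header carries the Secure
# attribute (vacuously true when the response sets no cookie at all).
cookies_secure() {
    ! printf '%s\n' "$1" | tr -d '\r' | grep -i '^set-cookie:' \
        | grep -qviE ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)'
}

# check_termination <host>: probe a running load balancer and print one
# PASS/FAIL line per property. -k is needed because the cert is self-signed.
check_termination() {
    host="$1"
    http=$(curl -sSI --max-time 5 "http://$host/")
    https=$(curl -sSIk --max-time 5 "https://$host/")
    redirects_to_https "$http" && echo "PASS http -> https redirect" \
                               || echo "FAIL no https redirect on port 80"
    hsts_ok "$https"          && echo "PASS HSTS header on TLS response" \
                               || echo "FAIL HSTS missing or max-age too short"
    cookies_secure "$https"   && echo "PASS all cookies marked Secure" \
                               || echo "FAIL a Set-Cookie lacks Secure"
    # A failed handshake also happens when the local openssl cannot speak
    # SSLv3 any more, so PASS here means "not shown vulnerable", not "proven safe".
    if openssl s_client -connect "$host:443" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "FAIL SSLv3 handshake accepted (POODLE)"
    else
        echo "PASS SSLv3 handshake rejected"
    fi
}

# Usage: validate_config && check_termination lb.example.test
```

Run validate_config before every restart; a syntax error otherwise leaves you with a stopped load balancer rather than a rejected config. The helpers are written to take captured text so they can also be run over headers saved from a browser's developer tools.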

Now create some HTML/PHP files on the web servers to test the load balancer. A request to the load balancer's IP address over HTTP should be redirected to HTTPS, where, after accepting the self-signed certificate warning, you should see your HTML or PHP content.

Let me know your feedback; your feedback is important for writing more articles about HAProxy.
