
This assumes you have installed HAProxy.
There are a few ways to configure SSL in HAProxy. One way is to configure the HAProxy frontend with SSL and leave the backends without SSL. This is known as SSL Termination or Edge SSL.
Another way is that the frontend would not be configured with SSL, and the backends would be configured with SSL.
Or you could have any sort of mixture of the two, where some frontends are configured with SSL, others are not, some backends are configured with SSL, others are not.
Frontend SSL
Let's say you want requests submitted to HAProxy on HTTPS port 443 (frontend) to be forwarded to the two web servers (backend). In this scenario, haproxy.cfg would contain something like this.

    frontend main
        # SSL is terminated here; foo.pem holds the certificate and its private key
        bind *:443 ssl crt /etc/pki/tls/foo.pem
        default_backend webservers

    backend webservers
        balance roundrobin
        # Requests are passed to the web servers over plain HTTP on port 80
        server webservers1 www1.example.com:80 check
        server webservers2 www2.example.com:80 check

Notice that in the frontend, a wildcard is used in the bind directive instead of the HAProxy server's hostname or IP address. This is usually a good idea, because if the hostname or IP address of your HAProxy server changes, you don't need to update it in haproxy.cfg.
Notice also that the bind directive points to the /etc/pki/tls/foo.pem file. The PEM file will need to contain both the public certificate and private key that will be used for SSL termination. OpenSSL can be used to create a PEM file that contains both a public certificate and private key.
Notice also that the two web servers in the backend are using port 80. In this scenario, HAProxy will be taking care of the SSL negotiation, and then passing requests on to the web servers over HTTP (no SSL).
If you have a firewall, such as iptables or firewalld, allow port 443 in the firewall, and then restart the haproxy service for this change to take effect.
Let's say index.html on the www1.example.com web server contains "web server A" and index.html on the other web server www2.example.com contains "web server B". When navigating to https://<ip address or hostname>/index.html, where "ip address or hostname" is the IP address or hostname of your HAProxy service, the request should first be routed to web server A.
Refreshing the web browser, the next request should go to web server B.
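One way to build and check the combined PEM file that the bind directive's crt option points to, as an added example that is not part of the original article; the function names and input file names are assumptions. It refuses a private key that does not belong to the certificate and keeps the file readable by its owner only, since the file contains the private key.

```bash
#!/usr/bin/env bash
# Added example: build the combined PEM expected by "bind ... ssl crt".
# Function names and file names are assumptions made for this example.

# Succeeds only if the private key in $2 belongs to the certificate in $1.
# Compares the public key embedded in the certificate with the one derived
# from the private key.
cert_matches_key() {
    local cert=$1 key=$2 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Writes certificate followed by key to $3 with mode 600.
# Nothing is written when the pair does not match.
build_haproxy_pem() {
    local cert=$1 key=$2 out=$3 tmp
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
    tmp=$(mktemp "${out}.XXXXXX") || return 1   # mktemp creates the file 0600
    if cat "$cert" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Re-checks an existing bundle: the first certificate and the key in it must
# match, and the file must not be accessible to group or others.
check_haproxy_pem() {
    local pem=$1 mode
    cert_matches_key "$pem" "$pem" || return 1
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "mode $mode is too open" >&2; return 1 ;;
    esac
}

# Usage: build_haproxy_pem server.crt server.key /etc/pki/tls/foo.pem
```
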
Backend SSL
And here is an example of how to set up backend SSL.
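    frontend main
        # No SSL on the frontend; port 80 is assumed here
        bind *:80
        default_backend webservers

    backend webservers
        balance roundrobin
        # Connect to the web servers over SSL on port 443; ca-file holds the
        # CA certificate(s) used to verify the certificates they present
        server webservers1 www1.example.com:443 check ssl ca-file /etc/pki/tls/foo.pem
        server webservers2 www2.example.com:443 check ssl ca-file /etc/pki/tls/foo.pem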