Configuring HAProxy SSL Bypass

HAProxy is free, open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers.

Why use SSL Passthrough instead of SSL Termination?

The main reason is if a company requires encrypted communication internally, as well as externally.  With SSL Termination, the request between the load balancer and the client is encrypted.  But the load balancer takes on the role to decrypt and passes that back to the server.

With SSL Pass-through, the request goes through the load balancer as is, and the decryption happens on the Application server.

1 . Install haproxy from the yum repo (make sure the VM is subscribed)

2 . Modify /etc/haproxy/haproxy.cfg (create backup copy, first, if not part of your standard process)

# Sample haproxy.cfg
# Example configuration for a possible web application.  See the
# full configuration options online.
# Global settings
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the ‘-r’ option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #    local2.*                       /var/log/haproxy.log
    log local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/
    maxconn     4000
    user        haproxy
    group       haproxy
    tune.ssl.default-dh-param   2048  # Add this setting to enable HTPPS Access
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
# common defaults that all the ‘listen’ and ‘backend’ sections will
# use if not designated in their block
    mode                    http
    log                     global
   option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
# main frontend which proxys to the backends
frontend https-in   #create a frontend
    bind *:443 
    mode tcp
    option tcplog 
    default_backend    app        #This settings points to backend server named ‘app’

# static backend for serving up images, stylesheets and such
#backend static
#    balance     roundrobin
#    server      static check
# round robin balancing between the various backends
backend app
    mode tcp
    option ssl-hello-check
    balance     roundrobin
    server  app1 check  # the IP and Port to be defined based on backend server IP and port number

3 . Enable the Services

4 . Enable the Haproxy logging

a . Uncomment the line below the file /etc/haproxy/haproxy.cfg

b . Restart the haproxy service:

# systemctl restart haproxy.servicec

c . Uncomment the following lines of the file /etc/rsyslog.conf and add the $UDPServerAddress line

d . Create the file haproxy.conf in directory /etc/rsyslog.d/ with content below

# vi /etc/rsyslog.d/haproxy.conf

e . Restart the rsyslog service

 # systemctl restart rsyslog.service

f . Check access logs to the haproxy in the file


If you want to configure the HAProxy with SSL Termination go through this blog

One Reply to “Configuring HAProxy SSL Bypass”

  1. There may be noticeably a bundle to find out about this. I assume you made certain nice points in options also.

Leave a Reply

Your email address will not be published. Required fields are marked *