Configuring HAProxy SSL Termination

HAProxy is free, open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers.

We can Configure HAProry in 2 methods

Here we will discuss about Configuring HAProxy SSL Termination

In order to implement the HAProxy SSL Termination, the SSL certificate and key pair should be in the proper format.

You have to create/have a .pem file by combining SSL certificate and the private key.

1 . Install haproxy from the yum repo (make sure the VM is subscribed)

2 . Modify /etc/haproxy/haproxy.cfg (create backup copy, first, if not part of your standard process)

# Sample haproxy.cfg
#———————————————————————
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#———————————————————————
 
#———————————————————————
# Global settings
#———————————————————————
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the ‘-r’ option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2
 
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    tune.ssl.default-dh-param   2048  # Add this setting to enable HTPPS Access
 
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
 
#———————————————————————
# common defaults that all the ‘listen’ and ‘backend’ sections will
# use if not designated in their block
#———————————————————————
defaults
    mode                    http
    log                     global
   option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
 
#———————————————————————
# main frontend which proxys to the backends
#———————————————————————
frontend https-in   #create a frontend
    bind *:443  ssl crt <path_of_certificate.pem>  # you need to have the relevant certificate for the domain.
 
    default_backend    app        #This settings points to backend server named ‘app’
 
#———————————————————————
# static backend for serving up images, stylesheets and such
#———————————————————————
#backend static
#    balance     roundrobin
#    server      static 127.0.0.1:4331 check
 
#———————————————————————
# round robin balancing between the various backends
#———————————————————————
backend app
    balance     roundrobin
    server  app1 192.168.1.1:32064 check  # the IP and Port to be defined based on backend server IP and port number

3 . Enable the Services

4 . Enable the Haproxy logging

a . Uncomment the line below the file /etc/haproxy/haproxy.cfg

b . Restart the haproxy service:

# systemctl restart haproxy.service

c . Uncomment the following lines of the file /etc/rsyslog.conf and add the $UDPServerAddress line

d . Create the file haproxy.conf in directory /etc/rsyslog.d/ with content below

# vi /etc/rsyslog.d/haproxy.conf

e . Restart the rsyslog service

 # systemctl restart rsyslog.service

f . Check access logs of the haproxy in the below file

/var/log/haproxy.log

If you want to configure the HAProxy with SSL Bypass go through this blog

Simple and easy….