# HAproxy with SSL termination

###### tags: `linux` `ssl` `haproxy`

One HAProxy server and two Nginx servers as back-end.

The HAProxy server has two NICs: one on the front-end network (192.168.56.0/24) and one on the back-end network (10.0.2.0/24).

## 1. Install haproxy

```
apt-get install haproxy -y
```

## 2. Generate a self-signed certificate

```
root@python:~/ssl# openssl genrsa -out ./haproxy.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
...............................................................++++++
e is 65537 (0x10001)
root@python:~/ssl# openssl req -new -key ./haproxy.key -out ./haproxy.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:yujungcheng.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@python:~/ssl# openssl x509 -req -days 365 -in ./haproxy.csr -signkey ./haproxy.key -out ./haproxy.crt
Signature ok
subject=/C=AU/ST=Some-State/L=Sydney/O=Internet Widgits Pty Ltd/CN=yujungcheng.com
Getting Private key
root@python:~/ssl# ls -l
total 12
-rw-r--r-- 1 root root 871 Aug 18 23:59 haproxy.crt
-rw-r--r-- 1 root root 664 Aug 18 23:58 haproxy.csr
-rw-r--r-- 1 root root 887 Aug 18 23:53 haproxy.key
root@python:~/ssl# cat ./haproxy.crt ./haproxy.key | tee ./haproxy.pem
-----BEGIN CERTIFICATE-----
MIICVzCCAcACCQCnxDVKt+/cVDANBgkqhkiG9w0BAQsFADBwMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UEBwwGU3lkbmV5MSEwHwYDVQQK
DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMMD3l1anVuZ2NoZW5n
LmNvbTAeFw0xODA4MTgxNTU5MTlaFw0xOTA4MTgxNTU5MTlaMHAxCzAJBgNVBAYT
AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ8wDQYDVQQHDAZTeWRuZXkxITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAwwPeXVqdW5nY2hl
bmcuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLu2VlTb2lRP484JAt
Le3UqOKStOJG+6t6w0GbUEt1KV+PdZlJ4cG2oSEHCR2cddyYADwrG1T34QF4d6+n
6XYoi5xlJPo77Edi+JyuXOk3Vx4pSDb//ImC13bVobMUMhT8o1Xf9msm1bd65RdH
u0eDFcWdWSxdEMV6NMABr6ETqwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAEltrzaK
tHtnFHFnX75jj6SbgjB/hh3bpKS8KcJfynpSF1Wva2LfapX5s1Pj1QmSxtIbJaDr
r4ybjXWYxKDETvoTNo5GoRwMi1fjGrFQZX9HZdt5or/elmDL9MvTFQPhva5euEg5
tmFY1KydtnEBddopbZIotJVYdlZKJfFlvQwn
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDLu2VlTb2lRP484JAtLe3UqOKStOJG+6t6w0GbUEt1KV+PdZlJ
4cG2oSEHCR2cddyYADwrG1T34QF4d6+n6XYoi5xlJPo77Edi+JyuXOk3Vx4pSDb/
/ImC13bVobMUMhT8o1Xf9msm1bd65RdHu0eDFcWdWSxdEMV6NMABr6ETqwIDAQAB
AoGAW4gB8hWPUqVApBEwNVwhMh3+TXM/Bi0jya/X1fOpMyY3bLik+fCXm3mg4QxT
ZWv+g7v3TFanQgaxJnJ/VK0rDBZJfaf0+JT0L3vJHsHf7BBJNo69DvA9S9iFRXNP
XZLIobHsfQbFi8N1jKlsC+7ryhNjtH8W6EkKXqbk+HzKl+ECQQD5iK8Nk6H7/wKR
hwpEy69f/Iu3gG3vVFv4hTHx4xIUvkj0VvgkEvC79htJTCLYHpHyVngxFk8LK4ea
nuiKPqGPAkEA0QLhGVw7mrALrxqyStU+7hP1NLqf/Ho4UEZ69PGhe6Ma0AQG62Wl
+OnjfshZnp15VfNw8rUQj6V/IOWZQJ+mJQJBAPboH0ZQ0VQ2dQUoWKnP3V0d1+Wf
p6fLkiFrMgtFAqwRyMA0md2f/CIQF9nEAypTvVfL5au0hkvoK4p8OF4qMNMCQEtC
TCdDjLrAVRSx+izz5/r1+L8Jy/2vTIOrPS7hqpHIQylPqeYs7bxZC29lWM/CSCRo
yey6wcHXh5Ui1zHrynkCQDd06rwSXrX7sx6UhWnL/6654rWH8GCJqCXE2h2+csX5
KfSgINHrqmrN9Byxol2jB5vQCSJ/lThTbq96iOOLmL0=
-----END RSA PRIVATE KEY-----
```

!!! Finally, you get the haproxy.pem file. It is still the same certificate, now with the private key concatenated after it in one file (any intermediate CA certificates would go in the same file), which is the format HAProxy's `crt` directive expects. Because it contains the private key, keep it readable by root only.

## 3. Edit /etc/haproxy/haproxy.cfg

Add the following at the end of the file (the `crt` path is the PEM bundle from step 2):

```
# one frontend carries both the plain and the TLS listener;
# binding *:80 in two separate frontends would conflict
frontend haproxy_server
    bind *:80
    bind *:443 ssl crt /root/ssl/haproxy.pem
    mode http
    option forwardfor
    default_backend nginx_servers

backend nginx_servers
    balance roundrobin
    mode http
    server nginx_1_chk 10.0.2.103:80 check
    server nginx_2_chk 10.0.2.104:80 check
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
```

!!! About the `check` option (quoted from the HAProxy documentation)

This option enables health checks on the server. By default, a server is always considered available. If "check" is set, the server is available when accepting periodic TCP connections, to ensure that it is really able to serve requests. The default address and port to send the tests to are those of the server, and the default source is the same as the one defined in the backend. It is possible to change the address using the "addr" parameter, the port using the "port" parameter, the source address using the "source" address, and the interval and timers using the "inter", "rise" and "fall" parameters. The request method is defined in the backend using the "httpchk", "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" options. Please refer to those options and parameters for more information.

Reference: http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-option%20httpchk

## 4. Verify the config file (optional)

```
haproxy -f /etc/haproxy/haproxy.cfg -c
```

!!! To monitor live traffic, run HAProxy in the foreground with debugging enabled:

```
haproxy -f /etc/haproxy/haproxy.cfg -d
```

## 5. Restart haproxy

```
service haproxy restart
```

## 6. Test

![](https://i.imgur.com/fcdgofG.png)

Ref:

- A basic use of HAProxy, referenced from https://devops.profitbricks.com/tutorials/install-and-configure-haproxy-load-balancer-on-ubuntu-1604/
- SSL termination, referenced from https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
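The following script is an added example, not part of the original note, that carries steps 2 to 4 of the procedure above through in one run with the checks a deployment would want: it generates the key and certificate non-interactively (2048-bit RSA instead of the note's 1024-bit key, which is below the current minimum for TLS), bundles them in the order HAProxy expects, verifies that the private key actually matches the certificate before HAProxy ever loads it, writes a configuration with a single frontend for both listeners, a minimum TLS version and an HTTP health check, and validates it with `haproxy -c`. It assumes OpenSSL 1.1.1 or later (for `-addext`), HAProxy 1.8 or later (for `ssl-min-ver`), and the same back-end addresses and common name as the note; the `run` argument, the directory layout and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example: steps 2-4 of the note as one script with verification.
# Assumes OpenSSL >= 1.1.1 (-addext) and HAProxy >= 1.8 (ssl-min-ver).
set -eu

# Step 2: self-signed certificate and key, bundled certificate-first into the
# PEM file HAProxy's "crt" directive loads.  Key material is created 0600.
make_haproxy_pem() {
    dir=$1; cn=$2
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
          -keyout "$dir/haproxy.key" -out "$dir/haproxy.crt"
      cat "$dir/haproxy.crt" "$dir/haproxy.key" > "$dir/haproxy.pem" )
    # Check: the certificate's public key must match the private key,
    # otherwise HAProxy refuses the bundle at start-up.
    cert_pub=$(openssl x509 -in "$dir/haproxy.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/haproxy.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
    openssl x509 -in "$dir/haproxy.crt" -noout -fingerprint -sha256
}

# Number of PEM objects in a bundle: 2 means certificate + key, as intended.
pem_entry_count() {
    grep -c '^-----BEGIN' "$1"
}

# Step 3: one frontend for both listeners (the note's two frontends both bound
# *:80), plain HTTP redirected to HTTPS, back-ends health-checked over HTTP.
# $2 is the PEM path; backslashes in the httpchk line survive the heredoc.
write_haproxy_cfg() {
    cfg=$1; pem=$2
    cat > "$cfg" <<EOF
global
    log /dev/log local0
    # refuse SSLv3, TLS 1.0 and TLS 1.1 on every bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend haproxy_server
    bind *:80
    bind *:443 ssl crt $pem
    option forwardfor
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend nginx_servers

backend nginx_servers
    balance roundrobin
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    http-check expect status 200
    server nginx_1_chk 10.0.2.103:80 check inter 2s rise 2 fall 3
    server nginx_2_chk 10.0.2.104:80 check inter 2s rise 2 fall 3
EOF
}

# Step 4: the note's "haproxy -c" check; returns 2 when haproxy is not installed.
validate_haproxy_cfg() {
    if ! command -v haproxy >/dev/null 2>&1; then
        echo "haproxy not installed; skipping -c check" >&2
        return 2
    fi
    haproxy -c -f "$1"
}

# Full run, only when invoked as "sh script.sh run [ssl-dir]".
if [ "${1-}" = "run" ]; then
    d=${2:-/root/ssl}
    mkdir -p "$d"
    make_haproxy_pem "$d" yujungcheng.com
    write_haproxy_cfg /etc/haproxy/haproxy.cfg "$d/haproxy.pem"
    validate_haproxy_cfg /etc/haproxy/haproxy.cfg && service haproxy restart
fi
```

The key/certificate comparison is the check worth keeping even if nothing else is: HAProxy fails to start on a mismatched bundle, and that failure surfaces only at restart time, long after the files were written.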