In our first guide on how to set up HAProxy, we were lazy. When we set up HAProxy we didn’t use any SSL Certificates and let CloudFlare do all of the work. You will want to deal with HTTPS connections over your HAproxy load balancer in some situations. HAProxy HTTPS provides two options to deal with secure connections.
* HAProxy SSL Passthrough
SSL Passthrough does what it says, it takes the connection and throws it to a backend server to decrypt. This could be considered faster but has many drawbacks like hiding the client’s true IP. That’s because we don’t decrypt the data as it passes through the load balancer.
* HAProxy SSL Termination
With SSL Termination, HAProxy decrypts the connection as it hits the load balancer and then either encrypts it again to send on to a backend server or just sends the data in an unencrypted fashion. This is considered the default choice but it depends on how you are using HAProxy.
Set up HAProxy SSL Termination
We have created this guide based on a specific use case. Our customer has a need for a High Availability MySQL Cluster. In a previous article, we created a network of MySQL servers. We have 5 servers in our cluster running Master-Master MySQL Replication. We now need to configure HAProxy to distribute the load over our cluster. This will provide High Availability. Because our cluster is using Cloudflare under “SSL Full” we installed a Cloudflare Origin certificate on our NGINX cluster. Now we are going to configure HAProxy to work with our Cloudflare Origin Certificate too.
HAProxy SSL Certificate
This next step assumes you have your Cloudflare Origin certificate or any other valid certificate on your server. We combined the origin certificate and private key into one file located at /etc/ssl/cert.pem. Open up the /etc/haproxy/haproxy.cfg file. Replace with the following.
frontend http_front bind :80 bind :443 ssl crt /etc/ssl/cert.pem default_backend be_d1 backend be_d1 balance leastconn server S1FR xx.xx.xx.xx:443 check ssl verify none server S2UK xx.xx.xx.xx:443 check ssl verify none server S3DE xx.xx.xx.xx:443 check ssl verify none server S4CA xx.xx.xx.xx:443 check ssl verify none server S5USAW 1xx.xx.xx.xx:443 check ssl verify none global log /dev/log local0 log /dev/log local1 notice # chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy # ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 # ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 # ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http listen stats bind xx.xx.xx.xx:1936 ssl crt /etc/ssl/cert.pem mode http stats enable stats hide-version stats show-node stats realm Haproxy\ Statistics stats uri /haproxy?stats stats admin if TRUE stats auth User:Pass
So, here we can see we are listening for connections on both port 80, insecure. But also on port 443, secure. Note, that we have specified our Cloudflare Origin certificate in the statement.
bind :443 ssl crt /etc/ssl/cert.pem
In the backend be_d1 block, we specify our backend servers. But notice how we append a secure port to the IPs.
backend be_d1 balance leastconn server S1FR xx.xx.xx.xx:443 check ssl verify none server S2UK xx.xx.xx.xx:443 check ssl verify none server S3DE xx.xx.xx.xx:443 check ssl verify none server S4CA xx.xx.xx.xx:443 check ssl verify none server S5USAW 1xx.xx.xx.xx:443 check ssl verify none
HAProxy HTTPS SSL Certificate
The important bit here is the ssl verify none. Connections are encrypted again before being sent on to the backend servers. Without this, we would see an error about insecure connections being sent to a secure port. We are using the same certificate on HAProxy as on our cluster. Finally, restart the cluster.
systemctl restart haproxy
In this example, HAProxy statistics can be viewed at http://IPv4:1936/haproxy?stats. So if we take a look we can see HAProxy HTTPS is routing connections to our backend server.
We can further confirm this over https. Our HAProxy URL is https://dgb-ha.dev.gb.net. So, give it a try, you will be routed to one of the backend servers over a secure connection. Refresh the page after 30 seconds to be sent to a different backend server.
So, in our final guide, we will load balance MySQL connections using HAProxy. Once complete we will have a high availability cluster running MySQL, PHP, NGINX.
How was this article? HAProxy HTTPS / HAProxy SSL
You might also like
More from Linux VPS Servers
How To Install phpIPAM Ubuntu and Debian Servers
phpIPAM is a great tool for managing IP address space. It's a free bit of software that will manage IPv4 …
How to configure additional IPs in a Debian 11 VPS
On Debian 11 instances, we removed the /etc/network/interfaces file and now configure interfaces using Cloud-init on boot. Discovery will send …
Default Ubuntu Sources.List
Default Ubuntu Sources.List The Ubuntu sources.list is where your F2H VPS instances get the latest updates and security fixes directly from …