We have setup haproxy and its working fine. We enable ssl as well. We actually have a .pem file with a combination of .crt and .key. Now we want to secure the key so that no one can view it. Please advice what we need to do ?
I don’t think what you’re asking for is currently possible. I’ve seen something like this in Nginx’s documentation, but even they say:
For the large majority of organizations, it is sufficient to restrict access to the environments running NGINX so that unauthorized users cannot gain
rootaccess and cannot look at NGINX configuration.
(Source: Secure Distribution of SSL Private Keys with NGINX - NGINX)
If other users can gain root, there’s no point in taking any further action, as users would still have the ability to see the key. My certificates are automated, and they are set with:
chown haproxy /path/to/the/cert ← Sets HAProxy as the owner
chmod 400 /path/to/the/cert ← Sets the permissions where only the owner can read the file.
Of course, root always has permission to everything. With these settings, no other user can read the file except for the owner (haproxy) and root.
The haproxy user in most cases does not need access to the certificates, because haproxy usually starts as root, bind all the ports and reads all the files it needs to read as root, and only afterwards drops privileges to whatever user is specified.
So you could chown root:root and chmod 000 it if you want.
1 Like