I am using Haproxy 2.05 (upgraded from 1.8 onwards) with HTTP1.1 and SSL pass through configured and working fine on FreeBSD 11.2 with OpenSSL 1.0.x + LetsEncrypt TLS1.2 certs and few backends running Apache and Nginx servers.
Now I am upgrading to a new server running FreeBSD 12.0 and OpenSSL 1.1.1c (OpenSSL has been installed from ports).
I am curious to know if I could enable HTTP2 with SSL pass through. I am not able to find much info on how to do this if it possible with Haproxy 2.05 and all my trial and error have been failing as of now. If it is possible, kindly share how to achieve this.
Or, is SSL termination the only way out to enable HTTP2 with TL1.2+? I have read a bit about CPU spikes in case of SSL termination mode, although I have never personally tried this option. Is that true? Which option would be better to use in production with just a few servers? We haven’t had too much traffic (less than 2k hits daily) but expect it to rise considerably (maybe 20-30k hits daily) in the near future.
I am still learning the tricks of the trade so please do excuse me in case my queries seem too naive.
No. SSL pass through means that everything is end-to-end encrypted, which means that haproxy does not have visibility into even higher protocols like HTTP. If you want HTTP2 with SSL pass through, you need to enable HTTP2 on your backend server, Apache and nginx, where you terminate SSL and leave haproxy configuration untouched.
enable HTTP2 on your backend server, leaving haproxy in TCP mode, passing through SSL and all it’s encrypted payloads, or
actually terminate SSL on haproxy and enable whatever feature you like, including HTTP2
SSL handshakes are demanding. Currently you have the SSL handshake CPU load on your backend server. If you terminate SSL on the load-balancer, this load will move to haproxy.
I can generate separate certs if required… but maybe my configs are not up to the mark. So I pasted the relevant configs (with IPs and paths hidden) for HA-Proxy, Apache and Nginx on the current server. My apologies in case configs should be attached separately here, but being new I am unable to find a way to do so.
Kindly have a look and let me know if there is anything I am doing wrong or can be improved upon.
Thanks in advance for all your help.
Have a great weekend!
log /var/run/log local0 notice