HAProxy community

SSL between Haproxy and Apache


#1

I need help because I have my web_server in a different datacenter of haproxy_server and I need encrypt the connection,

I have: client => ssl/certbot => Haproxy => http => Apache
I need: client => ssl/certbot => Haproxy => ssl => Apache

If I creat a openssl.privatekey.pem to the haproxy_server and openssl.certificate.pem to the apache_server solve my problem?

frontend http_front
mode http
bind <haproxy_IP_server>:80
bind <haproxy_IP_server>:443 ssl crt /etc/haproxy/certs/example.com.pem

backend haproxy.cfg
mode http
server <apache_server> <IP_apache_server>:81 check ssl verify required ca-file /etc/ssl/certs/openssl.privatekey.pem ???


Encrypt connection
#2

any ideas are welcome :slight_smile:


#3

Do you need to verify the certificate? Then you need to use a CA to sign this certificate, do not use a self signed certificate. ca-file needs the the public CA certificate, not the actual certificate and certainly not the private key.

Is port 81 on your Apache server really configured with SSL? Are you sure?

If you don’t need certificate verification, just disable it with verify none.


#4

Thank you for your answer

1 - I have the certbot in the front of the haproxy

1 - I don’t need a certificate verification between haproxy and Apache, so as you suggest, I will put “verify none”

2 – The port 81 in my Apache is not yet configurate with SSL because I don’t know how encrypt the connection between Haproxy and Apache.

3 – If I put “server <apache_server> <IP_apache_server>:81 check ssl verify no” the connection will be encrypt between Haproxy and Apache?

4 – What I need to do in the Apache to read the SSL traffic from Haproxy_server?

Sorry for so many questions but I’m stock in this problem, thanks in advance


#5

Certbot is not something you put in front of anything. Certbot will request a certificate from ACME CA’s like Let’s Encrypt. That is all.

You need to configure Apache with SSL, otherwise you are not going to achieve what you want. Read and research Apache SSL configuration for this.

You are configuring haproxy to use SSL but failed to configure Apache to use SSL. This will result in a non-working configuration.

Please consult Apache documentation and manual to find out howto configure it.


#6

Thank you very much for your answer,

I’m checking and everything is ok with the following configuration:

frontend http_front
bind <haproxy_IP_server>:80
bind <haproxy_IP_server>:443 ssl crt /etc/haproxy/certs/certbot.com.pem

backend http_back
server <1_web_server> <1_web_server_IP>:80 check weight 1
server <2_web_server> <2_web_server_IP>:80 check weight 1

With this I can get my https://www.example.com site working with SSL.

But I think the connection between haproxy_server and apache_server is not encrypted?
This is correct?


#7

No, the connection is not encrypted.


#8

The haproxy as anything to encrypt or I need use a software like stunnel, openvps or pfsense?


#9

The haproxy as anything to encrypt or I need use a software like stunnel, openvps or pfsense?


#10

You don’t need external software, you need just need to configure both Apache and Haproxy to encrypt the traffic.

Now in haproxy (on the server configuration line) you would add the ssl keyword, verify none and probably adjust the port.

In Apache you have to properly configure a SSL port, and I’m sure you can find tons of informations about this in the Apache documentation and on the Internet.


#11

Thank you lukastribus for your help
As you said I’m trying “ssl verify none” but now I have a problem with my certbot, I only can run my certbot in my haproxy_server, and give me a error when I put the certbot in my apache_server. Any ideas how solve my certbot issue?