SSL certificates


#1

How do I use an SSL web server in the background?
Can anyone give me a sample?
I have already done it with normal HTTP, but how can I do HTTPS? Please guide me through the process.


#2

Hi,

Yes, you can use SSL-enabled web servers in the HAProxy backend.
HAProxy by design is a proxy and therefore maintains 2 different connections:
1. Connection between the client and the HAProxy.
2. Connection between the server and the HAProxy.

This design therefore allows HAProxy to use different protocols on each type of connection. Hence, SSL can be used for both of these connections or for either one of them. Depending on the way SSL is used, HAProxy can work in the following 4 designs:
1. SSL/TLS Pass-through: In this design, HAProxy doesn't decipher the traffic. It just opens a TCP tunnel between the client and the server and lets them negotiate and handle the SSL traffic together.
2. SSL/TLS Termination: In this design, HAProxy deciphers the traffic on the client side and connects in the clear (without SSL) on the server side.
3. SSL/TLS Bridging: In this design, HAProxy deciphers the traffic on the client side and re-encrypts it on the server side.
4. SSL/TLS Encryption: In this mode, HAProxy gets the traffic in the clear on the client side and uses TLS to connect on the server side.

Below are the steps to be performed to handle SSL connections at HAProxy:

  1. Place the .pem file of the SSL certificate in /etc/ssl/certs/

  2. Use the lines below in the frontend section of the HAProxy configuration to use HAProxy in the SSL/TLS Termination design.

    frontend abc
        mode http
        bind ha.nec.com:443 ssl crt /etc/ssl/certs/haproxy_certificate.pem

    Use the lines below in the frontend and backend sections of the HAProxy configuration to use HAProxy in the SSL/TLS pass-through design.

    frontend abc
        mode tcp
        bind ha.nec.com:443
        default_backend xyz
    backend xyz
        mode tcp
        server wbs1.nec.com 10.0.4.113:443

    Use the lines below in the frontend and backend sections of the HAProxy configuration to use HAProxy in the SSL Bridging design.

    frontend abc
        mode http
        bind ha.nec.com:443 ssl crt /etc/ssl/certs/haproxy_certificate.pem
        default_backend xyz
    backend xyz
        mode http
        server wbs1.nec.com 10.0.4.113:443 check ssl cookie 1

    Use the lines below in the frontend and backend sections of the HAProxy configuration to use HAProxy in the SSL Encryption design.

    frontend abc
        mode http
        bind ha.nec.com:80
        default_backend xyz
    backend xyz
        mode http
        server wbs1.nec.com 10.0.4.113:443 check ssl cookie 1

  3. Restart haproxy.service after the configuration changes.

Hope this is helpful!
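
The bridging and encryption designs in the answer above put `ssl` on the `server` line, which encrypts the backend connection; whether the backend's certificate is also checked depends on the `verify` setting. The following is an added example, not part of the original answer, showing the bridging backend with the weak setting next to the verified one. The CA bundle path `/etc/ssl/certs/backend_ca.pem` is an assumed placeholder, and the example assumes the backend certificate is issued for `wbs1.nec.com`.

```haproxy
# Added example: SSL/TLS bridging with the backend certificate verified.
# Hostnames, IP and the frontend certificate path are taken from the answer
# above. /etc/ssl/certs/backend_ca.pem is an assumed path for the CA that
# issued the backend server's certificate.

frontend abc
    mode http
    bind ha.nec.com:443 ssl crt /etc/ssl/certs/haproxy_certificate.pem
    default_backend xyz

backend xyz
    mode http

    # Weak: the backend leg is encrypted, but any certificate is accepted,
    # so HAProxy cannot tell the real server from something answering in
    # its place on 10.0.4.113.
    # server wbs1.nec.com 10.0.4.113:443 check ssl verify none

    # Verified: the certificate chain must lead to the CA in ca-file and
    # the certificate must be valid for the expected hostname. The sni
    # option sends that hostname in the TLS handshake.
    server wbs1.nec.com 10.0.4.113:443 check ssl verify required ca-file /etc/ssl/certs/backend_ca.pem verifyhost wbs1.nec.com sni str(wbs1.nec.com)
```

Running `haproxy -c -f <config file>` checks the configuration for errors before haproxy.service is restarted.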