HAProxy community

SSL/TLS offloading / Let's Encrypt - tcp only


#1

Hello team

I have task to reroute socket connection via SSL/TLS port to noSSL port with

I have task to:

  1. receive TCP incoming socket connection with SSL/TLS verification (with Let’s Encrypt certificate for domain) - port 3433
  2. Decrypt data and resend (no SSL/TLS) data to port 3000 on same server
  3. sure keep such socket connection a long time alive

I found such description - https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/#ssl-tls-offloading

But cant understand:

  1. this config i have to replace default config?
  2. how can i connect Let’s Encrypt certificate?
  3. Enable full logs

Help me please on this config.
How real config have to be?

Thanks


#2

Hi, I had the same issue.
It is commonly referred to as SSL termination, here are a few links with some example configs

What is critical is to ensure you place the following in the “backend” configuration

http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

and make sure you check for cookies or you will have problems with sessions.

The following is the “stock” config used for development servers

backend dev4-backend
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
option forwardfor
cookie SERVERID insert indirect nocache
option http-server-close
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
server dev4 192.168.10.54:80 check inter 1000 check cookie dev4

hope this helps,

Cheers,
Gerald


#3

frontend my_front_end_serv
bind 0.0.0.0:3433
mode http
option httplog
default_backend my_backend_serv

backend my_backend_serv
mode http
default-server inter 10s fall 3 rise 2
balance roundrobin
cookie SERVERID insert indirect nocache
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if {ssl_fc}
option forwardfor
server SERVER1 127.0.0.1:3000 check inter 5s cookie SERVER1

Cookie check is not required in case it is one server and you don’t need session sticky-ness. However, if authentication cookies are involved, then you need to have sticky sessions.

Keep alive is the default behavior of HAProxy since version 1.5 so that shouldn’t be a problem.