HAProxy : SSL Settings2015/02/18 |
Configure HAProxy with SSL.
The connection between HAproxy and Clients are encrypted with SSL. ( HAproxy - backends are normal ) This example based on the environment like follows. | -------+----------------------------------------------- | +-------------------+--------------------+ |10.0.0.30 |10.0.0.31 |10.0.0.32 +-----+-----+ +-------+------+ +-------+------+ | Frontend | | Backend#1 | | Backend#2 | | HAProxy | | Web Server | | Web Server | +-----------+ +--------------+ +--------------+ |
[1] | Create SSL certificates. |
[root@dlp ~]# cd /etc/pki/tls/certs [root@dlp certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/haproxy.pem -out /etc/pki/tls/certs/haproxy.pem -days 365 Generating a 2048 bit RSA private key ......++++++ .......++++++ writing new private key to '/etc/pki/tls/certs/haproxy.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: JP # country State or Province Name (full name) [Some-State]: Hiroshima # state Locality Name (eg, city) []: Hiroshima # city Organization Name (eg, company) [Internet Widgits Pty Ltd]: GTS # company Organizational Unit Name (eg, section) []: Server World # department Common Name (eg, YOUR name) []: dlp.srv.world # server's FQDN
Email Address []:
[root@dlp certs]# root@srv.world # admin email address chmod 600 haproxy.pem |
[2] | Configure HAProxy for SSL. |
[root@dlp ~]#
vi /etc/haproxy/haproxy.cfg # add in the "global" section global # max per-process number of SSL connections maxsslconn 256 # set 2048 bits for Diffie-Hellman key tune.ssl.default-dh-param 2048 # add follows in the "frontend" section frontend http-in bind *:80 # specify port and certs bind *:443 ssl crt /etc/pki/tls/certs/haproxy.pem systemctl restart haproxy |
[3] | Make sure all works fine to access to the frontend server from a Client with HTTPS like follows. |
Sponsored Link |