
SSL Termination with HAProxy on Ubuntu

by Bryce Andy 09:10 Oct 04 '21

In a previous post we saw how useful the HAProxy load balancer is; today we follow up with how to use SSL with HAProxy.

There are two popular ways: SSL passthrough and SSL termination. Our focus is on the latter.

[Figure: SSL termination. Illustration from HAProxy.com]

HAProxy has the ability to decrypt and encrypt traffic it receives and distribute it among the servers.

Since the load balancer distributes traffic across many servers, it is tedious, and in some cases not practical, to distribute SSL certificates to every one of them.

This is where SSL termination comes in: HAProxy decrypts incoming requests, sends them to the servers, and encrypts the responses from them.

Configuring your Ubuntu HAProxy Load Balancer for SSL Termination

Open the HAProxy config file /etc/haproxy/haproxy.cfg:

frontend www.mysite.com
    bind 10.10.0.5:80
    bind 10.10.0.5:443 ssl crt /etc/ssl/certs/my_site_com.pem

In the frontend section, we have used 10.10.0.5 as our sample load balancer anchor IP address.

We are also adding the ssl and crt keywords, along with the location of our site's SSL certificate.

NOTE: Try to make sure your certificate file is a concatenation, in this order, of your certificate.crt, then the bundle (if it exists), and lastly the private.key.
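The note above describes the layout of the file that crt loads. As an added example (not part of the original post), this shell script checks that a combined PEM follows that order and, because the file contains the private key, that it is not accessible to other users. The function names are hypothetical, and only the PEM block markers and the file mode are inspected.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Only PEM block markers and the file mode are inspected; no key is parsed.

# Print the type of each PEM block in file order, one per line.
pem_block_types() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Succeed only if the order is: site certificate, optional bundle
# certificates, then exactly one private key as the last block.
check_pem_order() {
    types=$(pem_block_types "$1")
    total=$(printf '%s\n' "$types" | grep -c . || true)
    certs=$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$' || true)
    keys=$(printf '%s\n' "$types" | grep -c 'PRIVATE KEY$' || true)
    ends=$(tr -d '\r' < "$1" | grep -c '^-----END .*-----$' || true)
    first=$(printf '%s\n' "$types" | head -n 1)
    last=$(printf '%s\n' "$types" | tail -n 1)

    [ "$total" -ge 2 ] || { echo "need a certificate and a key" >&2; return 1; }
    [ "$total" -eq "$ends" ] || { echo "truncated block (BEGIN/END mismatch)" >&2; return 1; }
    [ "$first" = "CERTIFICATE" ] || { echo "first block is '$first', not a certificate" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    case $last in
        *"PRIVATE KEY") ;;
        *) echo "private key is not the last block" >&2; return 1 ;;
    esac
    [ "$certs" -eq $((total - 1)) ] || { echo "unexpected block type before the key" >&2; return 1; }
}

# Succeed only if "other" has no permission bits set on the file.
pem_not_world_accessible() {
    case $(ls -ld "$1") in
        ???????---*) return 0 ;;
        *) echo "$1 is accessible to all users; remove access for others" >&2; return 1 ;;
    esac
}

# Usage: sh check_pem.sh /etc/ssl/certs/my_site_com.pem
if [ "$#" -gt 0 ]; then
    check_pem_order "$1" && pem_not_world_accessible "$1" && echo "OK: $1"
fi
```

This does not prove that the key belongs to the certificate; HAProxy's own configuration check reports that when it loads the file.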

Automatically Redirecting HTTP to HTTPS

To enforce HTTPS redirection, add http-request redirect scheme in the frontend section:

frontend www.mysite.com
    bind 10.10.0.5:80
    bind 10.10.0.5:443 ssl crt /etc/ssl/certs/my_site_com.pem
    http-request redirect scheme https unless { ssl_fc }

Restart HAProxy

Now that we are done with the configuration, save and close the file, then test its validity with the command:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

If there is no error, or just minor warnings, restart HAProxy:

sudo service haproxy restart

Now when you visit your site, it will be SSL secured.
