In an earlier post we saw how useful the HAProxy load balancer is; today we follow up with how to use SSL with HAProxy.
There are two popular ways: SSL passthrough and SSL termination. Our focus is on the latter.
HAProxy has the ability to decrypt and encrypt traffic it receives and distribute it among the servers.
Since the load balancer distributes traffic, it is tedious, and in some cases not practical, to distribute SSL certificates to the many servers you have.
This is where SSL termination comes in: HAProxy decrypts incoming requests, sends them to the servers, and encrypts the responses from them.
Configuring your Ubuntu HAProxy Load Balancer for SSL Termination
Open the HAProxy config file /etc/haproxy/haproxy.cfg:
frontend www.mysite.com
    bind 10.10.0.5:80
    bind 10.10.0.5:443 ssl crt /etc/ssl/certs/my_site_com.pem
In the frontend section, we have used 10.10.0.5 as our sample load balancer anchor IP address.
We are also adding the ssl and crt keywords along with the location of our site's SSL certificate.
NOTE: Make sure the .pem file is a combination of your certificate.crt first, then the bundle (if it exists), and lastly the private.key.
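An added example (not from the original post) that builds the combined file in the order the note gives and checks it before crt points at it. The function names build_pem and check_pem and the input file names are hypothetical; the check also rejects a file readable by other users, since it holds the private key.

```shell
#!/bin/sh
# build_pem OUT CERT KEY [BUNDLE]
# Concatenate in the order from the note: certificate, bundle (if any), private key.
build_pem() {
    out=$1; cert=$2; key=$3; bundle=${4:-}
    (
        umask 077              # the output contains the private key: create it 0600
        rm -f "$out"
        if [ -n "$bundle" ]; then
            cat "$cert" "$bundle" "$key" > "$out"
        else
            cat "$cert" "$key" > "$out"
        fi
    )
}

# check_pem FILE
# Returns 0 if FILE holds one or more certificates followed by exactly one
# private key, with intact markers, and is not readable by "other" users.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # An input file without a trailing newline glues END and BEGIN markers together.
    if grep -q '.-----BEGIN ' "$f"; then
        echo "$f: markers run together (an input file lacked a final newline)" >&2
        return 1
    fi
    # One token per PEM block, in file order, e.g. "CERT,CERT,KEY,"
    order=$(awk '/^-----BEGIN .*-----$/ {
        if ($0 ~ /PRIVATE KEY-----$/) printf "KEY,"
        else if ($0 ~ /^-----BEGIN CERTIFICATE-----$/) printf "CERT,"
        else printf "OTHER,"
    }' "$f")
    if ! printf '%s\n' "$order" | grep -Eq '^(CERT,)+KEY,$'; then
        echo "$f: expected certificate(s) then one private key, got: $order" >&2
        return 1
    fi
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "$f: readable by other users; chmod 600 it" >&2
        return 1
    fi
    return 0
}
```

For example, `build_pem my_site_com.pem certificate.crt private.key bundle.crt && check_pem my_site_com.pem` before installing the file at the path given to crt.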
Automatically Redirecting HTTP to HTTPS
To enforce HTTPS redirection, add http-request redirect scheme in the frontend section:
frontend www.mysite.com
    bind 10.10.0.5:80
    bind 10.10.0.5:443 ssl crt /etc/ssl/certs/my_site_com.pem
    http-request redirect scheme https unless { ssl_fc }
Restart HAProxy
Now that we are done with the configuration, save and close the file, then test its validity with the command:
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
If there is no error, or just minor warnings, restart HAProxy:
sudo service haproxy restart
Now when you visit your site, it will be SSL secured.