Haproxy 1.4 connecting to an https backend servers

2
votes

I'm trying to connect to 2 backend servers over https using port 443, and I want to find a way to send the key & cert files to the servers in the backend. My haproxy.cfg is:

global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout  5000
    clitimeout  50000
    srvtimeout  50000

listen stats :8000
    #mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth admin:password


listen  ssl-relay :80
    mode tcp
    balance roundrobin
    stick-table type ip size 200m expire 30m
    stick on src
    server  server01 www.example.com:443 check inter 2000 fall 3
    server  server02 www.example.com:443 check inter 2000 fall 3

How can we make the communication between haproxy server and back-end server secure???

2
ubuntusslhttpsopensslhaproxy

2 Answers

2
votes

Will your clients be using https://myfakepage.com:80 as the url? If not then what you are doing is largely pointless. You are working on an unencrypted connection to the front-end and then an encrypted connection to the backend. The problem is that when the connection goes back to the client, it will be unencrypted so you're not buying yourself anything. If your clients will be using https://pmyfakepage.com:80 then there's nothing to do because haproxy will already be acting as a pass-through for the https traffic.

Are you trying to do SSL termination on the load balancer, if so you're doing it backwards

Your bind secion would look something like

frontend ssl-site
bind *:443 ssl crt /path/to/bundle.pem  #you need to make sure the whole cert path is in one pem file
reqadd X-Forwarded-Proto:\ https
default_backend myServers

backend myServers
balance roundrobin
server server1 www.example.com:80
server server2 www2.example.com:80

but as dtorgo stated, ssl termination in this manner only works on 1.5 and above. Another option if you find stunnel too slow is stud.

Hope this clears things up for ya.

1
votes

haproxy 1.4 does not support SSL. Either update to 1.5 or look at using something like stunnel.

I have used both in a very large enterprise implementation and both products work well. If you want to stick with haproxy 1.4 then the stunnel route is VERY easy. Simply install stunnel on your haproxy servers, listen on a local port, have haproxy connect to that local port and then configure stunnel to point to the remote https endpoint. Besides global settings in stunnel, the actual config would be 3 lines

  1. name
  2. listen port on localhost
  3. destination host and port