HAProxy SSL Pass-Through Configuration: Difference between revisions
Latest revision as of 23:14, 4 July 2017
External
* https://serversforhackers.com/using-ssl-certificates-with-haproxy
Internal
Overview
Concepts: HAProxy Concepts - SSL Pass-Through
The default configuration file is /etc/haproxy/haproxy.cfg.
Frontend Configuration
The frontend binds on both port 80 and port 443, so it accepts plain HTTP as well as HTTPS requests. Because it runs in tcp mode, HAProxy neither terminates TLS nor inspects the HTTP traffic; it relays the TCP stream to the backend as-is.
 frontend localhost
     bind *:80
     bind *:443
     option tcplog
     mode tcp
     default_backend nodes
Frontend iptables Considerations
If the host HAProxy is deployed on runs iptables, access to ports 80 and 443 has to be explicitly opened as follows:
 -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
For more details see iptables - Allow a Web Server on a Specific Interface.
Backend Configuration
The backend also needs to be in "tcp" mode: HAProxy hands the TLS session to the selected node without terminating it, so the client sees the backend's certificate end to end.
 backend nodes
     mode tcp
     balance roundrobin
     option ssl-hello-chk
     server node01 192.168.1.11:443 check
     server node02 192.168.1.12:443 check
With option ssl-hello-chk, the health check sends an SSL client hello and expects a server hello back, so a node that accepts TCP connections but is not actually serving TLS is marked down rather than receiving traffic.
Alternatively, "balance source" can be used: it hashes the client's source address, so requests from the same client keep going to the same node as long as the set of available nodes does not change.
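As an added example (not part of the original page), a small Python checker that parses a frontend/backend pair like the one above and reports the settings that would silently break pass-through: either side not in tcp mode, no bind on 443, a bind line carrying the ssl keyword (which means HAProxy terminates TLS itself), or a server not targeting port 443. The embedded sample config is constructed and contains one deliberate mistake; the function names are mine, not HAProxy's.

```python
# Constructed sample: the page's frontend/backend pair with one deliberate
# mistake (the backend was left in http mode) for the checker to catch.
SAMPLE_CFG = """
frontend localhost
    bind *:80
    bind *:443
    mode tcp
    default_backend nodes
backend nodes
    mode http
    option ssl-hello-chk
    server node01 192.168.1.11:443 check
    server node02 192.168.1.12:443 check
"""

def parse_sections(cfg):
    """Map (kind, name) -> list of tokenised directives; '#' comments are dropped."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (tokens[0], tokens[1] if len(tokens) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(tokens)
    return sections

def check_passthrough(cfg):
    """Return the problems that would break TLS pass-through ([] means OK)."""
    problems = []
    for (kind, name), directives in parse_sections(cfg).items():
        if kind not in ("frontend", "backend"):
            continue
        modes = [d[1] for d in directives if d[0] == "mode"]
        if modes != ["tcp"]:  # both sides must relay raw TCP, not parse HTTP
            problems.append(f"{kind} {name}: mode must be tcp, got {modes or 'none'}")
        if kind == "frontend":
            binds = [d for d in directives if d[0] == "bind"]
            if not any(b[1].endswith(":443") for b in binds):
                problems.append(f"frontend {name}: no bind on port 443")
            if any("ssl" in b[2:] for b in binds):  # 'ssl' on bind means HAProxy terminates TLS
                problems.append(f"frontend {name}: a bind line terminates TLS instead of passing it through")
        else:
            for s in (d for d in directives if d[0] == "server"):
                if not s[2].endswith(":443"):
                    problems.append(f"backend {name}: server {s[1]} is not on port 443")
    return problems
```

Run check_passthrough on the real /etc/haproxy/haproxy.cfg contents before reloading; an empty list means the pass-through constraints hold.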
Backend iptables Considerations
If the backend hosts run iptables, they must be configured to allow new connections on port 443:
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
For more details see iptables - Allow a Web Server on a Specific Interface.