HAProxy SSL Pass-Through Configuration: Difference between revisions
Jump to navigation
Jump to search
(9 intermediate revisions by the same user not shown) | |||
Line 8: | Line 8: | ||
=Overview= | =Overview= | ||
Concepts: | |||
{{Internal|HAProxy_Concepts#SSL_Pass-Through|HAProxy Concepts - SSL Pass-Through}} | {{Internal|HAProxy_Concepts#SSL_Pass-Through|HAProxy Concepts - SSL Pass-Through}} | ||
The default configuration file /etc/haproxy/haproxy.cfg. | |||
=Frontend Configuration= | =Frontend Configuration= | ||
Line 22: | Line 26: | ||
default_backend nodes | default_backend nodes | ||
==iptables Considerations== | ==Frontend iptables Considerations== | ||
If the host HAProxy is deployed on runs [[iptables]], access to ports 80 and 443 has to be explicitly open as follows: | If the host HAProxy is deployed on runs [[iptables]], access to ports 80 and 443 has to be explicitly open as follows: | ||
For more details see | -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT | ||
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT | |||
For more details see [[Iptables_Command_Line_Tool_Examples#Allow_a_Web_Server_on_a_Specific_Interface|iptables - Allow a Web Server on a Specific Interface]]. | |||
=Backend Configuration= | =Backend Configuration= | ||
Line 33: | Line 40: | ||
backend nodes | backend nodes | ||
[[HAProxy_Configuration#tcp|mode tcp]] | [[HAProxy_Configuration#tcp|mode tcp]] | ||
balance roundrobin | [[HAProxy_Configuration#balance|balance]] [[HAProxy_Configuration#roundrobin|roundrobin]] | ||
option [[HAProxy_Configuration#ssl-hello-chk|ssl-hello-chk]] | option [[HAProxy_Configuration#ssl-hello-chk|ssl-hello-chk]] | ||
server node01 192.168.1.11:443 check | server node01 192.168.1.11:443 check | ||
server node02 192.168.1.12:443 check | server node02 192.168.1.12:443 check | ||
Alternatively, "[[HAProxy_Configuration#source|balance source]]" can be used. | |||
==Backend iptables Considerations== | |||
If the backend hosts run [[iptables]], they must be configured to allow new connections on port 443: | |||
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT | |||
For more details see [[Iptables_Command_Line_Tool_Examples#Allow_a_Web_Server_on_a_Specific_Interface|iptables - Allow a Web Server on a Specific Interface]]. |
Latest revision as of 23:14, 4 July 2017
External
Internal
Overview
Concepts:
The default configuration file /etc/haproxy/haproxy.cfg.
Frontend Configuration
Frontend binds on both 80 and 443 to allow both regular and SSL HTTP requests.
frontend localhost bind *:80 bind *:443 option tcplog mode tcp default_backend nodes
Frontend iptables Considerations
If the host HAProxy is deployed on runs iptables, access to ports 80 and 443 has to be explicitly open as follows:
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
For more details see iptables - Allow a Web Server on a Specific Interface.
Backend Configuration
Backend also needs to be set in "tcp" mode.
backend nodes mode tcp balance roundrobin option ssl-hello-chk server node01 192.168.1.11:443 check server node02 192.168.1.12:443 check
Alternatively, "balance source" can be used.
Backend iptables Considerations
If the backend hosts run iptables, they must be configured to allow new connections on port 443:
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
For more details see iptables - Allow a Web Server on a Specific Interface.