HAProxy SSL Pass-Through Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
=External=
* https://serversforhackers.com/using-ssl-certificates-with-haproxy
=Internal=
=Internal=


Line 4: Line 8:


=Overview=
=Overview=
Concepts:


{{Internal|HAProxy_Concepts#SSL_Pass-Through|HAProxy Concepts - SSL Pass-Through}}
{{Internal|HAProxy_Concepts#SSL_Pass-Through|HAProxy Concepts - SSL Pass-Through}}
The default configuration file /etc/haproxy/haproxy.cfg.
=Frontend Configuration=
Frontend binds on both 80 and 443 to allow both regular and SSL HTTP requests.
frontend localhost
  bind *:80
  bind *:443
  option [[HAProxy_Configuration#tcplog|tcplog]]
  [[HAProxy_Configuration#tcp|mode tcp]]
  default_backend nodes
==Frontend iptables Considerations==
If the host HAProxy is deployed on runs [[iptables]], access to ports 80 and 443 has to be explicitly open as follows:
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
For more details see [[Iptables_Command_Line_Tool_Examples#Allow_a_Web_Server_on_a_Specific_Interface|iptables - Allow a Web Server on a Specific Interface]].
=Backend Configuration=
Backend also needs to be set in "[[HAProxy_Configuration#tcp|tcp]]" mode.
backend nodes
    [[HAProxy_Configuration#tcp|mode tcp]]
    [[HAProxy_Configuration#balance|balance]] [[HAProxy_Configuration#roundrobin|roundrobin]]
    option [[HAProxy_Configuration#ssl-hello-chk|ssl-hello-chk]]
    server node01 192.168.1.11:443 check
    server node02 192.168.1.12:443 check
Alternatively, "[[HAProxy_Configuration#source|balance source]]" can be used.
==Backend iptables Considerations==
If the backend hosts run [[iptables]], they must be configured to allow new connections on port 443:
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
For more details see [[Iptables_Command_Line_Tool_Examples#Allow_a_Web_Server_on_a_Specific_Interface|iptables - Allow a Web Server on a Specific Interface]].

Latest revision as of 23:14, 4 July 2017

External

Internal

Overview

Concepts:

HAProxy Concepts - SSL Pass-Through

The default configuration file /etc/haproxy/haproxy.cfg.

Frontend Configuration

Frontend binds on both 80 and 443 to allow both regular and SSL HTTP requests.

frontend localhost
  bind *:80
  bind *:443
  option tcplog
  mode tcp
  default_backend nodes

Frontend iptables Considerations

If the host HAProxy is deployed on runs iptables, access to ports 80 and 443 has to be explicitly open as follows:

-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

For more details see iptables - Allow a Web Server on a Specific Interface.

Backend Configuration

Backend also needs to be set in "tcp" mode.

backend nodes
   mode tcp
   balance roundrobin
   option ssl-hello-chk
   server node01 192.168.1.11:443 check
   server node02 192.168.1.12:443 check

Alternatively, "balance source" can be used.

Backend iptables Considerations

If the backend hosts run iptables, they must be configured to allow new connections on port 443:

-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

For more details see iptables - Allow a Web Server on a Specific Interface.