HAProxy SSL Pass-Through Configuration

From NovaOrdis Knowledge Base
Revision as of 23:14, 4 July 2017 by Ovidiu (talk | contribs) (→‎Backend Configuration)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

External

Internal

Overview

Concepts:

HAProxy Concepts - SSL Pass-Through

The default configuration file /etc/haproxy/haproxy.cfg.

Frontend Configuration

Frontend binds on both 80 and 443 to allow both regular and SSL HTTP requests. 

frontend localhost
  bind *:80
  bind *:443
  option tcplog
  mode tcp
  default_backend nodes

Frontend iptables Considerations

If the host HAProxy is deployed on runs iptables, access to ports 80 and 443 has to be explicitly open as follows: 

-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

For more details see iptables - Allow a Web Server on a Specific Interface.

Backend Configuration

Backend also needs to be set in "tcp" mode. 

backend nodes
   mode tcp
   balance roundrobin
   option ssl-hello-chk
   server node01 192.168.1.11:443 check
   server node02 192.168.1.12:443 check

Alternatively, "balance source" can be used.

Backend iptables Considerations

If the backend hosts run iptables, they must be configured to allow new connections on port 443: 

-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT

For more details see iptables - Allow a Web Server on a Specific Interface.

Retrieved from "https://kb.novaordis.com/index.php?title=HAProxy_SSL_Pass-Through_Configuration&oldid=25898"