HAProxy SSL Termination

Configuring SSL Termination on HAProxy

SSL termination has been available since HAProxy 1.5, the current stable version, which will need to be built (see the parent page for build instructions). This is a very minimalist configuration, as every environment is different. I will continue to add specific examples of alternate configurations, such as disabling certain protocols and ciphers (like SSLv3, to thwart POODLE), adding additional HTTP headers, setting up Layer 7 health checks (HTTP and MySQL), and more.

global
    maxconn 1028
    user haproxy
    group haproxy

defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend https_443_frontend
    bind *:443 ssl crt /etc/ssl/certs/centoshowtos.org.pem
    mode http
    option forwardfor
    option http-server-close
    option httpclose
    # we add this so the backend servers know the request was ssl
    # otherwise we could end up in a redirect loop
    reqadd X-Forwarded-Proto:\ https

    default_backend http_80_backend

backend http_80_backend
    mode http
    balance roundrobin
    timeout connect 5s
    timeout server 30s
    # each server line needs the address:port of its backend host
    server web01
    server web02
    server web03
    server web04
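
A quick check for the two points raised above (SSLv3 left enabled on the terminating bind, and the X-Forwarded-Proto header that prevents the redirect loop), as an added example that is not part of the original page. The function name lint_haproxy and its finding strings are assumptions made for illustration; no-sslv3 and ssl-default-bind-options are HAProxy 1.5 keywords.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

def lint_haproxy(text):
    """Return (line, proxy, issue) findings for TLS-terminating bind lines."""
    section, name, global_no_sslv3 = None, "", False
    tls_binds = {}           # proxy name -> [(line number, has no-sslv3)]
    sets_proto = set()       # proxies that add X-Forwarded-Proto
    for num, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = words[0]
            name = words[1] if len(words) > 1 else words[0]
        elif section == "global" and words[0] == "ssl-default-bind-options":
            global_no_sslv3 |= "no-sslv3" in words
        elif words[0] == "bind" and "ssl" in words[2:]:
            tls_binds.setdefault(name, []).append((num, "no-sslv3" in words))
        elif words[0] in ("reqadd", "http-request") and any(
                w.lower().startswith("x-forwarded-proto") for w in words[1:]):
            sets_proto.add(name)
    findings = []
    for proxy, binds in tls_binds.items():
        for num, hardened in binds:
            if not (hardened or global_no_sslv3):
                findings.append((num, proxy, "SSLv3 not disabled on TLS bind"))
        if proxy not in sets_proto:
            findings.append((binds[0][0], proxy, "X-Forwarded-Proto not set"))
    return findings

# Frontend as given on this page (raw string keeps the "\ " escape intact).
PAGE_FRONTEND = r"""frontend https_443_frontend
    bind *:443 ssl crt /etc/ssl/certs/centoshowtos.org.pem
    mode http
    reqadd X-Forwarded-Proto:\ https
"""
# Constructed variant: same bind line with SSLv3 turned off.
HARDENED = PAGE_FRONTEND.replace(".pem", ".pem no-sslv3")

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_FRONTEND), ("hardened", HARDENED)):
        print(label, lint_haproxy(cfg))
```

The check only looks at protocol and header settings; it does not evaluate the cipher list.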