SSL Termination on HAProxy 1.5

Configuring SSL Termination on HAProxy

SSL termination has been available since the current stable version of HAProxy 1.5, which will need to be built (see parent page of this for instructions on that). This is a very minimalist configuration as every environment is different. I will continue to add specific examples of alternate configurations such as disabling certain CIPHERS (like sslv3 to thwart poodle). As well as adding additional HTTP headers, setting up Layer 7 health checks (http and mysql) and more.

global
  maxconn 1028
  daemon
  user haproxy
  group haproxy

defaults
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

frontend https_443_frontend
  bind *:443 ssl crt /etc/ssl/certs/centoshowtos.org.pem
  mode http
  option forwardfor
  option http-server-close
  option httpclose
  # we add this so the backend servers know the request was ssl
  # otherwise we could end up in a redirect loop
  reqadd X-Forwarded-Proto:\ https
  
  default_backend http_80_backend

backend http_80_backend
  mode http
  balance roundrobin
  timeout connect 5s
  timeout server 30s
  server web01 10.66.6.11:80
  server web02 10.66.6.12:80
  server web03 10.66.6.13:80
  server web04 10.66.6.14:80

(Comments)

HAProxy SSL Termination

Configuring SSL Termination on HAProxy

Comments