I. Overview

HAProxy supports two strategies for handling SSL/TLS traffic.

1. SSL termination

With this strategy, SSL connections are terminated (decrypted) at HAProxy and forwarded to the back-end server unencrypted. HAProxy is therefore responsible for decrypting the SSL connections, which is time-consuming and CPU-intensive compared with accepting plain (non-SSL) requests.

This contrasts with SSL pass-through, which hands the still-encrypted SSL connection straight to the back-end server.

2. SSL pass-through

The SSL connection is terminated on each back-end server, which spreads the decryption load across those servers. However, HTTP headers cannot be added or edited this way, because the load balancer simply routes the connection through to the back-end server. This means the back-end server will not receive X-Forwarded-* headers, which may carry the client's IP address, port number, and so on. Which strategy you choose depends on your application's requirements: SSL termination is the most common, but SSL pass-through may be more secure.

II. SSL termination

As mentioned above, we need HAProxy to handle the SSL connection, which means the SSL certificate lives on the HAProxy server. The certificate is typically a PEM file that bundles the certificate, its private key, and optionally the certificate authority chain into a single file. This is the preferred form in which HAProxy reads SSL certificates.

To handle SSL connections in HAProxy, bind a port such as 443 and tell HAProxy where the SSL certificate is:

frontend ts_8799
    bind 30.7.20.109:8799 ssl crt /opt/ts/server-cert/haproxy/haproxy-cert.pem
    mode http
    option httpclose
    default_backend b_def_ts_8799

This configuration makes HAProxy itself listen on port 8799. When it receives an HTTPS request, HAProxy decrypts it with the certificate named in this configuration and forwards the decrypted request to the back-end.

The back-end configuration is as follows:

backend b_def_ts_8799
    mode http
    balance roundrobin
    option tcpka
    stats hide-version
    option httpchk
    option httplog
    server controller1 30.7.20.111:28799 check inter 15s fastinter 15s downinter 15s rise 2 fall 4

In this case, the back-end server receives plain HTTP requests; the data is not encrypted on that hop.

III. SSL pass-through

With SSL pass-through, the back-end server handles the SSL connection instead of HAProxy. HAProxy's job is then to proxy the connection to its configured back-end servers. Because the connection is still encrypted, HAProxy cannot do anything with it other than forward it to a server.

To pass SSL connections straight through HAProxy, use TCP mode in both the front-end and back-end configuration. HAProxy then treats the connection as an opaque byte stream to the back-end server rather than applying its HTTP-level features. Front-end configuration:

frontend ts_8799
    bind 30.7.20.109:8799
    mode tcp
    default_backend b_def_ts_8799

As noted above, passing the secure connection to the back-end server without decrypting it requires mode tcp. This also means logging must be set to the TCP format instead of the default HTTP format (option tcplog). Back-end configuration:

backend b_def_ts_8799
    mode tcp
    balance roundrobin
    option tcpka
    stats hide-version
    server controller1 30.7.20.111:28799 check inter 15s fastinter 15s downinter 15s rise 2 fall 4

The key setting is mode tcp, which both the front-end and the back-end configuration must use. Naturally, the back-end server itself must be able to terminate (decrypt) SSL.

IV. Using both strategies

If the application needs both strategies, that is, the client sends the request to HAProxy, HAProxy terminates the SSL session, and the back-end server must then handle SSL again when HAProxy forwards the request to it, then the request decrypted by HAProxy has to be encrypted again before it travels to the back-end server. Front-end configuration:

frontend ts_8799
    bind 30.7.20.109:8799 ssl crt /opt/ts/server-cert/haproxy/haproxy-cert.pem
    mode http
    option httpclose
    default_backend b_def_ts_8799

The back-end configuration is as follows:

backend b_def_ts_8799
    mode http
    balance roundrobin
    option tcpka
    stats hide-version
    option httpchk
    option httplog
    server controller1 30.7.20.111:28799 check inter 15s fastinter 15s downinter 15s rise 2 fall 4 ca-file /opt/ts/server-ca/ca-cert.pem ssl verify required

After receiving a request, HAProxy decrypts it with the certificate configured in the frontend, then re-encrypts it for the back-end server over a new TLS connection (ssl), verifying the back-end's certificate against the CA certificate configured in the backend (ca-file together with verify required), before sending the request on.
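As an added example (not code from the original post), here is a small Python checker that reads HAProxy frontend/backend blocks like the ones above and flags the consistency points this post makes: a front-end and its default_backend must share the same mode, a tcp-mode front-end should carry option tcplog, and a re-encrypting back-end should verify the server certificate with verify required and a ca-file. The two configurations inside it are constructed samples, and it assumes logging is set in the frontend rather than in a defaults section, which it does not parse.

```python
import re
# Constructed sample 1: SSL termination in front, re-encrypted and verified hop to the back-end.
CFG_OK = """
frontend ts_8799
    bind 30.7.20.109:8799 ssl crt /opt/ts/server-cert/haproxy/haproxy-cert.pem
    mode http
    default_backend b_def_ts_8799
backend b_def_ts_8799
    mode http
    server controller1 30.7.20.111:28799 check ssl verify required ca-file /opt/ts/server-ca/ca-cert.pem
"""
# Constructed sample 2: tcp front-end sent to an http back-end that skips certificate verification.
CFG_BAD = """
frontend ts_8799
    bind 30.7.20.109:8799
    mode tcp
    default_backend b_def_ts_8799
backend b_def_ts_8799
    mode http
    server controller1 30.7.20.111:28799 check ssl verify none
"""
def parse_sections(text):
    # Map (kind, name) -> directive lines for each frontend/backend/listen block.
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"(frontend|backend|listen)\s+(\S+)", line)
        if m:
            current, sections[current] = m.groups(), []
        elif line and not line.startswith("#") and current:
            sections[current].append(line)
    return sections

def get_mode(lines):
    # HAProxy's default is tcp when a section sets no mode.
    return next((l.split()[1] for l in lines if l.startswith("mode ")), "tcp")

def audit(text):
    # Findings: frontend/backend mode mismatch, tcp mode without tcplog, unverified back-end TLS.
    sections, findings = parse_sections(text), []
    for name, lines in ((n, ls) for (k, n), ls in sections.items() if k == "frontend"):
        mode = get_mode(lines)
        if mode == "tcp" and "option tcplog" not in lines:  # assumes logging is set per frontend, not in defaults
            findings.append(f"{name}: tcp mode without 'option tcplog'")
        for backend in (l.split()[1] for l in lines if l.startswith("default_backend ")):
            blines = sections.get(("backend", backend), [])
            if get_mode(blines) != mode:
                findings.append(f"{name}->{backend}: mode mismatch ({mode} vs {get_mode(blines)})")
            for l in blines:
                if l.startswith("server ") and "ssl" in l.split() and not ("verify required" in l and "ca-file" in l):
                    findings.append(f"{backend}: back-end TLS without 'verify required' and 'ca-file'")
    return findings
```

Running audit(CFG_BAD) reports the missing tcplog, the tcp/http mode mismatch and the unverified back-end TLS, while audit(CFG_OK) returns no findings.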