Sharing Ilmu

Sharing for useful things

How To Configure Haproxy with SSL/TLS Termination (Https Webserver over Haproxy)

Hello everyone, in this tutorial I'll discuss how to configure SSL termination on HAProxy. In the preceding tutorial, Configure Multiple Web server In Single IP, I discussed the HAProxy configuration for a plain HTTP website. But what if the website must be served over HTTPS with an SSL certificate? OK, let's do that.

This tutorial continues the configuration from Configure Multiple Web server In Single IP, so make sure you have completed it successfully first.

For the test, I want server1 (webserver1) to serve its website with an SSL certificate (HTTPS). The first step is to create (generate) the SSL certificate on webserver1. The command below produces a self-signed certificate valid for 365 days together with a 2048-bit RSA key; -nodes means the key file is written unencrypted, so it must be kept private:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout webssl.key -out webssl.crt

Configure default-ssl.conf

Change SSLCertificateFile and SSLCertificateKeyFile to point at the files created above:

SSLCertificateFile     /root/webssl.crt

SSLCertificateKeyFile  /root/webssl.key

Enable the default-ssl.conf site and reload Apache

# a2ensite default-ssl.conf

# service apache2 reload

Enable mod_ssl and restart Apache

# a2enmod ssl

# service apache2 restart

Then send the SSL certificate created on webserver1 to the HAProxy server using scp (Secure Copy Protocol). Make sure SSH is installed on both webserver1 and the HAProxy server.

root@web1:~#  scp webssl.* nameuserhaproxy@IPHaproxyServer:/homedirectory

Then enter the password of the HAProxy user.

Look at the user's home directory on the HAProxy server.

Then merge the webssl.crt and webssl.key files into one .pem file.
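The post gives no command for the merge step, so here is an added example (not from the original post) of a small POSIX shell helper that builds the bundle HAProxy expects, certificate first and then the key, keeps the file readable only by its owner because it now carries the private key, and checks that the key really belongs to the certificate. File names follow the post (webssl.crt, webssl.key, /etc/ssl/certs/webserver1.pem); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build the PEM bundle that the
# tutorial's "bind *:443 ssl crt /etc/ssl/certs/webserver1.pem" line expects.
# HAProxy reads ONE file holding the certificate first, then the private key.
# Function names are mine; file names follow the post.

# build_haproxy_pem CRT KEY OUT
# Refuses inputs that are not a PEM certificate / PEM private key, writes
# CRT then KEY into OUT, and keeps OUT readable by its owner only, because the
# bundle now carries the private key. Returns non-zero on any failure.
build_haproxy_pem() {
    crt=$1 key=$2 out=$3
    grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "not a PEM certificate: $crt" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "not a PEM private key: $key" >&2; return 1; }
    # umask in a subshell: the file is created 0600 and the caller's umask is untouched
    ( umask 077 && cat "$crt" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

# pem_order_ok PEM
# True when the first CERTIFICATE block comes before the first PRIVATE KEY block.
pem_order_ok() {
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$1" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n 'PRIVATE KEY' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$cert_line" ] && [ -n "$key_line" ] && [ "$cert_line" -lt "$key_line" ]
}

# pem_key_matches_cert PEM
# Extracts the public key from the certificate and from the private key in the
# same bundle (openssl skips PEM blocks of the wrong type) and compares them.
pem_key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$from_cert" = "$from_key" ]
}

# Usage on the HAProxy host, after the scp step in the post:
#   build_haproxy_pem ~/webssl.crt ~/webssl.key /etc/ssl/certs/webserver1.pem \
#       && pem_order_ok /etc/ssl/certs/webserver1.pem \
#       && pem_key_matches_cert /etc/ssl/certs/webserver1.pem \
#       && echo "webserver1.pem is ready for haproxy.cfg"
```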

Configure HAProxy so that website1.web.id is automatically served over HTTPS when a client accesses it.

#  nano /etc/haproxy/haproxy.cfg

Add the following lines to the frontend section (reqadd is the HAProxy 1.x directive; 2.x releases replaced it with http-request set-header):

bind *:443 ssl crt /etc/ssl/certs/webserver1.pem

reqadd X-Forwarded-Proto:\ https

and edit backend WEB1 as follows:

redirect scheme https if !{ ssl_fc }

server web1 10.0.0.2:80 check

Restart the HAProxy service and make sure the configuration loads without errors.

Add a new dst-nat rule for port 443 on R-Server.

Test access to the website from a client outside the router's network.

The configuration was successful.
