HAProxy is a suitable service for very high-traffic websites and is therefore often used to improve web service reliability and performance for multi-server configurations.
To install SSL on HAProxy, please refer to the instructions below: (note: the file locations may vary according to the settings on your server)
1. Prepare SSL certificate file
- You will receive the private key file by email when the SSL certificate is activated; the file name usually has the form: www_domain_.key
- When you download the SSL certificate that has completed validation, you will receive the following files; you will use 2 of them, as shown in the image below:
Next, upload the 3 files www_domain.key, www_domain.pem and Chain_RootCA_Bundle.crt to the server and run the following command to create the pem file used to install SSL on HAProxy.
cat www_domain.pem Chain_RootCA_Bundle.crt www_domain.key > certificate.pem
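The bundle created in step 1 contains the private key, so it should be readable by its owner only, and a key that does not belong to the certificate is best caught before HAProxy loads the file. The script below is an added example, not part of the original instructions; its function names are hypothetical and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# build_bundle CERT CHAIN KEY OUT
# Same concatenation order as step 1. The umask in the subshell creates OUT
# readable by its owner only, because the bundle contains the private key.
build_bundle() {
    ( umask 077 && rm -f "$4" && cat "$1" "$2" "$3" > "$4" )
}

# bundle_layout_ok FILE
# Succeeds when FILE has at least one certificate and exactly one private key.
bundle_layout_ok() {
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# key_matches_cert FILE
# Succeeds when the private key in FILE belongs to the first (server)
# certificate, i.e. both yield the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs only when the three files named in step 1 are in the current directory.
if [ -f www_domain.pem ] && [ -f Chain_RootCA_Bundle.crt ] && [ -f www_domain.key ]; then
    build_bundle www_domain.pem Chain_RootCA_Bundle.crt www_domain.key certificate.pem &&
        bundle_layout_ok certificate.pem &&
        key_matches_cert certificate.pem &&
        echo "certificate.pem: layout and key/certificate match OK"
fi
```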
2. Check if HAProxy has SSL support
Please run the following command to check the HAProxy version:
If the returned result contains the following information, HAProxy supports SSL:
HA-Proxy version 1.6.3 2015/12/25
[...]
Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Otherwise, if you see the following output, then you need to rebuild HAProxy with SSL support.
HA-Proxy version 1.6.3 2015/12/25
[...]
Built with OpenSSL version : not set
3. Configure SSL for HAProxy
Open the HAProxy configuration file /etc/haproxy/haproxy.cfg and edit it as follows: (Note that the path may be different on your server)
frontend http_front
    bind *:80
    stats uri /haproxy?stats
    default_backend http_back

frontend https_front
    # Path to the pem file created in step 1.
    bind *:443 ssl crt /etc/ssl/certificate.pem
    # The space in the header value must be escaped.
    reqadd X-Forwarded-Proto:\ https
    # Send HTTPS traffic to the same backend as HTTP.
    default_backend http_back

backend http_back
    balance roundrobin
    server Server1 <private IP>:80 check
    server Server2 <private IP>:80 check
After the configuration is complete, run the following command to check the configuration file:
haproxy -c -f /etc/haproxy/haproxy.cfg
After the configuration test succeeds, restart HAProxy for the configuration to take effect.
service haproxy restart
Note: This is just a reference for installing SSL on HAProxy. The settings may be different from yours, so please check and adjust them to avoid errors.