How to Configure an SSL Certificate in HAProxy

How to Configure an SSL Certificate in HAProxy

HAProxy, a high-performance TCP/HTTP load balancer, supports SSL termination, which means it can handle SSL encryption and decryption tasks, reducing the load on backend servers.

This article will show you how to configure an SSL certificate in HAProxy, including, generating a CSR (Certificate Signing Request) code, obtaining a commercial SSL certificate, combining the cert with the private key, and configuring HAProxy to use it. So let’s get started!


Table of Contents

  1. Generate a CSR Code for Your SSL Certificate
  2. Get a Commercial SSL Certificate for HAProxy
  3. Merge the Certificate and the Private Key
  4. Configure the PEM SSL Certificate in HAProxy

Generate a CSR Code for Your SSL Certificate

Before the Certificate Authority can issue the SSL certificate, it needs the CSR code from you to validate your contact credentials. The CSR is a small encoded text block with relevant details about your website and company. You must generate and submit it during SSL enrolment.

Here’s how to do it:

  1. Open a Terminal: Access the command line interface on your server.
  2. Run the OpenSSL Command: Use the following OpenSSL command to generate a CSR and a private key. Replace mydomain with your actual domain name.

    openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
  3. Enter the Required Information: You will be prompted to enter details such as:
    • Country Name (2-letter code, e.g. US)
    • State or Province Name (e.g., California)
    • Locality Name (e.g., San Jose)
    • Organization Name (e.g., GPI Holding)
    • Organizational Unit Name (e.g.,IT)
    • Common Name (e.g., yourdomain.com)
    • Email Address
  4. Save the CSR and Private Key: The command will generate two files: mydomain.csr (the CSR) and mydomain.key (the private key). Keep the private key secure as it will be needed later.

Get a Commercial SSL Certificate for HAProxy

Commercial SSL certificates are trusted by all browsers and operational systems. As a result, your websites or apps won’t face annoying SSL connection errors. For a production environment, such certificates are a must. If you’re using HAProxy for testing purposes, you can generate a self-signing cert, but in this article, we’ll focus on HAProxy SSL configuration for live environments.

To obtain a commercial SSL certificate, follow these steps:

  1. Choose a Certificate Authority (CA): Select a reputable CA like DigiCert, Comodo, or GeoTrust.
  2. Select the Certificate Type: Choose the type of SSL certificate that suits your needs, such as a single-domain, wildcard, or multi-domain (SAN) certificate.
  3. Submit the CSR: Provide the CSR to the CA so they can issue a certificate that matches your server’s private key.
  4. Buy the Certificate: Get your SSL certificate from a reliable SSL reseller like SSL Dragon for the best price and customer support.
  5. Validation Process: Depending on the type of certificate, you will undergo a domain validation, organization validation, or extended validation process.
  6. Receive the Certificate: After validation, the CA will issue the SSL files archived in a ZIP folder.

Merge the Certificate and the Private Key

Once you receive your SSL certificate from the CA, you need to combine it with your private key to create a single file that HAProxy can use.

  1. Prepare the Files: Ensure you have the following files:
    • Your domain’s SSL certificate (e.g., mydomain.crt)
    • The private key generated earlier (mydomain.key)
    • Any intermediate certificates provided by the CA (e.g., intermediate.crt). Usually, the CA sends the intermediates in a CA Bundle file.
  2. Combine the Files: This command combines the certificate, intermediate certificate, and private key into a single PEM file.

    cat mydomain.crt intermediate.crt mydomain.key > /etc/haproxy/mydomain.pem

Configure the PEM SSL Certificate in HAProxy

Now that you have the PEM file, you can configure HAProxy to use the SSL certificate.

Step 1: Upload the PEM Certificate to the HAProxy Server:

Use the scp command to upload the PEM certificate file to the HAProxy server (replace sysadmin and haproxy_server_ip with the remote server username and IP address respectively):

scp mydomain.pem sysadmin@haproxy_server_ip:/home/sysadmin/

Step 2: Create a directory for the Certificate

Create a directory where the certificate PEM file will be stored:

sudo mkdir -p /etc/ssl/mydomain/
sudo cp mydomain.pem /etc/ssl/mydomain/

Step 3: Edit the HAProxy Configuration File

Open the HAProxy configuration file (by default located at /etc/haproxy/haproxy.cfg) in a text editor like Notepad.

Step 4: Configure Frontend Section

Modify the frontend section to enable SSL termination and redirect HTTP traffic to HTTPS:

frontend http_frontend
mode http
bind *:80
bind *:443 ssl crt /etc/ssl/mydomain/mydomain.pem alpn h2,http/1.1
redirect scheme https code 301 if !{ ssl_fc }
default_backend http_servers

Step 5: Add SSL/TLS Parameters

To ensure the use of modern and secure SSL/TLS versions, add the ssl-min-ver parameter:

bind *:443 ssl crt /etc/ssl/mydomain/mydomain.pem alpn h2,http/1.1 ssl-min-ver TLSv1.2

This directive supports HTTP/2 and HTTP/1.1 protocols and enforces a minimum TLS version of 1.2 for secure connections.

Step 6: Configure Backend Section

Ensure your backend servers are correctly defined.

backend http_servers
mode http
balance roundrobin
server server1 :80 check
server server2 :80 check

Step 7: Restart HAProxy

Apply the changes by restarting the HAProxy service:

sudo systemctl restart haproxy

Step 8: Test your SSL Configuration

To test your HAProxy SSL configuration, use SSL Labs, and enter your domain name. The tool will provide a comprehensive report on your SSL/TLS setup, including the certificate details and any potential issues.


Conclusion

In summary, learning how to configure an SSL certificate in HAProxy is essential for securing your web applications and ensuring reliable communication between clients and servers. By correctly setting up your HAProxy SSL configuration, you can protect sensitive data and enhance overall security. Following these guidelines helps to implement robust encryption and ensures that your website operates securely over HTTPS, providing a safer experience for your users.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

Experienced content writer specializing in SSL Certificates. Transforming intricate cybersecurity topics into clear, engaging content. Contribute to improving digital security through impactful narratives.