Haproxy-1.5.x SSL Configuration

Source: Internet
Author: User
Tags: haproxy

We had been running HAProxy 1.4, which has no SSL support; HAProxy 1.5 does, so the version was upgraded for testing. The certificate files already in use for Apache's SSL setup can be reused on HAProxy after a small amount of processing.
The original plan was to keep HAProxy 1.4 and pass SSL through to the back-end servers, which would terminate it themselves; instead, SSL termination with the CA-issued certificate was configured on HAProxy 1.5. From: http://koumm.blog.51cto.com

1. Install
# yum install pcre-devel openssl-devel -y
# tar zxvf haproxy-1.5.3.tar.gz
# cd haproxy-1.5.3
# make TARGET=linux26 USE_STATIC_PCRE=1 USE_REGPARM=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_ZLIB=1 ARCH=x86_64
# make install PREFIX=/usr/local/haproxy
# cd /usr/local/haproxy
# mkdir conf

USE_OPENSSL=1 is the option that compiles SSL support in (which is why openssl-devel is installed first); without it the ssl keyword on a bind line is rejected when the configuration is loaded.

 

2. Prepare the PEM Certificate file

The CA-issued certificate had already been set up for Apache SSL, which left two files: the certificate (.cer) and the private key (.key). HAProxy's crt option takes a single PEM file, so the two are concatenated, certificate first and key after it (any intermediate CA certificates go between them). The combined file contains the private key, so keep it root-owned with mode 0600: HAProxy reads it as root at startup, before dropping to uid 99 and entering the chroot, so no other user needs access to it. The bundle reproduced below was published with the original post, private key included; a key that has been published is no longer secret, so treat it purely as an illustration of the format.

# cat my-server.cer my-server.key | tee my-server.pem

-----BEGIN CERTIFICATE-----
MIID3zCCA0igAwIBAgIPBwACIBQBFAAAAAACFUN1MA0GCSqGSIb3DQEBBQUAMIIB
JDENMAsGA1UEBh4EAEMATjEbMBkGA1UECB4SAEcAdQBhAG4AZwBkAG8AbgBnMRsw
GQYDVQQHHhIARwB1AGEAbgBnAHoAaABvAHUxPTA7BgNVBAoeNABHAEQAQwBBACAA
QwBlAHIAdABpAGYAaQBjAGEAdABlACAAQQB1AHQAaABvAHIAaQB0AHkxRzBFBgNV
BAsePgBHAHUAYQBuAGcAZABvAG4AZwAgAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAg
AEEAdQB0AGgAbwByAGkAdAB5MVEwTwYDVQQDHkgARwBEAEMAQQAgAEcAdQBhAG4A
ZwBkAG8AbgBnACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAQQB1AHQAaABvAHIA
aQB0AHkwHhcNMTQwMTEzMTYwMDAwWhcNMTkwMTMwMTYwMDAwWjCBrjENMAsGA1UE
Bh4EAEMATjEPMA0GA1UECB4GbXdTV3cBMQ8wDQYDVQQHHgZtd1PjXgIxKTAnBgNV
BAoeIG0LbWZ+z21OXwBT0VM6e6F0BlnUVFhPGk/hYG9OLV/DMSkwJwYDVQQLHiBt
C21mfs9tTl8AU9FTOm0LbWZZJ1OmADEANAAwADFbpDElMCMGA1UEAx4cADEAOQAy
AC4AMQA2ADgALgAyADMAMAAuADgANTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAz6XQgc/UBi/LtJh1BXTGxAyuWZY0nfkzPlv8cf2bRCMKadnM+iJ9PKv8mnpU
TgKe6+c5zjqy+sTk6KEYVMMROY4InrykZY/7tA+dk+lqECU+fQ+bNAzLh5yPp6Ni
2KzeG1V6/tF9t7syz8UWy6Bxgvdg3gu+M9vcpZUaD3NjsnECAwEAAaOBhTCBgjAf
BgNVHSMEGDAWgBR3QwkQ9xWLOrAR0kx7B5QE8BRURjAdBgNVHQ4EFgQUUN8BHs4A
rNrjCV9uSaeMw0/Fw/8wCwYDVR0PBAQDAgQwMBYGBSpWCwcBBA0xC4AJMjAxNDAx
MTQxMBsGBSpWFQEDBBIwMDcxMTIwMTQwMTE0Njg2NDkwDQYJKoZIhvcNAQEFBQAD
gYEAeKrIQ0u1cmgUz8qwW07VF1s6q+fKJf6OJnRDWshsG7ZRSJH2rZx7oohpZQJk
DUpLOGbvplXGFgyXCeQYyJSiStis0Ef6Jr1Y3iOjIrn7zASCu9EjuUSCreyF7w8c
4e4At2IMrUUTo+UZAiYRfqfMKpP7gYUY0LNmq2AEDbU4Fb0=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDPpdCBz9QGL8u0mHUFdMbEDK5ZljSd+TM+W/xx/ZtEIwpp2cz6
In08q/yaelROAp7r5znOOrL6xOTooRhUwxE5jgievKRlj/u0D52T6WoQJT59D5s0
DMuHnI+no2LYrN4bVXr+0X23uzLPxRbLoHGC92DeC74z29yllRoPc2OycQIDAQAB
AoGBALIBDiZJ+BM5o+H0E9USj1X/HPM1fXOy7gfWKSm64wBdHY8yI7KGIGADe68d
kOmy+3N1K6urzESGx0jY2JfJBRiKR3QW+fEL5UBhj/PC5Nj9OMxwEK0WqYlfhivx
EpPycuwKhDN7aYcGJIK/J38j4Q8G383wDev1Sl9beLRoqs+FAkEA+LtkdOVU8hfa
Xx44Tl6PxsY25LWunjuoUu6KZOWLvsAJK+CGV91oZAJk+QwXIZj8tDjPAGrcvHMM
cENwrvFWuwJBANW3GKsHELMTzJumKUXlSPDlU5xGn7H2PQOc+FaYuinK6K94E55t
E7MN6Oe+1avOTLYlRVsv2klPUkK1DlrOxsMCQBEFmgFZ9G9A7KPXyJisZgB/biBG
wrV3dbR/OJ9hCig6siX7jpYSw+McOtbEWgzlkF2xCZGIvqRy5yYDp4GBaKMCQQDQ
0F+X7AVTE8tdYZL+KjOEvG1fSloKpg+jkiHLatqqrwl/ORHiP615y+N/W6Smg6HM
bso/eJgN/STg7MsjytnFAkAVwZMhaoIWIocbyoA3eUQVIrUDynDMq27TDFwltvaL
ihOkwBYuzDujgOBLwY+pLg6SqphDhgP92OCg+VVqty02
-----END RSA PRIVATE KEY-----
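The one-line cat above works, but it does not tell you whether the key actually belongs to the certificate (HAProxy only reports that when it starts) and it leaves the bundle with the default umask. The script below is an added example, not part of the original post: a POSIX shell helper that assembles the PEM in the order HAProxy expects, verifies that the private key in the bundle matches the certificate's public key, reports the key size, and creates the file with mode 0600. It assumes OpenSSL is on the PATH; the function names and the file names passed to them are this editor's choices.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds the single PEM bundle
# that HAProxy's "crt" option expects and sanity-checks it before deployment.
# Assumes: openssl on PATH. File names passed in are hypothetical.
set -eu

# build_haproxy_pem OUT CERT KEY [CHAIN]
# Order matters to HAProxy: server certificate, then any intermediate CA
# certificates, then the private key. The bundle holds the key, so it is
# created under a 077 umask (in a subshell so the caller's umask is untouched)
# and then forced to 0600; HAProxy reads it as root at startup, before it
# drops privileges and enters the chroot, so nobody else needs access.
build_haproxy_pem() {
    out=$1 cert=$2 key=$3 chain=${4:-}
    (
        umask 077
        {
            cat "$cert"
            if [ -n "$chain" ]; then cat "$chain"; fi
            cat "$key"
        } > "$out"
    )
    chmod 600 "$out"
}

# pem_key_matches_cert PEM
# Succeeds only if the public key inside the certificate equals the public
# key derived from the private key found in the same file. Comparing the whole
# public key (rather than an RSA modulus) also works for EC keys.
pem_key_matches_cert() {
    pem=$1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# pem_key_bits PEM
# Prints the size in bits of the certificate's public key, e.g. 2048.
# HAProxy's tune.ssl.default-dh-param warning is about DH parameters, not this
# value, but the key size is still worth checking: 1024-bit RSA is too small.
pem_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# pem_file_mode PEM
# Prints the octal permission bits of the bundle (GNU/busybox stat), e.g. 600.
pem_file_mode() {
    stat -c %a "$1"
}
```

Run pem_key_matches_cert on the bundle before pointing the crt option at it; a non-zero exit means the two files came from different key pairs and HAProxy will refuse to start on that certificate.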

 

3. Create a configuration file
# vi /usr/local/haproxy/conf/haproxy.cfg

global
    log 127.0.0.1 local0
    maxconn 65535
    chroot /usr/local/haproxy
    uid 99
    gid 99
    stats socket /usr/local/haproxy/HaproxSocket level admin
    daemon
    nbproc 1
    pidfile /usr/local/haproxy/haproxy.pid
    #debug
    tune.ssl.default-dh-param 2048

defaults
    log 127.0.0.1 local3
    mode http
    option httplog
    option httplog clf
    option httpclose
    option dontlognull
    option forwardfor
    option redispatch
    retries 2
    maxconn 2000
    balance source
    #balance roundrobin
    stats uri /haproxy-stats
    stats refresh 10s
    timeout client 60s
    timeout connect 9s
    timeout server 30s
    timeout check 5s

listen TEST_APP_Cluster
    bind *:80
    mode http
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

listen TEST_APP_SSL
    bind *:443 ssl crt /usr/local/haproxy/conf/my-server.pem
    reqadd X-Forwarded-Proto:\ https
    mode http
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

listen stats_auth 0.0.0.0:91
    stats enable
    stats uri /admin
    stats realm "HA_CONSOLE"
    stats auth admin:123456
    stats hide-version
    stats refresh 10s
    stats admin if TRUE

Start HAProxy and check that ports 80, 443 and 91 are listening.

(The original post showed a screenshot of this step; the image is not reproduced here.)

 

4. Configuration highlights

With the default settings HAProxy 1.5 prints a warning at startup: unless tune.ssl.default-dh-param is set it uses 1024-bit Diffie-Hellman parameters for the DHE cipher suites, and the message suggests at least 2048. Adding tune.ssl.default-dh-param 2048 to the global section, as in the configuration above, clears the warning. Note that this concerns the ephemeral DH parameters, not the length of the certificate's key; HAProxy will also use DH parameters appended to the PEM file if you supply your own. The key in the PEM shown above is in fact 1024-bit RSA, which is below current minimums, so generate a 2048-bit key when the certificate is next issued.

The same PEM file also works with stunnel in front of HAProxy 1.4 if you have to stay on that version, which has no SSL support of its own.
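Two things in the configuration above deserve tightening before it leaves a test environment. The bind line on :443 accepts whatever the linked OpenSSL offers by default, which in 2014 still included SSLv3 and RC4, and reqadd appends X-Forwarded-Proto rather than replacing it, so a client can send its own copy of the header. The stats listener is bound to 0.0.0.0 with a trivial password, and stats admin if TRUE lets anyone who logs in take back-end servers out of rotation. The fragment below is an added example, not from the original post, showing the same sections rewritten with HAProxy 1.5 directives (ssl-default-bind-options, ssl-default-bind-ciphers, redirect scheme, http-request set-header, http-response set-header all exist in 1.5); the cipher list and the from_local acl are this editor's choices, and the password is a placeholder.

```haproxy
global
    # as in the post, plus TLS defaults that apply to every "bind ... ssl"
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4:!3DES

frontend TEST_APP_Cluster
    bind *:80
    mode http
    # Do not serve the application over plain HTTP as well; send clients to HTTPS.
    redirect scheme https code 301 if !{ ssl_fc }

listen TEST_APP_SSL
    bind *:443 ssl crt /usr/local/haproxy/conf/my-server.pem
    mode http
    # set-header replaces any X-Forwarded-Proto the client sent; reqadd would keep it.
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
    option httpchk GET /test.html HTTP/1.0\r\nHost:192.168.10.180
    server node01 192.168.0.100:100 weight 3 check inter 2000 rise 2 fall 1
    server node02 192.168.0.101:100 weight 3 backup check inter 2000 rise 2 fall 1

listen stats_auth
    # loopback (or a management interface) instead of 0.0.0.0
    bind 127.0.0.1:91
    mode http
    stats enable
    stats uri /admin
    stats realm "HA_CONSOLE"
    stats auth admin:REPLACE_WITH_A_LONG_RANDOM_PASSWORD
    stats hide-version
    stats refresh 10s
    # admin actions (enable/disable servers) only from the local host,
    # instead of "stats admin if TRUE"
    acl from_local src 127.0.0.1
    stats admin if from_local
```

If the stats page must be reachable from elsewhere, keep the acl and widen it to the management network rather than going back to if TRUE, and remember that the stats socket in the global section (level admin) grants the same control to anyone who can open that Unix socket inside the chroot.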

This article is from the "koumm Linux technology blog"; please keep this source when reposting: http://koumm.blog.51cto.com/703525/1539692
