Use SSL Certificate for connection in HAProxy

Source: Internet
Author: User
Tags openssl x509 syslog ssl connection haproxy

Use SSL Certificate for connection in HAProxy

I. Environment Introduction

I was notified that the website should be changed from http to https. The current front-end architecture of my website is shown in:

Suppose we have two physical machines with many tomcat containers on each physical machine. The front end uses the http layer Load Balancing conducted by haproxy, And then we use LVS load balancing on the front end, the entire LVS uses the DR model.

At the beginning, I was about to change tomcat to https. When I set it to haproxy and then set it to haproxy, I found that haproxy could no longer use Server Load balancer, because SSL is on the fourth layer, so this solution is over. Next I will try to set SSL on the haproxy layer and use normal connections to the backend.

Ii. Setup steps

1. Overview

If your application uses an SSL certificate, you need to decide how to use them on the server Load balancer.

The simple configuration of a single server is usually to consider how the client SSL connection is decoded by the server that receives the request. As the Server Load balancer is located between the client and more servers, SSL connection decoding becomes the focus of attention.

2. There are two main strategies

The first is the selected mode. Set SSL in haproxy so that we can continue to use layer-7 Server Load balancer. The SSL connection ends at the Server Load balancer haproxy -----> decodes the SSL connection and sends unencrypted connections to the backend application tomcat. This means that the Server Load balancer is responsible for decoding the SSL connection, which is opposite to SSL penetration, it directly sends an SSL connection to the proxy server.

The second method uses SSL penetration. the SSL connection is terminated on each tomcat server and the CPU load is distributed to the tomcat server. However, this will make you lose the ability to add or modify the HTTP header, because the connection is simply routed from the Server Load balancer to the tomcat server, this means that the application server will lose the ability to obtain the X-Forwarded-* Header, which contains the Client IP address, port, and protocol used.

There are two combinations of policies, namely the third. The SSL connection is terminated at the Server Load balancer, adjusted as needed, and then acts as a new SSL connection proxy to the backend server. This may provide maximum security and the ability to send client information. The cost of doing so is more CPU power consumption and slightly more complicated configuration.

The policy you select depends on your needs and application requirements. The SSL terminal is the most typical policy I have ever seen, but SSL penetration may be safer.

3. Use HAProxy as the SSL Terminal

First, we will introduce the most typical solution-SSL terminal. As mentioned above, we need to have the Server Load balancer process SSL connections. This means placing the SSL certificate on the server Load balancer server.

Remember, using an SSL Certificate (rather than self-signed) in a production environment does not require you to generate or sign it yourself-you only need to create a Certificate Signature request (csr) and give it to the organization you bought the certificate from.

First, we create a self-signed certificate for demonstration and use the same certificate locally.

Openssl genrsa-out/etc/haproxy/wzlinux. key 2048
Openssl req-new-key/etc/haproxy/wzlinux. key-out/etc/haproxy/wzlinux. csr
> Country Name (2 letter code) [AU]: CN
> State or Province Name (full name) [Some-State]: Shanghai
> Locality Name (eg, city) []: Shanghai
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: wzlinux
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:
> Please enter the following 'extra 'attributes to be sent with your certificate request
> A challenge password []:
> An optional company name []:

Openssl x509-req-days 3655-in wzlinux. csr-signkey wzlinux. key-out wzlinux. crt

The wzlinux. csr, wzlinux. key, and wzlinux. crt files are generated.
Then, after creating the certificate, we need to create the pem file. In essence, the pem file only Concatenates the certificate, key, and certificate from the Certificate Authority (optional) into a file. In our example, we simply splice the certificate and key file in the same order to create the wzlinux. pem file. This is the preferred method for HAProxy to read SSL certificates.

Cat wzlinux. crt wzlinux. key | tee wzlinux. pem

When purchasing a real certificate, you may not necessarily obtain the spliced file. You can splice them yourself. However, many organizations will also provide you with a spliced file. If you have not obtained the spliced file, it may not be a pem file, but a bundle, cert, cert, key file, or file with the same concept but similar name.
In any case, as long as we get the pem file used by HAProxy, we only need to perform simple configuration to process the SSL connection.

Next we will configure haproxy to install the SSL certificate. The configuration file is as follows:
# Example configuration for a possible web application. See
# Full configuration options online.
# Http://
# Global settings
# To have these messages end up in/var/log/haproxy. log you will
# Need:
#1) configure syslog to accept network log events. This is done
# By adding the '-R' option to the SYSLOGD_OPTIONS in
#2) configure local2 events to go to the/var/log/haproxy. log
# File. A line like the following can be added
# Local2. */var/log/haproxy. log
Log local2 warning
Pidfile/var/run/haproxy. pid
Maxconn 400000
User haproxy
Group haproxy
Tune. ssl. default-dh-param 2048
# Nbproc 3
# Turn on stats unix socket
Stats socket/var/lib/haproxy/stats
# Common defaults that all the 'listen' and 'backend' sections will
# Use if not designated in their block
Mode http
Log global
Option httplog
Option dontlognull
Option http-server-close
Option forwardfor partition t
Option redispatch
Option httpclose
Retries 3
Timeout http-request 10 s
Timeout queue 1 m
Timeout connect 10 s
Timeout client 1 m
Timeout server 1 m
Timeout http-keep-alive 10 s
Timeout check 10 s
Stats enable
Stats hide-version
Stats uri/haproxy? Status
Stats realm Haproxy \ Statistics
Stats auth admin: asd870719
# Stats admin if TRUE
# Main frontend which proxys to the backends
# Frontend main *: 5000
# Acl url_static path_beg-I/static/images/javascript/stylesheets
# Acl url_static path_end-I. jpg. gif. png. css. js
# Use_backend static if url_static
# Default_backend app
Frontend wzlinux_ssl
Bind *: 80
Bind *: 443 ssl crt/etc/haproxy/wzlinux. pem
Mode http
Default_backend wzlinux
# Static backend for serving up images, stylesheets and such
# Backend static
# Balance roundrobin
# Server static 4331 check
Backend wzlinux
Mode http
Balance roundrobin
Option forwardfor
Option httpchk HEAD/HTTP/1.1 \ r \ nHost: localhost
Server wzlinux01 8080 check inter 15000 rise 2 fall 4
Server wzlinux02 8081 check inter 15000 rise 2 fall 4
Server wzlinux03 8082 check inter 15000 rise 2 fall 4
Server wzlinux04 8083 check inter 15000 rise 2 fall 4
Server wzlinux05 8084 check inter 15000 rise 2 fall 4
Server wzlinux06 8085 check inter 15000 rise 2 fall 4
Server wzlinux07 8086 check inter 15000 rise 2 fall 4
Http-request set-header X-Forwarded-Port % [dst_port]
Http-request add-header X-Forwarded-Proto https if {ssl_fc}

Because the SSL connection is terminated on the server Load balancer, we still send normal HTTP requests to the backend server.
Only Accept SSL connections
�� If you want your website to accept only SSL connections, you can add redirect orientation to the front-end Configuration:

123456 frontend wzlinux_ssl
Bind *: 80
Bind *: 443 ssl crt/etc/haproxy/wzlinux. pem
Redirect scheme https if! {Ssl_fc}
Mode http
Default_backend wzlinux

Above, we added redirect orientation. If the connection is not connected through SSL, It redirects http to https.
4. Use HAProxy to implement SSL penetration
With SSL penetration, we will allow the backend server to process SSL connections instead of Server Load balancer.

The Load balancer simply forwards requests to the configured backend server. Because the connection is still encrypted, HAProxy can only forward it to other servers, and other things cannot be done.
In this configuration, we need to use the TCP mode instead of the HTTP mode in both the frontend and backend configurations. HAProxy only forwards connections to other servers as information flows, instead of using the functions available on HTTP requests.
First, adjust the frontend Configuration:
123456 frontend wzlinux_ssl
Bind *: 80
Bind *: 443
Option tcplog
Mode tcp
Default_backend wzlinux

Port 80 and port 443 are bound at the same time to ensure normal HTTP connections and SSL connections can work.
As mentioned above, to forward a secure connection without decoding the server, we need to use the TCP mode (mode tcp ). This also means that we need to set tcp logs instead of the default http log (option tcplog ).
Next, we need to adjust the end configuration in the background. Note: we also need to change this to TCP mode and delete some ctives ves to avoid conflicts caused by modifying/adding the HTTP header function:
1234567891011 backend wzlinux
Mode tcp
Balance roundrobin
Option ssl-hello-chk
Server wzlinux01 8080 check inter 15000 rise 2 fall 4
Server wzlinux02 8081 check inter 15000 rise 2 fall 4
Server wzlinux03 8082 check inter 15000 rise 2 fall 4
Server wzlinux04 8083 check inter 15000 rise 2 fall 4
Server wzlinux05 8084 check inter 15000 rise 2 fall 4
Server wzlinux06 8085 check inter 15000 rise 2 fall 4
Server wzlinux07 8086 check inter 15000 rise 2 fall 4

As you can see, tcp-frontend and backend configurations must be set to this mode.
We also deleted option forwardfor and http-request options-these cannot be used in TCP mode, and we cannot add headers to encrypted requests, some of the previous default configurations are also deleted from the http configuration, which will not be demonstrated here.
To check whether the connection is correct, we can use ssl-hello-chk to check the connection and its ability to process SSL (especially SSLv3) connections.
In this example, I create two backend servers that accept the SSL certificate. If you have read the edition SSL certificates, you will see how to integrate them into Apache or Nginx to create a network server background to process SSL communication. You do not need to create or use an SSL Certificate for HAProxy. The backend servers can process SSL connections, just as if they only have one server and do not use a Server Load balancer.
I will not describe how to set up lvs distribution here. You can refer to my articles on LVS.

Haproxy + Keepalived build Weblogic high-availability server Load balancer Cluster

Keepalived + HAProxy configure high-availability Load Balancing

Haproxy + Keepalived + Apache configuration notes in CentOS 6.3

Haproxy + KeepAlived WEB Cluster on CentOS 6

Haproxy + Keepalived build high-availability Load Balancing

Configure an HTTP Load balancer using HAProxy

For details about HAproxy, click here
HAproxy: click here

This article permanently updates the link address:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.