
HAPROXY SSL TERMINATION

by on Nov.12, 2017, under Uncategorized

A working HAProxy configuration for terminating TLS for multiple domains and routing each request to a backend based on the SNI name the client presents.

 

 

 

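#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    chroot /var/lib/haproxy               # run jailed in this directory after start-up
    pidfile /var/run/haproxy.pid          # pid file path
    maxconn 4000                          # process-wide cap on concurrent connections
    user haproxy                          # drop privileges to this user ...
    group haproxy                         # ... and this group once the listeners are bound
    log 127.0.0.1 local2                  # ship logs to the local syslog daemon, facility local2
    # NOTE(review): the socket grants control of the running process; consider
    # 'mode 600' on it so only the owning user can talk to it.
    stats socket /var/lib/haproxy/stats   # admin/stats socket for CLI debugging

    # SSL settings - validate the result at https://www.ssllabs.com/ssltest
    tune.ssl.default-dh-param 2048
    # TLS 1.0 and 1.1 are deprecated and flagged by the SSL Labs test; drop
    # no-tlsv10/no-tlsv11 only if legacy clients that cannot do TLS 1.2 must be served.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Cipher list: DES-CBC3-SHA removed and !3DES added, because 3DES is a 64-bit
    # block cipher (SWEET32) and '!DES' alone does not exclude it. The remaining
    # non-PFS AES/CAMELLIA suites are kept for compatibility with old clients;
    # prune them once only ECDHE/DHE-capable clients remain.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS
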

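defaults
    mode http                      # layer-7 (HTTP) processing unless a section overrides it
    log global                     # inherit the log target from the global section
    option dontlognull             # do not log connections that never sent any data
    retries 3                      # connection attempts to a server before giving up
    timeout http-request 10s       # max time to receive the complete request headers (slowloris guard)
    timeout queue 1m               # max time a request may wait for a free server slot
    timeout connect 10s            # max time to establish the TCP connection to a server
    timeout client 1m              # max client-side inactivity
    timeout server 1m              # max server-side inactivity
    timeout http-keep-alive 10s    # max idle time waiting for the next request on a kept-alive connection
    timeout check 5s               # extra read timeout for a health check once its connection is up ('inter' sets the frequency)
    option redispatch              # on connection failure, retry on another server instead of the one that failed
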

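#---------------------------------------------------------------------
# The public 'www' address in the DMZ
#---------------------------------------------------------------------
frontend ssl-tsl
    # Listen on 443 over both IPv4 and IPv6; 'crt' points at a directory holding
    # one certificate file per domain, selected by the SNI the client sends.
    bind :::443 v4v6 ssl crt /path/to/crt/dir
    # Append the client IP to X-Forwarded-For. NOTE(review): a client can still
    # send its own X-Forwarded-For, which is passed through ahead of the real
    # address; if no trusted proxy sits in front of HAProxy, strip it first with
    # 'http-request del-header X-Forwarded-For'.
    option forwardfor

    # Route on the SNI name of the TLS handshake (not the Host header).
    # Exact match ('ssl_fc_sni') rather than suffix match ('ssl_fc_sni_end'):
    # a suffix match would also accept names such as 'notdomain1.fqdn'.
    acl D1 ssl_fc_sni -i domain1.fqdn    #CHANGE
    acl D2 ssl_fc_sni -i domain2.fqdn    #CHANGE
    # use_backend/default_backend must name the 'backend' sections defined
    # below ('domain1', 'domain2'); the ACL names are not backends.
    use_backend domain1 if D1
    use_backend domain2 if D2
    # anything that matches neither name is sent here
    default_backend domain1
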

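#---------------------------------------------------------------------
# Stats page
#---------------------------------------------------------------------
frontend stats
    # NOTE(review): this listener is unauthenticated and bound on every address,
    # so anyone who can reach port 8081 can read the topology and health state.
    # Bind it to a management address (e.g. 127.0.0.1:8081) and/or add
    # 'stats auth <user>:<password>' before exposing it.
    bind *:8081
    stats enable                        # serve the statistics page on this listener
    stats hide-version                  # do not disclose the HAProxy version
    stats realm Haproxy\ Statistics     # realm shown in the browser auth prompt (used with 'stats auth')
    stats uri /haproxy_stats            # path of the statistics page
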

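#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
backend domain1
    http-request set-header Host domain1.fqdn    # rewrite the Host header for the origin #CHANGE THIS
    # set-header (not add-header): with add-header a client-supplied
    # X-Forwarded-Proto would reach the origin next to ours and could be
    # picked up first by the application.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Prepend the client IP to an existing X-Forwarded-For chain. '\1' is the
    # backreference to the previous value (the backslash is required; '1' alone
    # would replace the chain with the literal text 'src,1'). Entries after the
    # first came from the client and must not be trusted as-is.
    # NOTE(review): 'option forwardfor' in the frontend most likely appends the
    # client IP as well, so it may end up in the list twice - confirm and keep one.
    acl h_xff_exists req.hdr(X-Forwarded-For) -m found
    http-request replace-header X-Forwarded-For (.*) %[src],\1 if h_xff_exists

    # Origin server. 'check inter 300' probes every 300 ms (the unit defaults
    # to milliseconds; write 'inter 5m' for a five-minute interval).
    # 'maxconn 10000' caps concurrent connections to this server.
    server domain1server 10.0.0.1:80 check inter 300 maxconn 10000    # CHANGE the port
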

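backend domain2
    http-request set-header Host domain2.fqdn    # rewrite the Host header for the origin #CHANGE THIS
    # set-header (not add-header): with add-header a client-supplied
    # X-Forwarded-Proto would reach the origin next to ours and could be
    # picked up first by the application.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Prepend the client IP to an existing X-Forwarded-For chain. '\1' is the
    # backreference to the previous value (the backslash is required; '1' alone
    # would replace the chain with the literal text 'src,1'). Entries after the
    # first came from the client and must not be trusted as-is.
    # NOTE(review): 'option forwardfor' in the frontend most likely appends the
    # client IP as well, so it may end up in the list twice - confirm and keep one.
    acl h_xff_exists req.hdr(X-Forwarded-For) -m found
    http-request replace-header X-Forwarded-For (.*) %[src],\1 if h_xff_exists

    # Origin server. 'check inter 300' probes every 300 ms (the unit defaults
    # to milliseconds; write 'inter 5m' for a five-minute interval).
    # 'maxconn 10000' caps concurrent connections to this server.
    # NOTE(review): the address 19.0.0.2 is outside the 10.0.0.0/8 range used by
    # the sibling backend - verify it is not a typo for 10.0.0.2.
    server domain2server 19.0.0.2:80 check inter 300 maxconn 10000    # CHANGE the port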
