Bobcares

HAProxy SSL Termination | All About

by | Aug 16, 2022

HAProxy SSL termination allows us to quickly and easily enable SSL/TLS encryption for our applications. All questions, no matter how small, are answered by Bobcares as part of our Server Management Service.

HAProxy SSL termination

HAProxy can terminate SSL/TLS at the load balancer: when built against OpenSSL, it decrypts traffic arriving from clients and can re-encrypt it on the way to the servers, so enabling TLS for our applications takes only a few lines of configuration and no extra software in front of the proxy.

The Advantages of SSL Termination

Maintaining SSL certificates across a farm of servers is laborious. Even with Certbot renewing Let’s Encrypt certificates automatically, each web server may have to be reachable directly from the Internet so that Let’s Encrypt can verify that we control the domain, unless we are able to update DNS records dynamically as part of the renewal.

With SSL enabled on the web servers themselves, each of them spends CPU time encrypting and decrypting every message, time that could otherwise go to serving requests. Servers that are not also running TLS handshakes and record encryption can process requests faster.

SSL termination means that all encryption and decryption happens at the network’s edge, on the load balancer. The load balancer removes the encryption and forwards the messages to our servers unencrypted; this is also called SSL offloading. The corollary is that the hop from the load balancer to the servers is cleartext, so that path has to run over a network we trust (a private VLAN or VPC subnet, not the public Internet), or the traffic has to be re-encrypted as described below.

Benefits

SSL termination has a lot of advantages. They consist of the following:

  1. Our work will be simpler because we can maintain certificates in fewer locations.
  2. For certificate renewal purposes, we don’t need to make our servers accessible over the Internet.
  3. Processing of encrypted messages is relieved from servers, freeing up CPU time.

SSL activation through HAProxy

Since HAProxy version 1.5, released in 2014, HAProxy has handled SSL encryption and decryption itself, without a separate program such as Stunnel or Pound in front of it. To turn it on, add the ssl and crt parameters to a bind line in the frontend section of the HAProxy configuration file.

The ssl parameter enables SSL termination on that listener, and the crt parameter gives the path to the PEM file HAProxy should present. That one file must contain the private key, the server certificate and any intermediate CA certificates needed to complete the chain; since it holds the key, it should be readable only by the user HAProxy runs as. That is all it takes to activate the feature. Once the traffic has been decrypted, HAProxy can inspect it, modify HTTP headers, route on the Host header or URL path, and read cookies, and it forwards the messages to the backend servers without encryption.

If we prefer to re-encrypt the data before relaying it, we can add the ssl parameter to the server lines in the backend section, at the cost of some of the CPU savings that termination gives us.

When HAProxy negotiates TLS with a server, it checks whether it trusts the server’s certificate. If the certificate was issued by a private certificate authority, the right fix is to store that CA’s certificate on the load balancer and point to it with the ca-file parameter, keeping verify required. Adding verify none to the server line also makes the handshake succeed, but it does so by skipping authentication altogether: HAProxy will then accept any certificate, including one presented by an attacker who has inserted himself between the load balancer and the backend, so it is a debugging setting, not a production one.
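The configuration below is an added example written for this page; it is not taken from the article or from the HAProxy project. It shows a frontend terminating TLS, one backend receiving plaintext and one backend being re-encrypted with the server certificate actually verified. All paths, addresses and the api.internal hostname are assumptions.

```haproxy
# Added example, not from the article. File paths, addresses and the
# backend hostname are assumptions; replace them with your own.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # 'ssl' terminates TLS on this listener; 'crt' points at ONE PEM file
    # holding the private key, the leaf certificate and the chain.
    # Keep that file readable only by the user HAProxy runs as.
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    # After decryption HAProxy can route on the path (or Host, cookies...).
    use_backend api_servers if { path_beg /api/ }
    default_backend web_servers

backend web_servers
    # Plain HTTP to the application: cleartext from here on, so the load
    # balancer and these servers must share a trusted network.
    server web1 10.0.1.11:8080 check
    server web2 10.0.1.12:8080 check

backend api_servers
    # Re-encrypt to the backend AND authenticate it:
    #   verify required  -> handshake fails unless the cert chains to ca-file
    #   sni / verifyhost -> send and check the expected server name
    # 'verify none' would accept any certificate, letting anyone on the
    # internal path impersonate the backend; do not ship that.
    server api1 10.0.2.21:8443 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem sni str(api.internal) verifyhost api.internal check
```

Run `haproxy -c -f <file>` after editing: it parses the configuration and loads the certificates, so a PEM file without its key, a missing CA file or a bad keyword shows up before a reload.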

HTTP to HTTPS redirection

When someone types our domain name into the address bar, they usually leave out https://, so the browser requests the http:// version of the site first. With HAProxy terminating SSL, we can also redirect everything that arrives on HTTP port 80 to HTTPS port 443.

The redirect rule checks the ssl_fc fetch method, which returns true when the client’s connection to the frontend uses SSL/TLS; combined with the unless keyword, the rule fires only for requests that did not use it, and those requests are redirected to the https scheme. HTTPS then becomes the default for all traffic. At that point we can also add an HSTS (Strict-Transport-Security) header, which tells the browser to go straight to HTTPS on every later visit for as long as the header’s max-age lasts. Because browsers enforce that policy strictly, add it only once the whole site (and every subdomain, if includeSubDomains is used) is reachable over HTTPS.
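The fragment below is an added example, not code from the article. It puts the port 80 and port 443 listeners in one frontend so the unless { ssl_fc } condition is what separates redirected from served requests, and it attaches the HSTS header only to responses that actually went out over TLS. The certificate path and backend are assumptions.

```haproxy
# Added example, not from the article. Certificate path and backend are assumptions.

frontend web
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem

    # ssl_fc is true only on the :443 listener. Anything that arrived in
    # clear text is redirected to the same host and path over https.
    # 301 is cached by browsers; use 302 while you are still testing.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # HSTS: one year, including subdomains. Sent only on TLS responses
    # (browsers ignore it over HTTP anyway). Start with a short max-age
    # such as 300 and raise it once every hostname works over HTTPS,
    # because browsers will refuse plain HTTP for the whole period.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }

    default_backend web_servers

backend web_servers
    server web1 10.0.1.11:8080 check
```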

Limiting SSL Versions Supported

Older SSL and TLS versions are deprecated as vulnerabilities are found in them: SSLv3 is broken (POODLE), and TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021. HAProxy lets us restrict which versions it will negotiate: add the ssl-min-ver option to the bind line to name the oldest version we will accept, which today should be TLSv1.2.

This option takes one of SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 (ssl-max-ver caps the other end). To apply it to every proxy, put it in the global section as part of an ssl-default-bind-options directive.

Restricting the Ciphers Supported

In addition to the permitted SSL and TLS versions, we can set the encryption ciphers we will use by adding a ciphers parameter to the bind line (TLS 1.3 cipher suites are configured separately with ciphersuites). The list is in order of preference, with fallback algorithms at the end.

HAProxy picks the first cipher in our list that the client also supports, unless the prefer-client-ciphers parameter is present, in which case the client’s preference wins; leaving that parameter off keeps the choice on the server side, where we control it. Use the Mozilla SSL Configuration Generator to decide which ciphers to include for the HAProxy and OpenSSL versions in use. A default for all listeners can be set with an ssl-default-bind-ciphers directive (and ssl-default-bind-ciphersuites for TLS 1.3) in the global section.
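The following global section is an added example covering both this section and the previous one on minimum versions; it is not from the article. The cipher strings are modelled on Mozilla’s "intermediate" profile and should be regenerated for your own HAProxy/OpenSSL versions; the certificate path is an assumption. The commented bind line at the end shows the weak configuration that these defaults are meant to prevent.

```haproxy
# Added example, not from the article. Cipher lists are modelled on the
# Mozilla "intermediate" profile (verify against the generator for your
# versions); the certificate path is an assumption.

global
    # Applied to every 'bind ... ssl' line that does not override them.
    # Minimum TLS 1.2; session tickets off so a leaked ticket key cannot
    # decrypt past sessions.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 ciphers, server-preferred order, strongest first.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites have their own directive.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

frontend https_in
    # Inherits the global minimum version and both cipher lists.
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    default_backend web_servers

    # WEAK (shown as the anti-pattern, left commented out): re-admits
    # TLS 1.0/1.1 on this listener and lets the client pick the cipher,
    # so a downgrade-capable attacker chooses the weakest thing we offer.
    # bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem ssl-min-ver TLSv1.0 prefer-client-ciphers

backend web_servers
    server web1 10.0.1.11:8080 check
```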

Selecting the SNI Certificate

Server Name Indication (SNI) is a TLS extension that lets the client include the hostname it wants to reach in the handshake. HAProxy uses it to choose which certificate to serve for that connection.

Instead of a path to a single certificate file, give the crt parameter a directory containing several PEM files. HAProxy loads all of them and picks the one whose common name or subject alternative name matches the SNI hostname.

If the client sends no SNI (older clients and many scanners), HAProxy falls back to the first certificate it loaded, which is the first file in alphabetical order, so name the PEM files such that the intended default sorts first. Where every legitimate client sends SNI, the strict-sni bind option refuses the handshake instead of serving a default certificate.

Serving Both EC and RSA Certificates

HAProxy supports both Elliptic Curve (ECDSA) and RSA certificates and presents whichever the client signals support for, so modern clients get the smaller, faster ECDSA key while older clients still get RSA. To enable this, store both certificates on the load balancer under the same base name, one ending in .rsa and the other in .ecdsa, and reference the base name in the crt parameter.
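The fragment below is an added example serving both the SNI section and this one; it is not from the article. It assumes a directory of per-hostname PEM files for SNI selection plus an RSA/ECDSA pair under one base name, and the directory layout, file names and hostnames are all assumptions.

```haproxy
# Added example, not from the article. Layout, names and hostnames are assumptions.
#
# Assumed files on the load balancer (each: key + certificate + chain, mode 0600):
#   /etc/haproxy/certs/00-default.example.com.pem   # sorts first -> served when no SNI
#   /etc/haproxy/certs/api.example.com.pem
#   /etc/haproxy/certs/www.example.com.pem
#   /etc/haproxy/dual/shop.example.com.pem.rsa      # same base name, two key types
#   /etc/haproxy/dual/shop.example.com.pem.ecdsa

frontend https_in
    # First crt: a directory. Every PEM in it is loaded in alphabetical
    # order and matched per connection against the SNI hostname (CN/SAN).
    # Clients sending no SNI get the first file loaded, hence the '00-' prefix.
    # Second crt: a base name with no file of its own; HAProxy loads
    # <base>.rsa and <base>.ecdsa and offers ECDSA when the client's
    # advertised algorithms allow it, RSA otherwise.
    bind :443 ssl crt /etc/haproxy/certs/ crt /etc/haproxy/dual/shop.example.com.pem
    default_backend web_servers

    # Stricter alternative: refuse the handshake instead of serving the
    # default certificate when SNI is missing or matches nothing, so the
    # default cert's hostnames are never handed to clients that did not
    # ask for them.
    # bind :443 ssl crt /etc/haproxy/certs/ strict-sni

backend web_servers
    server web1 10.0.1.11:8080 check
```

Because the default is "first file loaded", renaming or adding a file that sorts before the intended default silently changes which certificate anonymous clients see; a quick `openssl s_client -connect lb:443 -noservername` after each deployment catches that.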


Conclusion

In summary, our Support team walked through enabling SSL termination with HAProxy. Having HAProxy handle encryption and decryption has several advantages: it lightens the load on the backend servers, simplifies certificate maintenance, and removes the need to expose those servers directly to the Internet for certificate renewal.
