Title: Using haproxy for TLS layer
Author: Solène
Date: 07 March 2019
Tags: openbsd
Description:
This article explains how to use haproxy to add a TLS layer to any TCP protocol, http or gopher included. The following example shows the minimal setup required to make it work; haproxy has a lot of options and I won't use them.

The idea is to let haproxy handle the TLS part and let your http server (or any daemon listening on TCP) reply inside the wrapped connection.
You need a simple haproxy.cfg, which can look like this:

```
defaults
    mode tcp
    timeout client 50s
    timeout server 50s
    timeout connect 50s

# the frontend terminates TLS; its name (tls_in) is arbitrary
frontend tls_in
    bind *:7000 ssl crt /etc/ssl/certificat.pem
    default_backend gopher

# the backend is the plain TCP service haproxy forwards to
backend gopher
    server gopher 127.0.0.1:7070 check
```
haproxy listens on port 7000, uses the file **/etc/ssl/certificat.pem** as its certificate, and forwards the decrypted connection to the backend on 127.0.0.1:7070. **That is ALL**. If you want to do https, you need to listen on port 443 and forward to your port 80.
The PEM file is the private key concatenated with the full chain certificate. If you use a self-signed certificate, you can make it with the following command:

```
cat secret.key certificate.crt > cert.pem
```
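The `cat` redirection above creates cert.pem with the shell's default umask, so the private key inside it is usually readable by every local user. As an added example, not part of the original post, the following POSIX shell script builds the bundle with restrictive permissions and then checks its layout and that the key really belongs to the certificate. The file names are placeholders, and `openssl` is only used for the key/certificate comparison (the check is skipped when it is not installed).

```shell
#!/bin/sh
# Added example, not from the original post: build the PEM bundle haproxy
# expects (private key followed by the full certificate chain) without
# leaving the key world-readable, then sanity-check the result.
# File names passed on the command line are placeholders.

# build_pem KEY CHAIN OUT
# Concatenate KEY and CHAIN into OUT. A plain "cat a b > out" creates the
# file with the shell's umask (usually 022, so mode 644); here the file is
# recreated under umask 077 and explicitly set to 0600 because it holds
# the private key.
build_pem() {
    key=$1 chain=$2 out=$3
    [ -r "$key" ] && [ -r "$chain" ] || { echo "build_pem: unreadable input" >&2; return 1; }
    rm -f "$out"                       # do not inherit an old file's mode
    ( umask 077 && cat "$key" "$chain" > "$out" ) || return 1
    chmod 600 "$out"
}

# pem_layout_ok FILE
# True when FILE carries exactly one private key block and at least one
# certificate block, i.e. the layout haproxy's "crt" option loads.
pem_layout_ok() {
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# key_matches_cert FILE
# Derive the public key from the private key and from the first certificate
# in FILE and compare them; haproxy rejects a bundle where they differ.
# Needs openssl; returns success with a notice when it is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Usage: sh mkpem.sh secret.key fullchain.crt /etc/ssl/certificat.pem
if [ "$#" -eq 3 ]; then
    if build_pem "$1" "$2" "$3" && pem_layout_ok "$3" && key_matches_cert "$3"; then
        echo "$3 is ready for haproxy (mode 0600)"
    else
        echo "bundle check failed for $3" >&2
        exit 1
    fi
fi
```

haproxy reads the bundle as root before dropping privileges, so mode 0600 owned by root is enough for it to work. After changing the certificate or the configuration, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file without starting the daemon.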
Instead of a single file, one can point `crt` at a directory containing PEM certificate files. This lets haproxy accept connections for all the certificates loaded.
For more security, I recommend using the chroot feature and a dh file, but that is outside the scope of this post.