Title: Using haproxy for TLS layer
Author: Solène
Date: 07 March 2019
Tags: openbsd
Description:
This article explains how to use haproxy to add a TLS layer to any TCP protocol, http or gopher included. The example below is the minimal setup required to make it work; haproxy has a lot of options and I won't use them.

The idea is to let haproxy handle the TLS part and let your http server (or any daemon listening on TCP) reply inside the wrapped connection.

You need a simple haproxy.cfg, which can look like this:
    defaults
        mode tcp
        timeout client 50s
        timeout server 50s
        timeout connect 50s

    # the bind line must sit in a frontend (or listen) section; the section name is free to choose
    frontend gopher_tls
        bind *:7000 ssl crt /etc/ssl/certificat.pem
        default_backend gopher

    # the backend name must match the default_backend above
    backend gopher
        server gopher 127.0.0.1:7070 check
haproxy listens on port 7000, terminates TLS with the certificate in **/etc/ssl/certificat.pem**, and forwards the decrypted stream to the backend on 127.0.0.1:7070. **That is ALL**. If you want to do https, listen on port 443 and point the backend at your web server on port 80.
The PEM file is the private key concatenated with the fullchain certificate. If you use a self-signed certificate, you can build it with the following command:

    cat secret.key certificate.crt > cert.pem
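The concatenation above is easy to get wrong in practice (wrong key for the certificate, a chain file without the key, a world-readable file that now holds private key material). The script below is an added example, not part of the original article: it builds the combined PEM the way the command above does, checks it before it goes into /etc/ssl, and probes the TLS listener from the config section to confirm which certificate haproxy actually serves. File names, the host and the port are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): assemble the combined PEM
# file haproxy expects (private key first, then the full certificate chain),
# sanity-check it before installing it, and probe the TLS listener afterwards.
# All file names and the host/port below are placeholders.

# make_haproxy_pem KEY FULLCHAIN OUT
# Concatenates key and chain into OUT, created owner-readable only because it
# now holds private key material.
make_haproxy_pem() {
    key=$1; crt=$2; out=$3
    [ -r "$key" ] && [ -r "$crt" ] || return 1
    ( umask 077; cat "$key" "$crt" > "$out" )
}

# pem_looks_complete PEM
# Cheap structural check: the file must carry a private key block and at
# least one certificate block, otherwise haproxy refuses to bind with it.
pem_looks_complete() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# pem_key_matches_cert PEM
# Stronger check (needs openssl): the public key embedded in the first
# certificate must equal the public key derived from the private key.
# Returns 0 on match, 1 on mismatch, 2 when openssl is unavailable.
pem_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# probe_tls_listener HOST PORT
# Opens a TLS session to the haproxy frontend and prints the certificate it
# served: the quickest way to confirm the bind line and the PEM file are live.
probe_tls_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}
```

Typical use: `make_haproxy_pem secret.key fullchain.crt cert.pem && pem_looks_complete cert.pem && pem_key_matches_cert cert.pem` before copying the file to /etc/ssl, then `probe_tls_listener gopher.example 7000` once haproxy has been reloaded. The key/certificate comparison reads both public keys out of the same combined file, so it catches the classic mistake of pairing a renewed certificate with a stale key.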
Instead of a single file, you can point `crt` at a directory containing PEM certificate files. haproxy then loads every certificate in it and accepts connections for ALL of them.

For more security, I recommend using the chroot feature and a dh file, but that is out of the current topic.