HOWTO SSL native in HAProxy

IMPORTANT NOTE: this article has been outdated since HAProxy-1.5-dev12 has been released (10th of September). For more information about SSL inside HAProxy. please read:

Synopsis

Since yesterday night (FR time), HAProxy can support SSL offloading. It can even crypt traffic to a downstream server.

We’ll see later all the fun we could have with these nice features and the goodness it could bring in term of architecture. Today, I’ll just focus on how to install and configure HAProxy to offload SSL processing from your servers.

It’s important to notice that in order to be able to manage SSL connections, a huge rework of connection management has been done in HAProxy. Despite the long time spent on testing, there might still remain some bugs.

So we ask anybody who tests the procedure below to report bugs to HAProxy mailing list.

Note as well that the job was done by HAProxy Technologies engineers, who already improved stunnel and stud.

SSL offloading diagram

This is pretty simple, as shown on the picture below. The client will get connected on HAProxy using SSL, HAProxy will process SSL and get connected in clear to the server:



HAproxy installation

cd /usr/src wget http://haproxy.1wt.eu/download/1.5/src/snapshot/haproxy-ss-20120905.tar.gz tar xzf haproxy-ss-20120905.tar.gz cd haproxy-ss-20120905/ make TARGET=linux2628 USE_STATIC_PCRE=1 USE_OPENSSL=1 sudo make PREFIX=/opt/haproxy-ssl install

HAProxy configuration for SSL offloading

-----BEGIN CERTIFICATE----- MIIBrzCCARgCCQCfMsCGwq31yzANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExF3 d3cuZXhjZWxpYW5jZS5mcjAeFw0xMjA5MDQwODU3MzNaFw0xMzA5MDQwODU3MzNa MBwxGjAYBgNVBAMTEXd3dy5leGNlbGlhbmNlLmZyMIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQDFxSTUwX5RD4AL2Ya5t5PAaNjcwPa3Km40uaPKSHlU8AMydxC1 wB4L0k3Ms9uh98R+kIJS+TxdfDaYxk/GdDYI1CMm4TM+BLHGAVA2DeNf2hBhBRKb TAgxCxXwORJQSB/B+1r0/ZiQ2ig5Jzr8xGHz+tBsHYZ+t+RmjZPQFjnlewIDAQAB MA0GCSqGSIb3DQEBBQUAA4GBABqVuloGWHReSGLY1yAs20uhJ3j/9SvtoueyFBag z5jX4BNO/4yhpKEpCGmzYtjr7us3v/s0mKoIVvAgah778rCZW3kF1Y6xR6TYqZna 1ryKB50/MJg9PC4LNL+sAu+WSslOf6+6Ru5N3JjhIZST8edJsGDi6/5HTKoqyvkp wOMn -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDFxSTUwX5RD4AL2Ya5t5PAaNjcwPa3Km40uaPKSHlU8AMydxC1 wB4L0k3Ms9uh98R+kIJS+TxdfDaYxk/GdDYI1CMm4TM+BLHGAVA2DeNf2hBhBRKb TAgxCxXwORJQSB/B+1r0/ZiQ2ig5Jzr8xGHz+tBsHYZ+t+RmjZPQFjnlewIDAQAB AoGBALUeVhuuVLOB4X94qGSe1eZpXunUol2esy0AMhtIAi4iXJsz5Y69sgabg/qL YQJVOZO7Xk8EyB7JaerB+z9BIFWbZwS9HirqR/sKjjbhu/rAQDgjVWw2Y9sjPhEr CEAvqmQskT4mY+RW4qz2k8pe4HKq8NAFwbe8iNP7AySP3K4BAkEA4ZPBagtlJzrU 7Tw4BvQJhBmvNYEFviMScipHBlpwzfW+79xvZhTxtsSBHAM9KLbqO33VmJ3C/L/t xukW8SO6ewJBAOBxU0TfS0EzcRQJ4sn78G6hTjjLwJM2q4xuSwLQDVaWwtXDI6HE jb7HePaGBGnOrlXxEOFQZCVdDaLhX0zcEQECQQDHcvc+phioGRKPOAFp1HhdfsA2 FIBZX3U90DfAXFMFKFXMiyFMJxSZPyHQ/OQkjaaJN3eWW1c+Vw0MJKgOSkLlAkEA h8xpqoFEgkXCxHIa00VpuzZEIt89PJVWhJhzMFd7yolbh4UTeRx4+xasHNUHtJFG MF+0a+99OJIt3wBn7hQ1AQJACScT3p6zJ4llm59xTPeOYpSXyllR4GMilsGIRNzT RGYxcvqR775RkAgE+5DHmAkswX7TBaxcO6+C1+LJEwFRxw== -----END RSA PRIVATE KEY-----

First of all, you have to generate a key and a certificate usingand concatenate them in a file, thefirst, then theHere is mine, just copy/paste it in a file for your tests:

Now, HAProxy configuration, very basic, for test purpose, and just to let you know which lines are very important:

frontend ft_test mode http bind 0.0.0.0:8443 ssl crt ./haproxy.pem # basic conf require only 1 keyword # other (self described) options are: [ciphers <suite>] [nosslv3] [notlsv1] default_backend bk_test backend bk_test mode http server srv1 127.0.0.1:80

Running HAProxy

/opt/haproxy-ssl/sbin/haproxy -c -f ./ha.cfg [WARNING] 247/110924 (6497) : config : missing timeouts for frontend 'ft_test'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'. [WARNING] 247/110924 (6497) : config : missing timeouts for backend 'bk_test'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'. Configuration file is valid

First, just test the configuration is valid:

Don’t worry about warnings, I purposely wrote a very basic configuration.

Now, you can run HAProxy:

/opt/haproxy-ssl/sbin/haproxy -f ./ha.cfg

Testing SSL provided by HAProxy

curl --noproxy * -D - --insecure https://127.0.0.1:8443/index.html HTTP/1.1 200 OK Date: Tue, 04 Sep 2012 09:13:55 GMT Server: Apache/2.2.16 (Debian) Last-Modified: Tue, 04 Sep 2012 09:10:01 GMT ETag: "a35d1-e-4c8dc9f7d6c40" Accept-Ranges: bytes Content-Length: 14 Vary: Accept-Encoding Content-Type: text/html Welcome page.

Use, with “–insecure” option if your certificate is self-signed, like mine:

Check SSL parameters with openssl in client mode:

openssl s_client -connect 127.0.0.1:8443 CONNECTED(00000003) depth=0 /CN=www.exceliance.fr verify error:num=18:self signed certificate verify return:1 depth=0 /CN=www.exceliance.fr verify return:1 --- Certificate chain 0 s:/CN=www.exceliance.fr i:/CN=www.exceliance.fr --- Server certificate -----BEGIN CERTIFICATE----- MIIBrzCCARgCCQCfMsCGwq31yzANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExF3 d3cuZXhjZWxpYW5jZS5mcjAeFw0xMjA5MDQwODU3MzNaFw0xMzA5MDQwODU3MzNa MBwxGjAYBgNVBAMTEXd3dy5leGNlbGlhbmNlLmZyMIGfMA0GCSqGSIb3DQEBAQUA A4GNADCBiQKBgQDFxSTUwX5RD4AL2Ya5t5PAaNjcwPa3Km40uaPKSHlU8AMydxC1 wB4L0k3Ms9uh98R+kIJS+TxdfDaYxk/GdDYI1CMm4TM+BLHGAVA2DeNf2hBhBRKb TAgxCxXwORJQSB/B+1r0/ZiQ2ig5Jzr8xGHz+tBsHYZ+t+RmjZPQFjnlewIDAQAB MA0GCSqGSIb3DQEBBQUAA4GBABqVuloGWHReSGLY1yAs20uhJ3j/9SvtoueyFBag z5jX4BNO/4yhpKEpCGmzYtjr7us3v/s0mKoIVvAgah778rCZW3kF1Y6xR6TYqZna 1ryKB50/MJg9PC4LNL+sAu+WSslOf6+6Ru5N3JjhIZST8edJsGDi6/5HTKoqyvkp wOMn -----END CERTIFICATE----- subject=/CN=www.exceliance.fr issuer=/CN=www.exceliance.fr --- No client certificate CA names sent --- SSL handshake has read 604 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: CF9B7BFF64DE0B332CE9A76896EC1C59C941340D6913612286113FA1F7E09E88 Session-ID-ctx: Master-Key: C6893078E49626DAF329C61774BA5A35E0264818E0D76542F25BB958584B835154402E02F9B722DD94C56B14EBB14D46 Key-Arg : None Start Time: 1346750742 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- GET / HTTP/1.0 HTTP/1.1 200 OK Date: Tue, 04 Sep 2012 09:26:44 GMT Server: Apache/2.2.16 (Debian) Last-Modified: Tue, 04 Sep 2012 09:10:01 GMT ETag: "a35d1-e-4c8dc9f7d6c40" Accept-Ranges: bytes Content-Length: 14 Vary: Accept-Encoding Connection: close Content-Type: text/html Welcome page. closed

Related articles

Links