Using haproxy for TLS layer

Author: Solène

Date: 07 March 2019

Tags: openbsd

NILThis article explains how to use haproxy to add a TLS layer to any TCP

protocol. This includes http or gopher. The following example explains

the minimal setup required in order to make it work, haproxy has a lot

of options and I won't use them.

The idea is to let haproxy manage the TLS part and let your http server

(or any daemon listening on TCP) replying within the wrapped connection.

You need a simple haproxy.cfg which can looks like that:

defaults

mode tcp

timeout client 50s

timeout server 50s

timeout connect 50s

frontend haproxy

bind *:7000 ssl crt /etc/ssl/certificat.pem

default_backend gopher

backend gopher

server gopher 127.0.0.1:7070 check

The idea is that it waits on port 7000 and will use the file

**/etc/ssl/certificat.pem** as a certificate, and forward requests to the

backend on 127.0.0.1:7070. **That is ALL**. If you want to do https, you need

to listen on port 443 and redirect to your port 80.

The PEM file is made from the privkey concatenated with the fullchain

certificate. If you use a self signed certificate, you can make it with the

following command:

cat secret.key certificate.crt > cert.pem

One can use a folder with PEM certificates files inside instead of using a

file. This will allow haproxy to receive connections for ALL the certificates

loaded.

For more security, I recommend using the chroot feature and a dh file but it's

out of the current topic.