HOW TO SET UP SSL/HTTPS ON AN HAPROXY LOAD BALANCER

Mustapha Aliyu Galadima
5 min read, Jan 30, 2023


This tutorial / guide will help you understand how to set up SSL/HTTPS termination on an HAProxy load balancer to protect the traffic to your web servers. HAProxy is a widely used, open-source HTTP load balancer and proxying solution. It enhances the performance and reliability of web servers by distributing the workload across multiple servers, and by doing so provides high availability of services and applications.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client — typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook). It is more widely known than TLS, or Transport Layer Security, the successor technology of SSL.

Illustration of SSL

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text — leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines the parameters of the encryption, both for establishing the link and for the data being transmitted over it.

Hypertext Transfer Protocol Secure (https)

If you see https, the session between the web server and the browser on the device you are using is encrypted. You can easily identify web servers that have https configured by looking at the Uniform Resource Locator (URL) in the address bar of your browser.

Showing how HTTP and HTTPS interact

Hypertext Transfer Protocol Secure (https) is a combination of the Hypertext Transfer Protocol (HTTP) with the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol. TLS is an authentication and security protocol widely implemented in browsers and web servers. SSL works by using a public key to set up the encryption of the data transferred over the SSL connection. Most web browsers support SSL, which allows you to communicate securely with the web server.

SSL Termination

The incoming traffic that goes through the load balancer is in plain text and is, therefore, insecure and prone to eavesdropping by nefarious third parties. HAProxy can be configured to handle the TLS encryption for the traffic it receives before distributing it across the multiple backend servers. This is the preferred approach, as opposed to configuring encryption on each individual backend server, which can be a tedious process. This is where SSL termination comes in. HAProxy encrypts the traffic between itself and the client and then relays the messages in clear text to the backend servers in your internal network. It then encrypts the responses from the backend servers and relays them to the clients. The TLS/SSL certificates are stored only on the HAProxy load balancer rather than on the multiple backend servers, which also removes the TLS workload from those servers.

Certbot

Certbot is usually meant to be used to switch an existing HTTP site to work in HTTPS (and, afterward, to continue renewing the site’s HTTPS certificates whenever necessary). Some Certbot documentation assumes or recommends that you have a working web site that can already be accessed using HTTP on port 80.

Step 1) Install Certbot

  • To obtain an SSL/TLS certificate from the Let’s Encrypt certificate authority, you first need to install certbot. Certbot is free and open-source software that automates the deployment of Let’s Encrypt SSL certificates on websites.
  • To install certbot, log in to the HAProxy server and, first, update the local package index:
$ sudo apt update
$ sudo apt install -y certbot python3-certbot-nginx

Step 2) Obtaining SSL Certificate

  • Let’s Encrypt provides a number of ways to obtain SSL certificates using various plugins. Most of the plugins only assist in obtaining the certificate, which still requires manual configuration of the web server. These plugins are called ‘authenticators’ because they merely prove to Let’s Encrypt that the server should be issued a certificate.
  • The standalone authenticator used below runs its own temporary web server, so you need to ensure that no service is listening on port 80. To check which services are listening on port 80, run the following command, then stop HAProxy (which normally owns that port) before requesting the certificate:
$ netstat -na | grep ':80.*LISTEN'
$ sudo systemctl stop haproxy
$ sudo certbot certonly --standalone -d www.your-domain_name.tech --non-interactive --agree-tos --email example@gmail.com
If all goes well, the SSL certificate and key will be saved on the server. The files themselves are stored in the /etc/letsencrypt/archive directory, but certbot creates symbolic links to them under the /etc/letsencrypt/live/your_domain_name path.
  • Once the certificate has been obtained, you will have the following files in the /etc/letsencrypt/live/your_domain_name directory.
  • cert.pem — This is your domain’s certificate.
  • chain.pem — This is the Let’s Encrypt intermediate (chain) certificate.
  • fullchain.pem — Contains a combination of cert.pem and chain.pem.
  • privkey.pem — The private key for your certificate.

Step 3) Configure HAProxy to use SSL Certificate

  • For HAProxy to carry out SSL termination — so that it encrypts web traffic between itself and the clients or end users — you must combine the fullchain.pem and privkey.pem files into a single PEM file, since HAProxy expects the certificate chain and the private key together.
  • But before you do so, create a directory where the combined file will be placed, and restrict its permissions because it will contain the private key.
$ sudo mkdir -p /etc/haproxy/certs
$ DOMAIN='www.your-domain_name.tech' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
$ sudo chmod -R go-rwx /etc/haproxy/certs
$ sudo vim /etc/haproxy/haproxy.cfg
In the frontend section, add an entry that binds your server’s IP to port 443, followed by the path to the combined certificate and key file.
bind haproxy-ip:443 ssl crt /etc/haproxy/certs/domain.pem
To enforce redirection from HTTP to HTTPS, add the following entry.
redirect scheme https if !{ ssl_fc }
Save the changes and exit the configuration file. Be sure to confirm that the HAProxy configuration syntax is valid using the following command.
$ sudo haproxy -f /etc/haproxy/haproxy.cfg -c
To apply the changes made, restart HAProxy.
$ sudo systemctl restart haproxy
And ensure that it is running.
$ sudo systemctl status haproxy
Finally go to your browser and refresh your domain.
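As an added example (not the author’s configuration), here is a complete haproxy.cfg that puts the pieces from Step 3 together: the TLS bind using the bundle directory, the HTTP-to-HTTPS redirect, a minimum TLS version, and the X-Forwarded-Proto header that lets the plain-HTTP backends know the original request was HTTPS. The backend names and 10.0.0.x addresses are placeholders.

```haproxy
# Added example config for HAProxy TLS termination.
# web1/web2 and their 10.0.0.x addresses are placeholders, not from the post.
global
    # Refuse obsolete protocol versions on every TLS listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Port 80 only exists to send clients to HTTPS.
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    # Pointing crt at the directory loads every bundle placed there
    # (e.g. /etc/haproxy/certs/www.your-domain_name.tech.pem from Step 3).
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    # Backends only ever see plain HTTP; tell them the client used HTTPS
    # so application redirects and secure cookies are generated correctly.
    http-request set-header X-Forwarded-Proto https
    # HSTS: browsers that have seen this host will stop trying plain HTTP.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend web_servers

backend web_servers
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

Because HAProxy now owns port 80, certbot’s standalone renewals will need HAProxy stopped around the renewal just as in Step 2 (certbot’s --pre-hook and --post-hook options can run those systemctl commands for you), and the combined PEM in /etc/haproxy/certs must be rebuilt after each renewal, since HAProxy reads the bundle rather than the files under /etc/letsencrypt/live.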
