Hello everyone, in this tutorial I’ll discuss how to configure SSL termination with HAProxy. In the preceding tutorial, Configure Multiple Web server In Single IP, I discussed HAProxy configuration for an HTTP website. But what if we need to serve our website over HTTPS with an SSL certificate? OK, let’s do that.
This tutorial continues the configuration from Configure Multiple Web server In Single IP, so make sure you have configured it successfully.
For testing, I want server1 (webserver1) to run a website with an SSL certificate (HTTPS). The first step is to create/generate the SSL certificate on webserver1.
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout webssl.key -out webssl.crt
Configure default-ssl.conf
Change SSLCertificateFile and SSLCertificateKeyFile to point to the files that were created before
SSLCertificateFile /root/webssl.crt
SSLCertificateKeyFile /root/webssl.key
Enable the default-ssl.conf site and reload Apache
# a2ensite default-ssl.conf
# service apache2 reload
Enable mod_ssl
# a2enmod ssl
# service apache2 restart
Then send the SSL certificate that was created on webserver1 to the HAProxy server using scp (Secure Copy Protocol). Make sure SSH is installed on both webserver1 and the HAProxy server.
root@web1:~# scp webssl.* nameuserhaproxy@IPHaproxyServer:/homedirectory
Then enter the password of the HAProxy user
Look at the user's home directory on the HAProxy server
Then merge the webssl.crt and webssl.key files into one .pem file
Configure HAProxy so that website1.web.id automatically uses HTTPS when a client accesses the website.
# nano /etc/haproxy/haproxy.cfg
Add the following new lines to the frontend section
bind *:443 ssl crt /etc/ssl/certs/webserver1.pem
reqadd X-Forwarded-Proto:\ https
Then edit the WEB1 backend as follows
redirect scheme https if !{ ssl_fc }
server web1 10.0.0.2:80 check
Restart the HAProxy service and make sure the HAProxy configuration has no errors.
Add a new dstnat rule for port 443 on R-Server
Test access to the website from a client on the network outside the router
The configuration was successful
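For the step that merges webssl.crt and webssl.key into one .pem file, here is an added example (not part of the original tutorial): a shell function that checks the key really belongs to the certificate and writes the combined file readable by its owner only, since it contains the private key. The function names build_haproxy_pem and key_matches_cert are hypothetical; the file names follow the tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the combined PEM for HAProxy.
# build_haproxy_pem / key_matches_cert are hypothetical helper names.

# Succeed only if KEY is the private key for CERT, by comparing the public
# key embedded in the certificate with the one derived from the key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: build_haproxy_pem CERT KEY OUT
build_haproxy_pem() {
    cert=$1; key=$2; out=$3
    # Cheap sanity checks first: both inputs must be PEM of the expected kind.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "not a PEM certificate: $cert" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "not a PEM private key: $key" >&2; return 1; }
    key_matches_cert "$cert" "$key" || {
        echo "private key does not match certificate" >&2; return 1; }
    # Certificate first, then key. umask 077 makes the file owner-only from
    # the moment it is created, since it now contains the private key.
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    chmod 600 "$out"   # also tightens an existing, more permissive file
}

# Run directly: sh build_pem.sh webssl.crt webssl.key /etc/ssl/certs/webserver1.pem
if [ "$#" -eq 3 ]; then
    build_haproxy_pem "$1" "$2" "$3"
fi
```

Running haproxy -c -f /etc/haproxy/haproxy.cfg before the restart checks that the configuration, including the file named by crt, loads without errors.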