Haproxy: SSL encrypted backend with self-signed cert
The question is not really linked to HAProxy, but to managing certs and certificate authorities in general.
Not sure which OS you're using, because you didn't state this, but if it's some Linux flavor (though the following applies to Debian and derivatives):
- Make sure you have the package ca-certificates installed.
- You're creating your certs using your own certificate authority (ca).
- Take the root cert of this ca and put it inside /usr/local/share/ca-certificates/name-of-your-ca/. (You might have to create the folder name-of-your-ca by yourself.) Ensure your ca root cert has a .crt extension. (By default, /usr/local/share/ca-certificates/ is owned by root:staff, so use sudo or root to do this.)
- Execute update-ca-certificates (via sudo / as root).
- After execution, there should be a file /etc/ssl/cert/your-ca-root.pem symlinked to /usr/local/share/ca-certificates/name-of-your-ca/your-ca-root.crt.
- Enable verification in HAProxy and profit.
Comments
-
Joe J over 1 year
I'm working to configure HAProxy such that it will terminate the SSL so there's only one place to configure the purchased SSL cert. However, I'd prefer that the connection to the backend servers also be encrypted with SSL.
One suggestion I found is to create self-signed certs on the backend servers and then on each server line, set "verify none". ... So the connection from the browser to HAProxy would be using the official purchased SSL cert, but the connection from HAProxy to the backend servers would be using self-signed certs. The benefit of self-signed certs is that they are free, and they don't require updates and maintenance (I can set the expiration far in the future and avoid having to install new ones each year). However, understandably, this opens the backends up to MITM attacks and isn't recommended by some sources that I've read.
Can I configure HAProxy so that I can use self-signed certs on the backend servers, but perhaps somehow whitelist the self-signed certificate on the HAProxy server? ... so the HAProxy to backend connection would be encrypted, it would not be vulnerable to MITM attacks, and HAProxy would know to trust the self-signed certificate from the backend servers.
Is what I'm describing possible? I'm new to HAProxy SSL termination, so any advice is appreciated.
The relevant parts of my configuration are as follows:
frontend www-in
    bind *:80
    bind *:443 ssl crt /etc/ssl-keys/my-public-ssl-key.pem no-sslv3
    mode http
    default_backend https-backend
    # force redirect to https
    redirect scheme https if !{ ssl_fc }

backend https-backend
    balance leastconn
    server web1 1.1.1.1:443 check ssl verify none
    server web2 2.2.2.2:443 check ssl verify none
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
-
Michael - sqlbot over 8 years
I'll have to look this up, but in the back of my mind, I think you can lock down a back-end SSL connection to a single self-signed server cert by simply using the server's certificate on the proxy as the ca-file on the server config line. MITM would require the would-be attacker to have the matching private key (which would only be on the server, not the proxy), since no other cert would be accepted. I'll try to verify that.
-
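Putting the answer's procedure (private CA, backend cert, trust the CA, "verify required" in HAProxy) and the pinning idea from the last comment (the backend's own self-signed cert as the ca-file) side by side, here is an added example in POSIX shell. It is not code from the original answer or from either commenter. It builds a throwaway private CA and backend certs with the openssl CLI in a temp directory, then runs the same chain check that HAProxy's "ssl verify required ca-file" performs, so you can see the trusted backend accepted, a cert for the same hostname from an untrusted CA rejected (the MITM case), a cert for the wrong hostname rejected, and a self-signed backend cert accepted when it is itself the ca-file. Every name (internal-ca, rogue-ca, web1.internal, web2.internal, the 1.1.1.1 and 2.2.2.2 addresses) is a placeholder, and the system-wide install function is only defined, not run, because it needs root.

```shell
#!/bin/sh
# Added example (not from the original answer or comments). Requires the openssl CLI.
# All CA and host names below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private CA: key plus self-signed root. This root is the file that goes into
# /usr/local/share/ca-certificates/<name>/<name>.crt on Debian.
make_ca() {   # make_ca <dir> <ca-name>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Backend cert signed by the CA. The SAN matters: with "verifyhost" HAProxy
# also checks the name, so a cert for another host fails even if the CA matches.
issue_server_cert() {   # issue_server_cert <dir> <ca-name> <hostname>
    dir=$1; ca=$2; host=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Self-signed backend cert with no CA at all, for the pinning variant.
make_self_signed() {   # make_self_signed <dir> <hostname>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# What HAProxy does for "ssl verify required ca-file <bundle> [verifyhost <name>]":
# build a chain from the presented cert to something in the bundle, and optionally
# match the hostname. Exit status 0 = accepted, non-zero = handshake would fail.
trusted_by() {   # trusted_by <ca-file> <cert> [expected-hostname]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# The Debian trust-store step from the answer (needs root; defined only, not run).
install_ca_system_wide() {   # install_ca_system_wide <ca.crt> <ca-name>
    sudo install -d "/usr/local/share/ca-certificates/$2"
    sudo install -m 0644 "$1" "/usr/local/share/ca-certificates/$2/$2.crt"
    sudo update-ca-certificates
}

# The server line that replaces "verify none".
haproxy_server_line() {   # haproxy_server_line <name> <ip> <ca-file> <hostname>
    printf 'server %s %s:443 check ssl verify required ca-file %s verifyhost %s\n' \
        "$1" "$2" "$3" "$4"
}

report() {   # report <ca-file> <cert> [hostname]
    if trusted_by "$@"; then echo "ACCEPT  $2 (ca-file $1)"; else echo "REJECT  $2 (ca-file $1)"; fi
}

# Legitimate setup: our CA signs web1's cert.
make_ca "$WORK" internal-ca
issue_server_cert "$WORK" internal-ca web1.internal

# MITM case: an attacker issues a cert for the same hostname from a CA we never trusted.
mkdir "$WORK/rogue"
make_ca "$WORK/rogue" rogue-ca
issue_server_cert "$WORK/rogue" rogue-ca web1.internal

# Pinning case: web2 has only a self-signed cert, which we use directly as its ca-file.
make_self_signed "$WORK" web2.internal

report "$WORK/internal-ca.crt"   "$WORK/web1.internal.crt"       web1.internal   # ACCEPT
report "$WORK/internal-ca.crt"   "$WORK/rogue/web1.internal.crt" web1.internal   # REJECT: untrusted CA
report "$WORK/internal-ca.crt"   "$WORK/web1.internal.crt"       web2.internal   # REJECT: wrong host
report "$WORK/web2.internal.crt" "$WORK/web2.internal.crt"       web2.internal   # ACCEPT: pinned
report "$WORK/internal-ca.crt"   "$WORK/web2.internal.crt"                       # REJECT: not our CA

# Corresponding HAProxy server lines (paths are where you would install the files).
haproxy_server_line web1 1.1.1.1 /usr/local/share/ca-certificates/internal-ca/internal-ca.crt web1.internal
haproxy_server_line web2 2.2.2.2 /etc/haproxy/web2.internal.crt web2.internal
```

The pinned variant works because OpenSSL treats every certificate in the ca-file as a trust anchor, so a self-signed backend cert verifies against itself and nothing else does; the trade-off is that rotating that backend cert means editing the proxy's ca-file, whereas with a private CA you only reissue the backend cert.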