Haproxy: SSL encrypted backend with self-signed cert


The question is not really linked to HAProxy, but to managing certs and certificate authorities in general.

Not sure which OS you're using, because you didn't state this, but if it's some Linux flavor (although the following applies to Debian and derivatives):

  • Make sure you've the package ca-certificates installed.

  • You're creating your certs using your own certificate authority (ca).

  • Take the root cert of this CA and put it inside /usr/local/share/ca-certificates/name-of-your-ca/. (You might have to create the folder name-of-your-ca by yourself.) Ensure your CA root cert has a .crt extension.

    (By default, /usr/local/share/ca-certificates/ is owned by root:staff, so use sudo or root to do this.)

  • Execute update-ca-certificates (via sudo / as root).

  • After execution, there should be a file /etc/ssl/cert/your-ca-root.pem symlinked to /usr/local/share/ca-certificates/name-of-your-ca/your-ca-root.crt.

  • Enable verification in HAProxy and profit.
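The "own CA, then verify" approach from this answer carried through end to end, as an added example that is not part of the original answer: it builds a private CA, issues a backend cert with a SAN, checks the cert the way HAProxy will, and prints the backend stanza that replaces "verify none". Assumed names: CA "Internal-CA", backend host web1.internal, scratch directory $WORK; `verify required`, `ca-file` and `verifyhost` are HAProxy server options not shown on the page.

```shell
#!/bin/sh
# Added example, not from the thread: private CA -> backend cert -> chain and
# hostname check -> hardened HAProxy server line.
# Assumptions: CA named "Internal-CA", backend web1.internal, scratch dir $WORK.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Internal-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_backend_cert() {   # $1 = backend hostname; the SAN is what verifyhost matches
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" >"$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  cat "$WORK/$1.crt" "$WORK/$1.key" >"$WORK/$1.pem"   # cert+key bundle for the backend
}

# Returns 0 only if cert $1 chains to our CA AND carries the name $2 (default $1):
# the same two checks HAProxy does with "verify required" plus "verifyhost".
verify_backend_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "${2:-$1}" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Hardened stanza: a cert not signed by our CA key, or issued for another name,
# is rejected instead of silently accepted. ca-file may also point at the
# system bundle once the CA is installed with update-ca-certificates.
haproxy_backend() {   # $1 = backend hostname
  cat <<EOF
backend https-backend
    balance leastconn
    # before: server web1 1.1.1.1:443 check ssl verify none
    server web1 1.1.1.1:443 check ssl verify required ca-file $WORK/ca.crt verifyhost $1
EOF
}
```

Copy ca.crt (never ca.key) to the HAProxy host and web1.internal.pem to the backend; one `server` line per backend, each with its own `verifyhost`.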

Author: Joe J

Updated on September 18, 2022

Comments

  • Joe J over 1 year

    I'm working to configure HAProxy such that it will terminate the SSL so there's only one place to configure the purchased SSL cert. However, I'd prefer that the connection to the backend servers also be encrypted with SSL.

    One suggestion I found is to create self-signed certs on the backend servers and then on each server line, set "verify none". ... So the connection from the browser to HAProxy would be using the official purchased SSL cert, but the connection from HAProxy to the backend servers would be using self-signed certs. The benefit of self-signed certs is that they are free, they don't require updates and maintenance (I can set the expiration far in the future and avoid having to install new ones each year). However, understandably, this opens the backends up for MITM attacks and isn't recommended by some sources that I've read.

    Can I configure HAProxy so that I can use self-signed certs on the backend servers, but perhaps somehow whitelist the self-signed certificate on the HAProxy server? ... so the HAProxy to backend connection would be encrypted, it would not be vulnerable to MITM attacks, and HAProxy would know to trust the self-signed certificate from the backend servers.

    Is what I'm describing possible? I'm new to HAProxy SSL termination, so any advice is appreciated.

    The relevant parts of my configuration are as follows:

    frontend www-in
        bind *:80
        bind *:443 ssl crt /etc/ssl-keys/my-public-ssl-key.pem no-sslv3
    
        mode http
        default_backend https-backend
        # force redirect to https
        redirect scheme https if !{ ssl_fc }
    
    backend https-backend
        balance leastconn
        server web1 1.1.1.1:443 check ssl verify none
        server web2 2.2.2.2:443 check ssl verify none
    
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
    
  • Michael - sqlbot over 8 years

    I'll have to look this up, but in the back of my mind, I think you can lock down a back-end SSL connection to a single self-signed server cert by simply using the server's certificate on the proxy as the ca-file on the server config line. MITM would require the would-be attacker to have the matching private key (which would only be on the server, not the proxy), since no other cert would be accepted. I'll try to verify that.