4x Affordable, 99.95% SLA, 24x& Video Support, 100+ Countires

Implement Ssl Termination With Haproxy On Ubuntu 14 04


HAProxy, which stands for High convenience Proxy, is a well-kown ajar source program TCP/HTTP Load acrobat and proxying success which can be run on linux, Solaris, and FreeBSD. Its most communal use is to enhance the performance and reliability of a server environment by giving the workload across aggregate servers (e.g. web, application, database). It is used in many high-profile environments, including: GitHub, Imgur, Instagram, and sound.

In this tutorial, we will go over how to use HAProxy for SSL termination, for traffic encryption, and for load balancing your web servers. We will also show you how to use HAProxy to redirect HTTP traffic to HTTPS.

Native SSL aid was implemented in HAProxy 1.5.x, which was released as a stable model in June 2014.


To finish this tutorial, you must have or obtain the following:

  • At least one web server, with private networking, listening on HTTP (port 80)
  • set accesses to a more VPS on which we will install HAProxy. instructions to set up set accesses can be found here (levels 3 and 4): first Server Setup with Ubuntu 14.04.
  • a ssl certificate and private key set with a "common name" that matches your domain name or IP address

If you do not already have a ssl certificate and private key set, please obtain one before continuing. Here are a few sessions that include stages that cover creating SSL certificates:

Creating a Combined PEM SSL Certificate/Key File

To implement SSL termination with HAProxy, we must ensure that your SSL certificate and key set is in the proper format, PEM. In most cases, you can simply combine your SSL certificate (.crt or .emotion file given by a certificate dominance) and its individual private key (.key file, generated by you). Assuming your certificate file is labelled instance.com.crt, and your private key file is labelled instance.com.key, here is an instance of how to combine the records:

cat example.com.crt example.com.key > instance.com.pem
sudo cp example.com.pem /etc/ssl/private/

This creates the combined PEM file, labelled instance.com.pem and copies it to /etc/ssl/private. As always, be sure to obtain any copies of your private key file, including the PEM file (which contains the private key).

In some cases, you may need to copy your CA set certificate and CA intermediate certificates into your PEM file.

Our Starting Environment

Here is the environment that we are commencing with:

Web Server on HTTP

If your environment differs from the instance, like if you are already using SSL on the web server or you have an apart database server, you should be able to adapt this tutorial to work with your environment.

If you are unfamiliar with basic load-balancing ideas or word, like place 7 load balancing or backends or ACLs, here is an article that explains the fact Synonyms/Hypernyms: an introduction to HAProxy and Load Balancing ideas.

Our Goal

By the end of this tutorial, we want to have an environment that looks like this:

HAProxy SSL Termination

That is, your users will accesses your website by connecting to your HAProxy server via HTTPS, which will decrypt the SSL session and forward the unencrypted questions to your web servers (i.e. the servers in www-backend) via their private network interfaces on port 80. Your web servers will then send their responses to your HAProxy server, which will encrypt the responses and send them back to the user that made the genuine question.

You can set up your www-backend with as many web servers as you want, as long as they serve same communication. In other words, you can set this up with a solo server then scale it out later by increasing as many servers as you want. Remember, as your traffic increases, your HAProxy server may become a performance narrowing if it does not have enough system resources to handle your user traffic.

Note: This tutorial does not cover how to ensure that your web/application servers serve the same communication because that is often application or web server babelike.

Install HAProxy 1.6.x

Create a brand-new VPS with private networking. For this tutorial, we will call it haproxy-www, but you may call it whatever you want.

In our haproxy-www VPS, add the dedicated PPA to apt-get:

sudo add-apt-repository ppa:vbernat/haproxy-1.6

Then modify your inclined cache:

sudo apt-get update

Then install HAProxy 1.6 with apt-get with the following control:

sudo apt-get install haproxy

Now that HAProxy 1.6 is installed, let's configure it!

HAProxy Configuration

HAProxy's configuration file is located at /etc/haproxy/haproxy.cfg and is divided into two leading parts:

  • intercontinental: sets process-wide parameters
  • Proxies: consists of failures, listen, frontend, and backend portions

Again, if you are unfamiliar with HAProxy or basic load-balancing ideas and word, please refer to this link: an introduction to HAProxy and Load Balancing ideas.

HAProxy Configuration: intercontinental

All of the HAProxy configuration should be done on your HAProxy VPS, haproxy-www.

ajar haproxy.cfg in an editor:

sudo vi /etc/haproxy/haproxy.cfg

You will see that there are two portions already defined: international and failures.

The first action you will want to do is set maxconn to a reasonable number. This setting affects how many synchronous connections HAProxy will allow, which can affect QoS and prevent your web servers from crashing from striving to serve too many questions. You will need to play around with it to find what works for your environment. Add the following line (with an ideal you think is reasonable) to the international portion of the configuration

   maxconn 2048

Add this line, to configure the limit size of acting DHE keys that are generated:

   tune.ssl.default-dh-param 2048

Next, in the failures part, add the following lines under the line that says method http:

   option forwardfor
   option http-server-close

The forwardfor action sets HAProxy to add X-Forwarded-For headers to each ask, and the http-server-close action reduces latency between HAProxy and your users by closing connections but maintaining keep-alives.

HAProxy Configuration: Stats

Using HAProxy stats can be helpful in determining how HAProxy is handling incoming traffic. If you would like to enable the HAProxy stats page, add the following lines in the failures part (equivalent user and password with obtain belief Synonyms/Hypernyms):

   stats enable
   stats uri /stats
   stats realm Haproxy\ Statistics
   stats auth user:password

This will allow you to look at the HAProxy stats page by going to your domain on /stats (e.g. https://instance.com/stats).

Do not close the config file yet! We will add the proxy configuration next.

HAProxy Configuration: Proxies

Frontend Configuration

The first action we want to add is a frontend to handle incoming HTTP connections. At the end of the file, let's add a frontend labelled www-http. Be sure to replace haproxy_www_public_IP with the public IP of your haproxy-www VPS:

frontend www-http
   bind haproxy_www_public_IP:80
   reqadd X-Forwarded-Proto:\ http
   default_backend www-backend

Here is an explanation of what each line in the frontend config piece above means:

  • frontend www-http: specifies a frontend labelled "www-http"
  • bind haproxy_www_public_IP:80: replace haproxy_www_public_IP with haproxy-www's public IP address. This tells HAProxy that this frontend will handle the incoming network traffic on this IP address and port 80 (HTTP)
  • reqadd X-Forwarded-Proto:\ http: Adds http header to end of end of the HTTP ask
  • default_backend www-backend: this specifies that any traffic that this frontend receives will be forwarded to www-backend, which we will be in a following stride

Next, we will add a frontend to handle incoming HTTPS connections. At the end of the file, let's add a frontend labelled www-https. Be sure to replace haproxy_www_public_IP with the public IP of your haproxy-www VPS:

frontend www-https
   bind haproxy_www_public_IP:443 ssl crt /etc/ssl/private/instance.com.pem
   reqadd X-Forwarded-Proto:\ https
   default_backend www-backend
  • frontend www-https: specifies a frontend labelled "www-https"
  • bind haproxy_www_public_IP:443 ssl crt ...: replace haproxy_www_public_IP with haproxy-www's public IP address, and instance.com.pem with your SSL certificate and key set in combined pem format. This tells HAProxy that this frontend will handle the incoming network traffic on this IP address and port 443 (HTTPS).
  • reqadd X-Forwarded-Proto:\ https: Adds https header to end of end of the HTTPS ask
  • default_backend www-backend: this specifies that any traffic that this frontend receives will be forwarded to www-backend, which we will be in a following stride

Backend Configuration

After you are completed configuring the frontends, continue increasing your backend by increasing the following lines. Be sure to replace the highlighted words with the individual private IP addresses of your web servers:

backend www-backend
   redirect scheme https if !{ ssl_fc }
   server www-1 www_1_private_IP:80 check
   server www-2 www_2_private_IP:80 check

Here is an explanation of what each line in the backend config piece above means:

  • backend www-backend: specifies a backend labelled www-backend
  • redirect scheme https if !{ ssl_fc }: this line redirects HTTP asks to HTTPS, which makes your site HTTPS-only. If you want to allow both HTTP and HTTPS, remove this line
  • server www-1 ...: specifies a backend server labelled www-1, the private IP (which you must equivalent) and port that it is listening on, 80. The check action makes the load acrobat periodically perform a health check on this server
  • server www-2 ...: akin to the preceding line. Add more lines like this, with befitting names and IP addresses to add more servers to the load acrobat

Now save and exit haproxy.cfg. HAProxy is now prepared to be commenced , but let's enable logging first.

Enable HAProxy Logging

Enabling logging in HAProxy is very uncomplicated. First edit the rsyslog.conf file:

sudo vi /etc/rsyslog.conf

Then find the following two lines, and uncomment them to enable UDP syslog reception. It should look like the following when you are done:

$ModLoad imudp
$UDPServerRun 514

Now restart rsyslog to enable the brand-new configuration:

sudo service rsyslog restart

HAProxy logging is is now enabled! The log file will be created at /var/log/haproxy.log once HAProxy is began .

Start HAProxy

On haproxy-www, commence HAProxy to put your configuration actions into effect:

sudo service haproxy restart

HAProxy is now performing SSL termination and load balancing your web servers! Your load balanced server is now accessible to your user via the public IP address or domain name of your load acrobat, haproxy-www! There are a few things that you will want to check, to make sure everything is set up correctly.

Things to Check

  • If you haven't already, modify your nameservers to point your domain to your haproxy-www server's public IP address
  • If you want your servers to use only HTTPS, you will want to make sure that your web servers (e.g. www-1, www-2, etc.) are only listening on their private IP addresses on port 80. Otherwise, users will be able to accesses your web servers via HTTP (unencrypted) on their public IP addresses.
  • drop by haproxy-www via HTTPS and ensure that it works
  • drop by haproxy-www via HTTP and ensure that it redirects to HTTPS (unless you configured it to allow both HTTP and HTTPS)

Note: If you're using an application that needs to know its own url, like WordPress, you need to action your url setting from "http" to https". To follow the WordPress example, you would go to your WordPress General Settings, then action the WordPress Address (url) and the Site Address (url) from "http" to "https".


Now you have a load acrobat success that handles your SSL connections and can be used to horizontally scale out your server environment. Feel free to combine what you have learned in this govern with other HAProxy leads to upgrade your environment even further!

Reference: digitalocean