How to implement SSL passthrough in HAProxy

WBOY
2024-03-20 09:30:20

Maintaining web server load balancing is one of the key measures to prevent downtime. Using a load balancer is a reliable approach, with HAProxy being a highly regarded choice. Using HAProxy, you can accurately configure the load balancing method and support SSL passthrough to ensure the security of communication between the client and the server.

This article first discusses the importance of implementing SSL passthrough in HAProxy, then walks through the steps required to implement it, with an example for better understanding.

What is SSL passthrough? Why is it important?

As a load balancer, HAProxy accepts the traffic flowing to your web servers and distributes it among the configured servers. This traffic is what client devices and backend servers exchange. In load balancing, security is crucial, and SSL is the key to ensuring it.

Ideally, SSL passthrough involves forwarding SSL/TLS traffic to your web servers and distributing it among the configured servers without terminating SSL/TLS at HAProxy or any other load balancer you are using. With SSL passthrough, you get better end-to-end encryption, and the client's original IP address is preserved. Additionally, this is a recommended security measure that gives the backend servers more flexibility and reduces the load on HAProxy.

A step-by-step guide on how to implement SSL passthrough in HAProxy

After understanding the concept of SSL passthrough and its necessity, the next step is to implement it on the HAProxy load balancer by following the prescribed steps. Follow the instructions to quickly enable SSL passthrough on your HAProxy load balancer.

Step 1: Install HAProxy

We assume you do not have HAProxy installed, so the first step is to install it before configuring it for SSL passthrough. Start by updating the repository.

$ sudo apt update

Next, install HAProxy from the default repository using the following command. Note that we use Ubuntu in this example:

$ sudo apt install haproxy

Once HAProxy is installed, you can configure SSL passthrough. Read on!

Step 2: Implement SSL passthrough in HAProxy

For this step, we must access the HAProxy configuration file located in "/etc/haproxy" and edit it to specify how we want to achieve SSL passthrough. You can open the configuration file using any text editor. We used Nano in this demo.

$ sudo nano /etc/haproxy/haproxy.cfg

Once you open the configuration file, there are two sections you must create: "frontend" and "backend". In the "frontend" section, you specify which port to bind for incoming connections. Likewise, you must specify which protocol mode to use and which backend servers receive the traffic.

In this case, since we want to protect the traffic, we will bind port 443 for HTTPS connections. Likewise, we specify TCP mode so that HAProxy operates at the transport layer.

We also add a "tcp-request" line as a rule that sets how long HAProxy waits while checking for the SSL "hello" message, to verify that we are accepting SSL traffic. Finally, we specify the backend servers for load distribution. Our final "frontend" part looks like this:

[Image: the "frontend" section of the configuration file]

For the "backend" part, we set the mode to TCP. We then specify the IP addresses of the servers used for load balancing. Make sure you replace these IPs to match your live servers' IPs and set the connection port to 443.

Add "option tcplog" to enable logging of TCP-related issues to the log file specified in the "global" section of the configuration file.
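
The frontend and backend sections described above, written out as an added example; it is not the original article's configuration, whose screenshots are not available here. The section names, server names and 192.0.2.x addresses are placeholders, and the final reject rule, the balance line and the check keyword are additions that the article does not describe.

```haproxy
# Added example: append to /etc/haproxy/haproxy.cfg below the existing
# "global" and "defaults" sections (assumed to define the log target
# and the connect/client/server timeouts, as Ubuntu's packaged file does).

frontend https_passthrough            # placeholder name
    bind *:443
    # Layer 4 only: HAProxy forwards the encrypted bytes and holds no
    # certificate or private key.
    mode tcp
    # TCP-level connection logging, sent to the log target from "global".
    option tcplog
    # Wait up to 5 seconds for the first bytes of the TLS handshake.
    tcp-request inspect-delay 5s
    # Accept the connection once a TLS ClientHello (hello type 1) is seen.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Addition, not described in the article: refuse anything that did
    # not present a ClientHello within the inspect delay.
    tcp-request content reject
    default_backend tls_servers

backend tls_servers                   # placeholder name
    mode tcp
    # Round robin is HAProxy's default algorithm; stated here explicitly.
    balance roundrobin
    # Placeholder addresses: replace with your live servers. TLS is
    # terminated on these hosts, so each needs its own certificate.
    # "check" (an addition) enables a plain TCP connect health check.
    server web1 192.0.2.11:443 check
    server web2 192.0.2.12:443 check
```

Before restarting the service, the file can be validated with: sudo haproxy -c -f /etc/haproxy/haproxy.cfg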

Step 3: Restart HAProxy and test the configuration

After editing the HAProxy configuration file, save it and exit. Restart the HAProxy service to apply the changes.

That's all! We implemented SSL passthrough in HAProxy. Try sending some traffic to your web server using a command like curl and see how it responds. If SSL passthrough is implemented successfully, you will get output showing that the connection was established through port 443 and that you are connected to the backend server. Your server will respond with the required details and give a 200 status response.

Conclusion

Implementing SSL passthrough helps create end-to-end encryption and ensures that SSL/TLS connections are maintained when load balancing occurs. To implement SSL passthrough in HAProxy, install HAProxy and edit the configuration file to specify how load balancing occurs. Please refer to this example to better understand the process.

Statement:
This article is reproduced from mryunwei.com. If there is any infringement, please contact admin@php.cn to have it deleted.