I'm trying to connect to 2 backend servers over https using port 443, and I want to find a way to send the key & cert files to the servers in the backend. My haproxy.cfg is:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen stats :8000
    #mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth admin:password

listen ssl-relay :80
    mode tcp
    balance roundrobin
    stick-table type ip size 200m expire 30m
    stick on src
    server server01 www.example.com:443 check inter 2000 fall 3
    server server02 www.example.com:443 check inter 2000 fall 3
How can we make the communication between the haproxy server and the back-end servers secure?
Best Answer
Will your clients be using https://myfakepage.com:80 as the URL? If not, then what you are doing is largely pointless. You are working on an unencrypted connection to the front-end and then an encrypted connection to the backend. The problem is that when the connection goes back to the client, it will be unencrypted, so you're not buying yourself anything. If your clients will be using https://myfakepage.com:80, then there's nothing to do because haproxy will already be acting as a pass-through for the https traffic.
Are you trying to do SSL termination on the load balancer? If so, you're doing it backwards.
Your bind section would look something like
but as dtorgo stated, SSL termination in this manner only works on 1.5 and above. Another option, if you find stunnel too slow, is stud.
Hope this clears things up for ya.
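As an added example (not from the question or the answer above), here is what a HAProxy 1.5+ configuration looks like when TLS is terminated at the load balancer and the hop to the backends is encrypted again, with the backend certificates verified against a CA bundle. The certificate paths, backend addresses, the backend hostname and the health-check URL are assumptions for illustration.

```haproxy
# Added example, not the poster's or HAProxy's own config.
# Assumed paths: /etc/haproxy/certs/site.pem is a PEM bundle (cert, chain, key)
# for the public site; backend-ca.pem is the CA that signed the backend certs.
global
    log 127.0.0.1 local0
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # Assumed hardening baseline; adjust to the clients you must support.
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 50s
    timeout server 50s

# Client leg: TLS is terminated here, so the key and cert live on the proxy,
# not on the backends. Plain HTTP on :80 is redirected, so no client traffic
# travels unencrypted.
frontend https-in
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    bind :80
    http-request redirect scheme https unless { ssl_fc }
    default_backend app-servers

# Server leg: a new TLS session to each backend. "verify required" rejects
# backends whose chain does not validate against ca-file, and "verifyhost"
# additionally checks the certificate name, so a host that merely presents
# some valid certificate cannot impersonate the backend.
backend app-servers
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    option httpchk GET /healthz
    server server01 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem verifyhost app.internal.example check inter 2000 fall 3
    server server02 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem verifyhost app.internal.example check inter 2000 fall 3
```

Validate with `haproxy -c -f /path/to/haproxy.cfg` before reloading; a missing PEM, an unreadable CA file or a pre-1.5 binary (which does not understand `ssl` on `bind`) will fail the check rather than silently falling back to plaintext.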