Saturday, 12 September 2015

How to configure HAProxy Load Balancer for HTTPS connections by SSL forwarding and without using SSL termination?

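Here I'm showing how to configure HAProxy for HTTPS connections. However, this does not use SSL termination at the load balancer end. Instead, the load balancer listens for HTTPS connections on port 443 and forwards them to port 443 on the web01 and web02 servers. Because the traffic stays encrypted while it passes through the load balancer, HAProxy handles it in TCP mode and cannot read or modify the HTTP requests inside it.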

The prerequisite is that you install the SSL certificates on the web01 and web02 servers.
If you are using a cPanel server like me, you can generate the SSL certificate on the web01 server and install it there. Then copy and paste the private key, certificate and CA bundle onto the web02 server to install it there too.

172.10.0.3 - HAProxy server IP
172.10.0.4 - web01 server IP
172.10.0.5 - web02 server IP

The /etc/haproxy/haproxy.cfg is given below:

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 debug
        maxconn   45000 # Total Max Connections. This is dependent on ulimit
        daemon
        nbproc      2 # Number of processing cores. Dual Dual-core Opteron is 4 cores for example.
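defaults
        log global   # send proxy logs to the targets defined in the global section
        # Bare timeout values are in milliseconds: 86400000 ms = 24 hours,
        # so idle connections are held open for up to a day.
        timeout server 86400000
        timeout connect 86400000
        timeout client 86400000
        timeout queue   1000s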

# Configuration for HTTP site
frontend http-in
        bind 172.10.0.3:80
        mode http   # the url_beg/url_end ACLs and the http-mode backends need HTTP parsing
        acl is_admin url_beg /wp-admin
        use_backend admin_backend if is_admin

        acl is_admin2 url_end /wp-admin
        use_backend admin_backend if is_admin2

        default_backend webservers

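frontend https-in ###HTTPS passthrough: TLS is not terminated at the load balancer###
    bind 172.10.0.3:443
    mode tcp
    # No reqadd X-Forwarded-Proto here: in tcp mode HAProxy only relays the
    # encrypted stream and cannot add HTTP headers.
    default_backend httpswebservers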

backend webservers
        mode http
        balance roundrobin  # Load Balancing algorithm
        option forwardfor
        server web01 172.10.0.4:80 weight 1 maxconn 2000 check
        server web02 172.10.0.5:80 weight 1 maxconn 2000 check

backend httpswebservers ###HTTPS forwarding to web servers###
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 172.10.0.4:443 check
    server web02 172.10.0.5:443 check

backend admin_backend
        mode http
        balance roundrobin  # Load Balancing algorithm
        option forwardfor
        server web01 172.10.0.4:80 weight 1 maxconn 2000 check

# Configuration for HAProxy Stats
listen stats
    bind :1900   # listens on every address of the load balancer, over plain HTTP
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth haproxy:yourcomplexpassword
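
With SSL forwarding, HAProxy only relays encrypted bytes, so HTTP-level keywords placed in a tcp-mode section have no effect. The Python check below is an added example, not part of the original post: it flags such combinations in an haproxy.cfg. The keyword lists are a short assumed subset and the sample config is constructed.

```python
import re

# Keywords that only take effect when HAProxy parses HTTP ("mode http").
# Assumption: a short illustrative list, not HAProxy's full keyword set.
L7_KEYWORDS = {"reqadd", "rspadd", "http-request", "http-response", "redirect"}
L7_OPTIONS = {"forwardfor", "httplog", "httpclose"}
L7_FETCH = re.compile(r"(url|path|hdr|method)")  # ACL criteria read from the request
PROXIES = {"frontend", "backend", "listen"}
# Constructed sample config (documentation addresses), not from the original post.
SAMPLE_CFG = """\
frontend https-in            # TLS passthrough: HAProxy sees only ciphertext
    bind 192.0.2.10:443
    reqadd X-Forwarded-Proto:\\ https
    default_backend tls_nodes
backend tls_nodes
    mode tcp
    option forwardfor
    server web01 192.0.2.11:443 check
frontend http-in
    acl is_admin url_beg /wp-admin
    mode http
"""

def lint_haproxy(cfg_text):
    """Return [(section, line_no, keyword)] for HTTP keywords in tcp-mode proxies."""
    default_mode, sections, cur = "tcp", [], None  # HAProxy's built-in default is tcp
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        w = raw.split("#", 1)[0].split()  # naive: ignores quoted or escaped '#'
        if not w:
            continue
        if w[0] in PROXIES | {"defaults", "global"}:
            cur = {"name": " ".join(w[:2]), "kind": w[0], "mode": None,
                   "inherited": default_mode, "hits": []}
            default_mode = "tcp" if w[0] == "defaults" else default_mode  # reset
            sections.append(cur)
        elif cur is None:
            continue
        elif w[0] == "mode" and len(w) > 1:
            cur["mode"] = w[1]
            if cur["kind"] == "defaults":
                default_mode = w[1]
        elif w[0] in L7_KEYWORDS:
            cur["hits"].append((no, w[0]))
        elif w[0] == "option" and len(w) > 1 and w[1] in L7_OPTIONS:
            cur["hits"].append((no, "option " + w[1]))
        elif w[0] == "acl" and len(w) > 2 and L7_FETCH.match(w[2]):
            cur["hits"].append((no, "acl " + w[2]))
    # "mode" may come after the offending line, so judge each section at the end.
    return [(s["name"], no, kw) for s in sections if s["kind"] in PROXIES
            and (s["mode"] or s["inherited"]) == "tcp" for no, kw in s["hits"]]
```

Calling lint_haproxy(open("/etc/haproxy/haproxy.cfg").read()) returns one tuple per finding; an empty list means none of the listed keywords sits in a tcp-mode section.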
