Tutorial to Configure SSL in an HAProxy Load Balancer
Hi. In this tutorial you will learn how to serve HTTPS by obtaining a free certificate from Let's Encrypt with Certbot and installing it on your HAProxy load balancer.
I work with Ubuntu 16.04 LTS servers, where my-lb is the load balancer and web-a and web-b are the web servers, running the open source Nginx. Both the www subdomain and the bare (@) domain point to my-lb, and www is the only name I want to serve over HTTPS in my web stack.
Install certbot
On the Certbot instructions page, select your web server software and operating system to get the exact install commands. Mine were these (the certonly command that actually requests the certificate is run further down, once port 80 is free):
sudo apt-get update
sudo apt-get install snapd
sudo apt-get remove certbot
sudo snap install --classic certbot
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
The two export lines set a UTF-8 locale; without one, certbot can abort with a locale error on a minimal 16.04 install.
Check port 80 is free
Once this is done, run sudo netstat -plnt (or ss -plnt) and check whether a program is already listening on port 80. This matters because certbot in standalone mode proves control of the domain by answering Let's Encrypt's HTTP-01 challenge from its own temporary web server on port 80, and only one program can listen on a port at a time, so the port has to be free while the certificate is requested.
If something is listening there, stop it with sudo service httpd stop, where httpd is replaced by the name of the program netstat shows. On the load balancer that is most likely haproxy itself, serving plain HTTP; you will start it again once the certificate is installed.
Request a free SSL certificate
Now you're entering the encrypted side of the internet!
sudo certbot certonly --standalone
If everything goes well, certbot asks which domain you wish to certify (you can also pass it directly with -d www.example.com, using your own name). In my case only the www subdomain is certified, since that is where all HTTPS requests arrive and where the load balancer acts as the TLS termination proxy (SSL termination). Certbot writes the result under /etc/letsencrypt/live/<domain>/: fullchain.pem holds your certificate followed by the intermediate chain, and privkey.pem holds the private key.
We are almost done. HAProxy wants the certificate chain and the private key in a single PEM file, so the key has to be appended after the certificate. You may want to do:
sudo cat /etc/private/key/path.pem | sudo tee -a /etc/certificate/fullchain/path.pem
Cat the resulting file and make sure that after the last END CERTIFICATE line comes BEGIN PRIVATE KEY.
Two caveats if the target is certbot's own fullchain.pem: that file is world-readable, so your private key now is too, and certbot overwrites it at the next renewal, which silently drops the key and makes HAProxy refuse to load the certificate. It is safer to write the combination to a separate file readable only by root and to rebuild it after every renewal.
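The script below is an added example, not part of the tutorial: it builds the combined PEM (chain first, then key) in a separate root-only file, checks the order and permissions, and can be installed as a certbot --deploy-hook so the file is rebuilt after every renewal. The directory /etc/haproxy/certs and the hook path are assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not part of the tutorial: build the combined PEM HAProxy
# expects (certificate chain first, then the private key) in a file kept
# separate from certbot's own, readable by root only, and rebuild it on every
# renewal when installed as a certbot --deploy-hook.
# Assumptions: HAProxy reads certificates from /etc/haproxy/certs (any path
# works); RENEWED_LINEAGE is the variable certbot exports to deploy hooks.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"

# build_haproxy_pem FULLCHAIN PRIVKEY OUT
# Concatenates chain + key into OUT with mode 0600 and replaces it atomically.
build_haproxy_pem() {
    fullchain="$1"; privkey="$2"; out="$3"
    tmp="$out.tmp.$$"
    # subshell so the restrictive umask does not leak into the caller;
    # the file contains the private key, so nobody but root may read it
    ( umask 077; cat "$fullchain" "$privkey" > "$tmp" )
    mv "$tmp" "$out"   # HAProxy never sees a half-written certificate
}

# check_haproxy_pem FILE
# Succeeds only if the last END CERTIFICATE line comes before the first
# BEGIN ... PRIVATE KEY line and the file has no group/other permission bits.
check_haproxy_pem() {
    file="$1"
    last_cert=$(grep -n -- '-----END CERTIFICATE-----' "$file" | tail -n 1 | cut -d: -f1)
    key_start=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$last_cert" ] && [ -n "$key_start" ] || return 1
    [ "$key_start" -gt "$last_cert" ] || return 1
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")   # GNU stat, then BSD stat
    [ "${mode#?}" = "00" ] || return 1
}

# When certbot runs this as a deploy hook, RENEWED_LINEAGE is set to the live
# directory of the renewed certificate, e.g. /etc/letsencrypt/live/www.example.com
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    mkdir -p "$HAPROXY_CERT_DIR"
    name=$(basename "$RENEWED_LINEAGE")
    build_haproxy_pem "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        "$HAPROXY_CERT_DIR/$name.pem"
    check_haproxy_pem "$HAPROXY_CERT_DIR/$name.pem"
    service haproxy reload   # pick up the new certificate without dropping connections
fi
```

Save it as, for example, /usr/local/sbin/haproxy-cert-hook (assumed path), make it executable, and request the certificate with sudo certbot certonly --standalone -d www.example.com --deploy-hook /usr/local/sbin/haproxy-cert-hook --pre-hook "service haproxy stop" --post-hook "service haproxy start". The pre/post hooks are needed because standalone mode needs port 80, which HAProxy holds once it is running; certbot records all three hooks in the renewal configuration, so certbot renew reuses them.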
Configure the HAProxy Load Balancer to listen on port 443
The HAProxy config file is generally /etc/haproxy/haproxy.cfg. There you should already have backend, frontend or listen sections, where requests are forwarded to the web-a and web-b servers with a given load-balancing algorithm. In the frontend section, add bind *:443 ssl crt /path/to/the/combined/certificate.pem
This assigns the certificate to port 443, where HAProxy will answer the HTTPS requests made to your server. TLS ends here: the connections from my-lb to web-a and web-b stay plain HTTP, so they should only cross a network you trust.
Before celebrating, check the file with sudo haproxy -c -f /etc/haproxy/haproxy.cfg and don't forget to sudo service haproxy start!
Testing
From any terminal, use the curl command with an https URL for your certified domain/subdomain, for example curl -v https://www.example.com/, and you should get your expected HTML page back. curl verifies the certificate against the system's CA store, so a success without -k also confirms that the chain you serve is complete and trusted; the -v output shows the negotiated TLS version and the certificate's subject, issuer and expiry date.