Managing certificates for HAProxy
CSR and private key generation
To generate a private key and a CSR, you can either use our tool Keybot, which generates a pem file directly, or another tool such as OpenSSL.

SSL/TLS installation and configuration
This configuration is only valid for HAProxy starting at version 1.5, as it is HAProxy's first version with native SSL/TLS support. Most of these features require HAProxy to have been built with OpenSSL support. To install a certificate on HAProxy, you need a pem file containing your private key, your X509 certificate and its certificate chain. To do so, it may be necessary to concatenate your files, e.g.:
    # In case of separate certificate and chain files:
    cat exemple.com.key exemple.com.crt exemple.com-chain.txt > haproxy.pem
    # In case of a certificate file also containing the chain:
    cat exemple.com.key exemple.com-with-chain.pem > haproxy.pem

Then, place the file in your HAProxy directory (generally /etc/haproxy/).
To configure your HAProxy instance optimally, with maximum security and compatibility, we recommend the following parameters:
global
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!aNULL:!eNULL
    tune.ssl.default-dh-param 2048

frontend http-in
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    bind YOURIP:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # rspadd and redirect only apply in HTTP mode
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    # the header name is X-Frame-Options (plural); browsers ignore X-Frame-Option
    rspadd X-Frame-Options:\ DENY
    bind YOURIP:443 ssl crt /etc/haproxy/haproxy.pem ciphers !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!aNULL:!eNULL force-tlsv12 no-sslv3

The following sections cover these security recommendations in more detail.
Using a strong Diffie-Hellman group
To counter attacks on DHE key exchanges (Logjam, for instance), you need to set the maximum DH group size using the parameter tune.ssl.default-dh-param. We recommend at least 2048 bits. The default value for this parameter is 1024, which is dangerously low. If your pem certificate file contains DH parameters, this value is ignored. Add this line to your global section:

    tune.ssl.default-dh-param 2048
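As an added example (it is not from the original page nor from Keybot or HAProxy), here is a small Python check for the concatenated pem file described in the installation section above: it lists the PEM blocks in the bundle, confirms there is exactly one private key and at least one certificate, and reports when the file carries its own DH PARAMETERS block, in which case tune.ssl.default-dh-param is ignored as noted in this section. The sample bundles are constructed with placeholder bodies, not real key material.

```python
import re

# Constructed samples: the base64 bodies are placeholders, not real key material.
GOOD_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwPLACEHOLDERKEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUPLACEHOLDERLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUPLACEHOLDERCHAIN
-----END CERTIFICATE-----
"""

# The same certificate and chain, but the key was never concatenated in and
# custom DH parameters were appended at the end.
KEYLESS_PEM_WITH_DH = GOOD_PEM.split("-----END PRIVATE KEY-----\n", 1)[1] + """\
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAPLACEHOLDERDH
-----END DH PARAMETERS-----
"""

# One PEM block: "-----BEGIN <label>-----", body, "-----END <same label>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text):
    """Return the label of every PEM block in the file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_haproxy_pem(text):
    """Check a bundle meant for 'bind ... ssl crt <file>'.

    Returns (errors, notes): errors mean HAProxy will not serve the site
    correctly from this file; notes are things worth a second look.
    """
    labels = pem_labels(text)
    errors, notes = [], []

    key_idx = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    cert_idx = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]

    if len(key_idx) != 1:
        errors.append(f"expected exactly one private key block, found {len(key_idx)}")
    if not cert_idx:
        errors.append("no CERTIFICATE block found")
    elif len(cert_idx) == 1:
        notes.append("only one certificate: no chain is bundled, which is fine only "
                     "if the issuer is already trusted by clients")
    if key_idx and cert_idx and key_idx[0] > cert_idx[0]:
        notes.append("private key comes after the certificate; the order used above "
                     "is key, certificate, chain")
    if "DH PARAMETERS" in labels:
        notes.append("file carries its own DH parameters: tune.ssl.default-dh-param "
                     "is ignored for this certificate")
    return errors, notes


if __name__ == "__main__":
    for name, bundle in (("good", GOOD_PEM), ("keyless+dh", KEYLESS_PEM_WITH_DH)):
        errors, notes = check_haproxy_pem(bundle)
        print(name, "errors:", errors, "notes:", notes)
```

To check a real file, read it with `open("/etc/haproxy/haproxy.pem").read()` and pass the text to `check_haproxy_pem`; the script only looks at block labels and order, so it is safe to run on production bundles without copying key material anywhere.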
Using HSTS to enforce data encryption
To best protect your users, you need HTTPS encryption in most cases; that is why the HTTP Strict Transport Security (HSTS) standard was created. To enable it, add the following lines to the corresponding configuration sections:

    frontend http-in
        redirect scheme https code 301 if !{ ssl_fc }

    frontend https-in
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
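To check that a deployed configuration actually carries the settings recommended above (the DH group size, the SSLv3 opt-out, the HTTP-to-HTTPS redirect and the HSTS header), here is an added Python audit script; it is not part of the original page nor of HAProxy itself. It splits the configuration into sections with a minimal reader and reports deviations from this page's recommendations. The two sample configurations are constructed for the example (the 192.0.2.10 and 10.0.0.5 addresses are placeholders); the hardened one mirrors the settings shown on this page, the weak one omits them.

```python
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample mirroring this page's recommendations (addresses are placeholders).
HARDENED_CONFIG = r"""
global
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    tune.ssl.default-dh-param 2048

frontend http-in
    mode http
    bind 192.0.2.10:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    mode http
    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem force-tlsv12 no-sslv3
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    default_backend app

backend app
    server app1 10.0.0.5:8080
"""

# Constructed sample with the hardening left out.
WEAK_CONFIG = r"""
global
    ssl-default-bind-options no-tls-tickets

frontend http-in
    mode http
    bind 192.0.2.10:80
    default_backend app

frontend https-in
    mode http
    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem
    default_backend app

backend app
    server app1 10.0.0.5:8080
"""


def parse_sections(text):
    """Split an HAProxy config into (section header, [directive lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.split()[0] in SECTION_KEYWORDS:
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def audit_tls_config(text, min_dh_bits=2048):
    """Return a list of findings against the recommendations on this page."""
    findings = []
    for header, lines in parse_sections(text):
        kind = header.split()[0]
        if kind == "global":
            dh = next((d for d in lines if d.startswith("tune.ssl.default-dh-param")), None)
            bits = int(dh.split()[1]) if dh else 1024  # HAProxy's default when unset
            if bits < min_dh_bits:
                findings.append(f"global: DH group is {bits} bits, want at least {min_dh_bits}")
            opts = next((d for d in lines if d.startswith("ssl-default-bind-options")), "")
            if "no-sslv3" not in opts.split():
                findings.append("global: ssl-default-bind-options does not include no-sslv3")
        elif kind in ("frontend", "listen"):
            binds = [d for d in lines if d.startswith("bind ")]
            tls_binds = [b for b in binds if " ssl " in b + " "]
            if tls_binds and not any("Strict-Transport-Security" in d for d in lines):
                findings.append(f"{header}: TLS listener without a Strict-Transport-Security header")
            if binds and not tls_binds and not any(d.startswith("redirect scheme https") for d in lines):
                findings.append(f"{header}: plain-HTTP listener does not redirect to https")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_config(HARDENED_CONFIG))
    print("weak:", audit_tls_config(WEAK_CONFIG))
```

The reader deliberately ignores `defaults` inheritance and per-bind `ssl-default-bind-options` overrides, so treat its output as a list of sections to look at by hand rather than a verdict; for a real instance, feed it the text of /etc/haproxy/haproxy.cfg.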
Last edited on 09/06/2017 08:23:07