Managing certificates for HAProxy

CSR and private key generation

To generate a private key and a CSR, you can either use our tool, Keybot, which lets you generate a PEM file directly, or another tool such as OpenSSL.

SSL/TLS installation and configuration

This configuration is only valid for HAProxy version 1.5 and later, as 1.5 is the first HAProxy release with native SSL/TLS support. Most of these features require HAProxy to have been built with OpenSSL support.

To install a certificate on HAProxy, you need a single PEM file containing your private key, your X.509 certificate and its certificate chain, in that order. To build it, you may need to concatenate your files:

# Separate certificate and chain files:
cat exemple.com.key exemple.com.crt exemple.com-chain.txt > haproxy.pem

# Certificate file that already contains the chain:
cat exemple.com.key exemple.com-with-chain.pem > haproxy.pem

Then place the file in your HAProxy configuration directory (generally /etc/haproxy/). Since the file holds the private key, make sure it is readable only by the user HAProxy runs as.

To configure your HAProxy instance optimally, with maximum security and compatibility, we recommend the following parameters:
global
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!aNULL:!eNULL
    tune.ssl.default-dh-param 2048 

frontend http-in
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    bind YOURIP:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    rspadd X-Frame-Options:\ DENY
    bind YOURIP:443 ssl crt /etc/haproxy/haproxy.pem ciphers !EDH:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!aNULL:!eNULL force-tlsv12 no-sslv3
The following sections cover various security recommendations.

Using a strong Diffie-Hellman group

To counter attacks on DHE key exchanges (Logjam, for instance), you need to set the maximum size of the Diffie-Hellman group HAProxy uses, with the parameter tune.ssl.default-dh-param. We recommend at least 2048 bits. The default value for this parameter is 1024, which is dangerously low. If your PEM certificate file contains DH parameters, this value is ignored and the parameters from the file are used instead. Add this line to your global section:

tune.ssl.default-dh-param 2048
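Before reloading HAProxy it is worth checking that the concatenated bundle has the layout described above (one private key first, then the server certificate and its chain) and whether it carries a DH PARAMETERS block, since in that case the tune.ssl.default-dh-param setting is ignored. The following script is an added example, not code from TBS or from the HAProxy project; it only inspects PEM block markers, so the sample bundles it embeds use constructed placeholder bodies rather than real keys or certificates.

```python
"""Sanity-check the layout of a HAProxy PEM bundle before deploying it.

Added example (not TBS's or HAProxy's own code). Checks the structure the
page describes: exactly one private key, placed before the server
certificate and its chain, and reports whether a DH PARAMETERS block is
present (HAProxy then ignores tune.ssl.default-dh-param).
"""
import os
import re
import stat

# Matches one PEM block and captures its label; the backreference ensures
# the END line carries the same label as the BEGIN line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Labels HAProxy accepts for the private key part of the bundle.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text):
    """Return the ordered list of PEM block labels found in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Describe the bundle layout and list any problems found."""
    labels = pem_labels(text)
    keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no certificate block found")
    if keys and certs and keys[0] > certs[0]:
        problems.append("private key should come before the certificates")
    return {
        "labels": labels,
        "cert_count": len(certs),
        "has_dh_params": "DH PARAMETERS" in labels,
        "problems": problems,
    }


def file_is_private(path):
    """True if the bundle grants no permissions to group or others (e.g. 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample bundles: the bodies are placeholders, not real material.
GOOD_BUNDLE = """-----BEGIN PRIVATE KEY-----
AAAA placeholder, not a real key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
BBBB placeholder, not a real server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CCCC placeholder, not a real intermediate certificate
-----END CERTIFICATE-----
"""

# Certificate placed before the key, and DH parameters appended.
WRONG_ORDER_BUNDLE = """-----BEGIN CERTIFICATE-----
BBBB placeholder, not a real server certificate
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
AAAA placeholder, not a real key
-----END PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
DDDD placeholder, not real DH parameters
-----END DH PARAMETERS-----
"""

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("wrong order", WRONG_ORDER_BUNDLE)):
        result = check_bundle(bundle)
        print(name, result["labels"], "DH params:", result["has_dh_params"])
        for problem in result["problems"]:
            print("  problem:", problem)
```

To check a real file, read it and pass its contents to check_bundle, and call file_is_private on its path; a bundle that reports no problems and is private to the HAProxy user is ready to reference from the bind line.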

Using HSTS to enforce data encryption

To best protect your users, you need to enforce HTTPS encryption; this is why the HTTP Strict Transport Security standard was created. To enable it, add the following lines to the corresponding configuration sections:
frontend http-in
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
