HAProxy and SSL

SSL support in HAProxy was launched in September 2012.
It provides the features below:
  * SSL offloading
  * Server side encryption
  * SNI (Server Name Indication TLS extension)
  * Client certificates (both on client side and server side)
  * SSL information passed to the server in HTTP headers and available in customized log lines

SSL offloading impact on web applications

Offloading SSL on HAProxy can have an impact on web applications.
The article below explains what those impacts are and how to fix the related issues with HAProxy: SSL offloading impact on web applications

How to force users to browse a web application over HTTPS

In order to force the website http://www.domain.tld to be browsed over an SSL/TLS connection, add the line below to the frontend section of your ALOHA / HAProxy configuration. The condition !{ ssl_fc } only matches requests that did not arrive over an SSL/TLS connection terminated by HAProxy itself, which is what avoids a redirect loop; if SSL is terminated in front of HAProxy, ssl_fc is never true and this rule cannot be used as is.

http-request redirect scheme https if { hdr(Host) -i www.domain.tld } !{ ssl_fc }

(Requires ALOHA 5.5 or HAProxy 1.5-dev13 at least)

How to tell the server the client is browsing the website over an SSL/TLS secured connection?

The configuration directive below must be inserted in the frontend configuration. It tells HAProxy to add a header named X-SSL carrying the type of frontend connection: ssl_fc is true when HAProxy itself terminated the SSL/TLS connection, so the header is set to 1 for HTTPS requests and 0 for plain HTTP. Because set-header replaces any X-SSL header the client may have sent, the server can trust the value; add-header would leave a client-supplied copy in place.

http-request set-header X-SSL %[ssl_fc]

(Requires ALOHA 5.5 or HAProxy 1.5-dev17 at least)
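As an added example (not code from the original page), the two directives above placed in a complete frontend that terminates SSL on port 443 and serves plain HTTP on port 80. The certificate path, IP address and backend name are assumptions for illustration, and the X-Forwarded-Proto line is an addition for applications that expect that header rather than X-SSL.

```haproxy
# Added example, not from the original page. Paths, addresses and names
# are assumptions for illustration.
frontend ft_web
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/ssl/www.domain.tld.pem

    # Send plain-HTTP requests for this host to HTTPS. ssl_fc is true only
    # when this frontend terminated the TLS connection, so HTTPS requests
    # are not redirected again. The default redirect code is 302.
    http-request redirect scheme https if { hdr(Host) -i www.domain.tld } !{ ssl_fc }

    # Tell the server whether the client connection was encrypted.
    # set-header first removes any X-SSL header the client supplied, so the
    # backend cannot be tricked into believing a plain request was HTTPS.
    http-request set-header X-SSL %[ssl_fc]

    # Assumed addition: many frameworks look at X-Forwarded-Proto instead.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    default_backend bk_web

backend bk_web
    mode http
    server app1 192.168.10.11:80 check
```

With this configuration, a request to http://www.domain.tld/path is answered with a redirect to https://www.domain.tld/path, and every request reaching bk_web carries X-SSL: 1 or X-SSL: 0 set by HAProxy, never by the client.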

The point on SNI

SNI is a TLS extension through which the client announces the server name it is trying to reach. Its main use case on the server side is to present the right certificate to the client and to host multiple certificates on a single IP address.
Unfortunately, not all clients support this extension.

The list below summarizes clients that don’t send SNI:
  * Internet Explorer (any version) on Windows XP
  * Safari and Chrome releases prior v6.0 on Windows XP
  * Internet Explorer 6 and below
  * Java before 1.7
  * Android default browser on Android 2.x
  * Windows Mobile up to 6.5
(source: http://en.wikipedia.org/wiki/Server_Name_Indication#Client_side and HAProxy users experience)
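An added example (not from the original page) of SNI-based certificate selection on a single address, with the default certificate chosen deliberately for the non-SNI clients listed above. Hostnames, certificate paths, addresses and backend names are assumptions for illustration.

```haproxy
# Added example, not from the original page. Hostnames, paths, addresses
# and backend names are assumptions for illustration.
frontend ft_https
    mode http
    # The first certificate listed is the default: it is presented to
    # clients that send no SNI (IE on Windows XP, Java 6, Android 2.x, ...)
    # and to clients whose SNI matches no loaded certificate. Put the site
    # those clients must still reach first.
    bind :443 ssl crt /etc/haproxy/ssl/www.domain.tld.pem crt /etc/haproxy/ssl/other.domain.tld.pem

    # Route on the name the client announced in its ClientHello.
    use_backend bk_other if { ssl_fc_sni -i other.domain.tld }

    # Log the announced name and whether one was sent at all, so the share
    # of non-SNI clients can be measured before dropping the fallback.
    log-format "%ci:%cp [%t] %ft %b/%s %ST sni=%[ssl_fc_sni] has_sni=%[ssl_fc_has_sni] %r"

    # Clients without SNI never match the ACL above and land here.
    default_backend bk_www

backend bk_www
    mode http
    server www1 192.168.10.11:80 check

backend bk_other
    mode http
    server other1 192.168.10.21:80 check
```

Without SNI, HAProxy can only present one certificate, so the clients above always get the first one on the bind line and can only be served the site it covers. Adding strict-sni to the bind line makes HAProxy refuse any handshake whose SNI does not resolve to a loaded certificate instead of falling back to the default, which locks those clients out entirely; the has_sni field in the log line shows how many of them you still have before enabling it.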

Protection against the SSL BEAST attack

Everything is explained in this blog post:

1 Response to HAProxy and SSL

  1. sabamimi says:

    Thanks a lot.
    Those tips help greatly to improve the HAProxy conf on my Synology.
