HAProxy and SSL

SSL support in HAProxy was launched in September 2012.
It provides the features below:
  * SSL offloading
  * Server side encryption
  * SNI (Server Name Indication TLS extension)
  * Client certificates (both on client side and server side)
  * SSL information provided in HTTP headers and available through customized log line

SSL offloading impact on web applications


Offloading SSL on HAProxy can have an impact on web applications.
The following article explains what those impacts are and how to fix the resulting issues with HAProxy: SSL offloading impact on web applications

How to force users to browse a web application over HTTPS


In order to force the website www.domain.tld to be browsed over an SSL/TLS connection, add the line below to your ALOHA / HAProxy configuration:

http-request redirect scheme https if { hdr(Host) -i www.domain.tld } !{ ssl_fc }

(Requires ALOHA 5.5 or HAProxy 1.5-dev13 at least)

How to tell the server that the client is browsing the website over an SSL/TLS secured connection


The configuration directive below must be inserted in the Frontend configuration. It tells HAProxy to add a header named X-SSL which carries information about the type of frontend connection (whether or not it was made over SSL/TLS):

http-request set-header X-SSL %[ssl_fc]

(Requires ALOHA 5.5 or HAProxy 1.5-dev17 at least)

The point on SNI


SNI is a TLS extension which lets the client announce the server name it is trying to reach. Its main use case on the server side is to present the right certificate to the client, so that a single IP address can host multiple certificates.
Unfortunately, not all clients support this extension.

The list below summarizes clients that don’t send SNI:
  * Internet Explorer (any version) on Windows XP
  * Safari and Chrome releases prior to v6.0 on Windows XP
  * Internet Explorer 6 and below
  * Java before 1.7
  * Android default browser on Android 2.x
  * Windows Mobile up to 6.5
(source: http://en.wikipedia.org/wiki/Server_Name_Indication#Client_side and HAProxy users' experience)
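The configuration below ties the features discussed on this page together (HTTPS redirect, X-SSL headers, SNI certificate selection with a default certificate for the non-SNI clients listed above, client certificates, server side encryption and a custom log line). It is an added example, not the article's or ALOHA's own configuration, and assumes HAProxy 1.5 or later, a CA bundle at /etc/haproxy/ca.pem, certificates under /etc/haproxy/certs/ and a backend server at 10.0.0.11, all hypothetical values.

```haproxy
global
    log 127.0.0.1 local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind :80
    # default.pem is loaded first, so it is the certificate served to clients
    # that send no SNI; the other files in certs/ are selected by SNI.
    # "verify optional" asks for a client certificate without requiring one;
    # a presented certificate that fails CA verification aborts the handshake.
    bind :443 ssl no-sslv3 crt /etc/haproxy/certs/default.pem crt /etc/haproxy/certs/ ca-file /etc/haproxy/ca.pem verify optional

    # Force www.domain.tld to HTTPS (the redirect rule from the article)
    http-request redirect scheme https if { hdr(Host) -i www.domain.tld } !{ ssl_fc }

    # Remove these headers before setting them: otherwise a request arriving
    # on port 80, or without a client certificate, keeps values the client
    # forged itself and the application would trust them
    http-request del-header X-SSL-SNI
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL           %[ssl_fc]
    http-request set-header X-SSL-SNI       %[ssl_fc_sni]     if { ssl_fc_sni -m found }
    http-request set-header X-SSL-Client-CN %[ssl_c_s_dn(cn)] if { ssl_c_used }

    # Custom log line exposing TLS version, cipher and SNI for each request
    log-format "%ci:%cp [%t] %ft %b/%s %ST %B %sslv/%sslc/%[ssl_fc_sni] %{+Q}r"

    default_backend app

backend app
    # Server side encryption: re-encrypt towards the server, verify its
    # certificate against the CA and present our own client certificate
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/ca.pem crt /etc/haproxy/client.pem check
```

Check the result with `haproxy -c -f haproxy.cfg` before reloading; the X-SSL header is 1 for requests received on port 443 and 0 for port 80.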

Protection against the SSL Beast attack


Everything is explained in this blog post:
http://blog.exceliance.fr/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
