After to much googling, i finally made my haproxy ssl to works. But now i got problem because root and intermediate certificate is not installed so my ssl don`t have green bar.
My haproxy config
global
maxconn 4096
nbproc 1
#debug
daemon
log 127.0.0.1 local0
defaults
mode http
option httplog
log global
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend unsecured
bind 192.168.0.1:80
timeout client 86400000
reqadd X-Forwarded-Proto:\ http
default_backend www_backend
frontend secured
mode http
bind 192.168.0.1:443 ssl crt /etc/haproxy/cert.pem
reqadd X-Forwarded-Proto:\ https
default_backend www_backend
backend www_backend
mode http
balance roundrobin
#cookie SERVERID insert indirect nocache
#option forwardfor
server server1 192.168.0.2:80 weight 1 maxconn 1024 check
server server2 192.168.0.2:80 weight 1 maxconn 1024 check
192.168.0.1 is my load balancer ip. /etc/haproxy/cert.pem contain private key and domain certificate eg. www.domain.com
There is another question with ssl configuration, which include bundle.crt. When i contacted my ssl support, they told me i need to install root and intermediate certificate.
From Comodo Documentation, creating bundle is simple as merging their crt, which i made.
But when i try to reconfig my haproxy config as
bind 192.168.0.1:443 ssl crt /etc/haproxy/cert.pem ca-file /path/to/bundle.crt
Im getting error that i cant use that config parameter on bind.
p.s im using 1.5 dev12 version. With latest dev17 version i had problems even starting haproxy as on this post
It looks like you'll need to recompile like so:
make clean
make \
TARGET="linux26" \
USE_STATIC_PCRE=1 \
USE_OPENSSL=1
make install PREFIX="/opt/haproxy"
After that, bind
should recognise your crt option.
In my case, I used:
bind 0.0.0.0:443 ssl crt /envs/production/ssl/haproxy.pem
I concatenated all ssl files into 1 big file in the order certificate chain, private key. e.g.:
-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Restart, and test with openssl s_client -connect 127.0.0.1:443 -servername www.transloadit.com |head
.
It should return the correct certificate information.
Edit: I just found this tutorial via HackerNews: https://serversforhackers.com/c/using-ssl-certificates-with-haproxy. Thought it would be useful to add as it goes into more detail.