HAProxy Enterprise Documentation 1.8r2

Encrypt traffic

You can implement mutual TLS/SSL authentication and encrypt traffic between HAProxy Enterprise nodes and the Stick Table Aggregator, or between intermediate and top-level aggregators.

As an example, we will encrypt traffic between the HAProxy Enterprise nodes and the Stick Table Aggregator in the single-level configuration we created in the Single-level setup section.

The table below shows which certificates should be hosted on the HAProxy Enterprise cluster nodes and the aggregator:

Certificate

Description

Located on

ca.crt

Intermediate CA or Root CA certificate.

Stick Table Aggregator and all HAProxy Enterprise nodes

aggr1.pem

Stick Table Aggregator's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order).

Stick Table Aggregator

hapee1.pem

HAProxy Enterprise node's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order).

HAProxy Enterprise node hapee1

hapee2.pem

HAProxy Enterprise node's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order).

HAProxy Enterprise node hapee2

Configure the Stick Table Aggregator

The peers protocol allows either the HAProxy Enterprise nodes or the aggregator to initiate a connection. You must therefore provide the aggregator's certificate on all peer lines in the peers section.

Stick Table Aggregator configuration file
global
  stats socket /tmp/stktagg.socket

aggregations myaggr
  peer hapee1 192.168.56.101:44444       ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
  peer hapee2 192.168.56.102:44444       ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
  peer aggr1  192.168.56.111:11111 local ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
  from .uncombined to .aggr

Add the following directive on every peer line:

Directive

Description

ssl

Enables a TLS/SSL endpoint on the listener to encrypt and decrypt traffic.

verify

Option

Client certificate is requested

TLS/SSL handshake is successful

Default value

none

No

Yes

Yes

optional

Yes

Yes, even if the client does not provide a valid certificate

No

required

Yes

Only if the client provides a valid certificate

No

crt

File containing the PEM formatted certificate and the associated private key. Intermediary and root certificates may be included as well. When several certificates are provided, the client SNI determines the best one. If there is no SNI, the first certificate on the list is used.

ca-file

Intermediate CA or Root CA certificate used to validate certificates provided by HAProxy Enterprise nodes or Stick Table Aggregators.

Configure HAProxy Enterprise nodes

The peers protocol allows either the HAProxy Enterprise nodes or the aggregator to initiate a connection. You must therefore provide certificates on the following peers section lines:

  • server lines so that the node can initiate a TLS/SSL connection;

  • the bind line so that the node can accept a TLS/SSL connection.

HAProxy Enterprise node hapee1's configuration file
global
  stats socket /var/run/hapee-1.8/hapee-lb.sock

defaults
  mode httpfrontend fe_main
  bind *:80
  http-request track-sc0 src table mypeers/mytable.uncombined
  http-request deny deny_status 200

peers mypeers
  bind         192.168.56.101:44444 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
  server hapee1                     ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
  server aggr1 192.168.56.111:11111 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
  table  mytable.uncombined         type ip size 100 expire 1h store http_req_rate(1h)
  table  mytable.aggr               type ip size 100 expire 1h store http_req_rate(1h)
HAProxy Enterprise node hapee2's configuration file
global
  stats socket /var/run/hapee-1.8/hapee-lb.sock

defaults
  mode httpfrontend fe_main
  bind *:80
  http-request track-sc0 src table mypeers/mytable.uncombined
  http-request deny deny_status 200

peers mypeers
  bind         192.168.56.102:44444 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
  server hapee2                     ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
  server aggr1 192.168.56.111:11111 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
  table  mytable.uncombined         type ip size 100 expire 1h store http_req_rate(1h)
  table  mytable.aggr               type ip size 100 expire 1h store http_req_rate(1h)

Next up

Manage the service
HAProxyConf 2022 - Call for papers