HAProxy Enterprise Documentation 1.8r2

Encrypt traffic

You can implement mutual TLS/SSL authentication and encrypt traffic between HAProxy Enterprise nodes and the Stick Table Aggregator, or between intermediate and top-level aggregators.

As an example, we will encrypt traffic between the HAProxy Enterprise nodes and the Stick Table Aggregator in the single-level configuration we created in the Single-level setup section.

Note

This section builds upon the single-level setup section. Please read the Single-level setup section first.

The table below shows which certificates should be hosted on the HAProxy Enterprise cluster nodes and the aggregator:

Certificate	Description	Located on
ca.crt	Intermediate CA or Root CA certificate.	Stick Table Aggregator and all HAProxy Enterprise nodes
aggr1.pem	Stick Table Aggregator's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order).	Stick Table Aggregator
hapee1.pem	HAProxy Enterprise node's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order).	HAProxy Enterprise node hapee1
hapee2.pem	HAProxy Enterprise node's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order).	HAProxy Enterprise node hapee2

Warning

The certificates contain secret keys. Copy all certificates to the machines which need them over a secure channel.

Configure the Stick Table Aggregator

The peers protocol allows either the HAProxy Enterprise nodes or the aggregator to initiate a connection. You must therefore provide the aggregator's certificate on all peer lines in the peers section.

Stick Table Aggregator configuration file

global
  stats socket /tmp/stktagg.socket

aggregations myaggr
  peer hapee1 192.168.56.101:44444       ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
  peer hapee2 192.168.56.102:44444       ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
  peer aggr1  192.168.56.111:11111 local ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
  from .uncombined to .aggr

Add the following directive on every peer line:

Directive

Description

ssl

Enables a TLS/SSL endpoint on the listener to encrypt and decrypt traffic.

verify

Option	Client certificate is requested	TLS/SSL handshake is successful	Default value
`none`	No	Yes	Yes
`optional`	Yes	Yes, even if the client does not provide a valid certificate	No
`required`	Yes	Only if the client provides a valid certificate	No

crt

File containing the PEM formatted certificate and the associated private key. Intermediary and root certificates may be included as well. When several certificates are provided, the client SNI determines the best one. If there is no SNI, the first certificate on the list is used.

ca-file

Intermediate CA or Root CA certificate used to validate certificates provided by HAProxy Enterprise nodes or Stick Table Aggregators.

Configure HAProxy Enterprise nodes

The peers protocol allows either the HAProxy Enterprise nodes or the aggregator to initiate a connection. You must therefore provide certificates on the following peers section lines:

server lines so that the node can initiate a TLS/SSL connection;
the bind line so that the node can accept a TLS/SSL connection.

HAProxy Enterprise node hapee1's configuration file

global
  stats socket /var/run/hapee-1.8/hapee-lb.sock

defaults
  mode httpfrontend fe_main
  bind *:80
  http-request track-sc0 src table mypeers/mytable.uncombined
  http-request deny deny_status 200

peers mypeers
  bind         192.168.56.101:44444 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
  server hapee1                     ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
  server aggr1 192.168.56.111:11111 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
  table  mytable.uncombined         type ip size 100 expire 1h store http_req_rate(1h)
  table  mytable.aggr               type ip size 100 expire 1h store http_req_rate(1h)

HAProxy Enterprise node hapee2's configuration file

global
  stats socket /var/run/hapee-1.8/hapee-lb.sock

defaults
  mode httpfrontend fe_main
  bind *:80
  http-request track-sc0 src table mypeers/mytable.uncombined
  http-request deny deny_status 200

peers mypeers
  bind         192.168.56.102:44444 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
  server hapee2                     ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
  server aggr1 192.168.56.111:11111 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
  table  mytable.uncombined         type ip size 100 expire 1h store http_req_rate(1h)
  table  mytable.aggr               type ip size 100 expire 1h store http_req_rate(1h)

Next up

Manage the service