Encrypt traffic
You can implement mutual TLS/SSL authentication and encrypt traffic between HAProxy Enterprise nodes and the Stick Table Aggregator, or between intermediate and top-level aggregators.
As an example, we will encrypt traffic between the HAProxy Enterprise nodes and the Stick Table Aggregator in the single-level configuration we created in the Single-level setup section.
The table below shows which certificates should be hosted on the HAProxy Enterprise cluster nodes and the aggregator. Each PEM bundle must contain the certificate first and the private key second. Because `verify required` accepts any certificate that chains to the CA in ca.crt, sign the peer certificates with a CA dedicated to this cluster rather than a public or shared one.
Certificate | Description | Located on |
---|---|---|
ca.crt | Intermediate CA or Root CA certificate. | Stick Table Aggregator and all HAProxy Enterprise nodes |
aggr1.pem | Stick Table Aggregator's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order). | Stick Table Aggregator |
hapee1.pem | HAProxy Enterprise node's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order). | HAProxy Enterprise node hapee1 |
hapee2.pem | HAProxy Enterprise node's CA-signed PEM-formatted TLS/SSL bundle (contains both the certificate and the private key, in this order). | HAProxy Enterprise node hapee2 |
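The following script is an added example and is not part of the HAProxy Enterprise documentation. It builds a private root CA and the three CA-signed bundles from the table (aggr1.pem, hapee1.pem, hapee2.pem) in the required order, certificate first and private key second, and then checks each bundle the way a practitioner would before copying it to /etc/ssl/certs on the right host: the first PEM block is the certificate, the certificate validates against ca.crt, and the embedded key belongs to that certificate. Assumptions made here rather than stated on the page: openssl is installed, output goes to ./stktagg-pki, the peer addresses are the 192.168.56.x addresses used in the example configurations, validity is 365 days, and the leaf certificates carry both serverAuth and clientAuth because the peers protocol lets either side open the connection.

```sh
#!/bin/sh
# Added example (not from the HAProxy Enterprise docs): private CA plus the
# aggr1/hapee1/hapee2 PEM bundles, certificate first, key second, then checks.
# Assumptions: openssl installed; OUT, CN values, SAN addresses (taken from the
# page's example) and the 365-day validity are choices made here.
set -eu

OUT="${OUT:-./stktagg-pki}"

# Self-signed root CA. ca.crt is the ca-file every peer trusts; ca.key stays
# offline and is never copied to a node or to the aggregator.
make_ca() {
    mkdir -p "$OUT"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=stktagg-ca" \
        -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
}

# issue_bundle NAME IP: key and CSR for the peer, CA-signed leaf certificate with
# the peer address as SAN and both server and client EKU (peers connect in both
# directions), then NAME.pem = certificate followed by private key.
issue_bundle() {
    name="$1"; ip="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$ip" \
        > "$OUT/$name.ext"
    openssl x509 -req -sha256 -days 365 \
        -in "$OUT/$name.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
        -extfile "$OUT/$name.ext" -out "$OUT/$name.crt" 2>/dev/null
    cat "$OUT/$name.crt" "$OUT/$name.key" > "$OUT/$name.pem"
    chmod 600 "$OUT/$name.key" "$OUT/$name.pem"
    rm -f "$OUT/$name.csr" "$OUT/$name.ext"
}

# check_bundle NAME: succeed only if the first PEM block is the certificate, the
# certificate validates against ca.crt, and the embedded key matches it.
check_bundle() {
    pem="$OUT/$1.pem"
    head -n 1 "$pem" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    cert=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pem")
    key=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$pem")
    printf '%s\n' "$cert" | openssl verify -CAfile "$OUT/ca.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_ca
issue_bundle aggr1  192.168.56.111
issue_bundle hapee1 192.168.56.101
issue_bundle hapee2 192.168.56.102
for n in aggr1 hapee1 hapee2; do
    check_bundle "$n" || { printf '%s.pem FAILED\n' "$n" >&2; exit 1; }
    printf '%s.pem OK\n' "$n"
done
```

Copy ca.crt to every host, aggr1.pem only to the aggregator and hapeeN.pem only to its node; the .key files and ca.key should not leave the machine that ran the script. The order check matters because a bundle written key-first is silently the wrong file for `crt`, and the key-match check catches the common mistake of pairing a re-issued certificate with an old key.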
Configure the Stick Table Aggregator
The peers protocol allows either the HAProxy Enterprise nodes or the aggregator to initiate a connection. You must therefore provide the aggregator's certificate on every peer line in the aggregations section, including the local one.
Stick Table Aggregator configuration file:

```
global
    stats socket /tmp/stktagg.socket

aggregations myaggr
    peer hapee1 192.168.56.101:44444 ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
    peer hapee2 192.168.56.102:44444 ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
    peer aggr1 192.168.56.111:11111 local ssl verify required crt /etc/ssl/certs/aggr1.pem ca-file /etc/ssl/certs/ca.crt
    from .uncombined to .aggr
```
Add the following directives on every peer line:

Directive | Description |
---|---|
ssl | Enables TLS/SSL on the connection: on a listening peer line it makes the listener decrypt incoming traffic, on a connecting peer line it makes the outgoing connection use TLS. |
verify required | Requires the remote side to present a certificate and rejects the connection if the certificate is missing or does not validate against the CA in ca-file. |
crt <file> | File containing the PEM formatted certificate and the associated private key. Intermediary and root certificates may be included as well. When several certificates are provided, the client SNI determines the best one. If there is no SNI, the first certificate on the list is used. |
ca-file <file> | Intermediate CA or Root CA certificate used to validate certificates provided by HAProxy Enterprise nodes or Stick Table Aggregators. |
Configure HAProxy Enterprise nodes
The peers protocol allows either the HAProxy Enterprise nodes or the aggregator to initiate a connection. You must therefore provide certificates on the following lines of the peers section:

- the server lines, so that the node can initiate a TLS/SSL connection;
- the bind line, so that the node can accept a TLS/SSL connection.
HAProxy Enterprise node hapee1's configuration file:

```
global
    stats socket /var/run/hapee-1.9/hapee-lb.sock

defaults
    mode http

frontend fe_main
    bind *:80
    http-request track-sc0 src table mypeers/mytable.uncombined
    http-request deny deny_status 200

peers mypeers
    bind 192.168.56.101:44444 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
    server hapee1 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
    server aggr1 192.168.56.111:11111 ssl verify required crt /etc/ssl/certs/hapee1.pem ca-file /etc/ssl/certs/ca.crt
    table mytable.uncombined type ip size 100 expire 1h store http_req_rate(1h)
    table mytable.aggr type ip size 100 expire 1h store http_req_rate(1h)
```

HAProxy Enterprise node hapee2's configuration file:

```
global
    stats socket /var/run/hapee-1.9/hapee-lb.sock

defaults
    mode http

frontend fe_main
    bind *:80
    http-request track-sc0 src table mypeers/mytable.uncombined
    http-request deny deny_status 200

peers mypeers
    bind 192.168.56.102:44444 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
    server hapee2 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
    server aggr1 192.168.56.111:11111 ssl verify required crt /etc/ssl/certs/hapee2.pem ca-file /etc/ssl/certs/ca.crt
    table mytable.uncombined type ip size 100 expire 1h store http_req_rate(1h)
    table mytable.aggr type ip size 100 expire 1h store http_req_rate(1h)
```