Load balancing

SSL

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that encrypt messages between a client and server so that no one can eavesdrop on the communication. These protocols also ensure that the client can trust that they are connecting to the server they intended to, since the server must present a cryptographic certificate encoded with its domain name, and that certificate must have been signed by a trusted third-party certificate authority.

In this section, you will learn how to manage SSL/TLS certificates and keys in HAProxy ALOHA. HAProxy ALOHA can store SSL certficates that you can then use in your load balancer configuration to secure the traffic between clients and your services.

Create a public-facing certificate Jump to heading

To get a public-facing certificate, you must first create a certificate signing request, which you will send to a Certificate Authority. The Certificate Authority will then return to you a signed certificate.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field. Only letters, numbers and underscores are allowed.

  3. Set a private key for your certificate by either:

    • Generating a new key by setting the Generate a Private Key bits field and then clicking Generate.

    • Selecting Upload a Private Key and then either pasting your key into the box or uploading it, then clicking Upload.

      • Use at least 2048 bits for public-facing certificates.
      • Your private key will not be sent to the Certificate Authority with your certificate signing request. You should keep your key secret.
  4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

  5. Copy and send the certificate signing request to your Certificate Authority.

  6. When you receive the signed server certificate from the Certificate Authority, click Edit on the row of the incomplete certificate signing request.

  7. Paste your certificate and then click Upload. You can also paste below the certificate all intermediate certificates, if any.

  8. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Create a self-signed certificate Jump to heading

A self-signed certificate is not signed by a trusted Certificate Authority, which means that client browsers will not trust it by default. However, a self-signed certificate is convenient for internal, test environments or when internal users are fine with clicking past the browser’s warnings.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field.

  3. Set the size of the certificate’s private key by setting the Generate a Private Key bits field, then click Generate.

  4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

  5. The certificate signing request information displays. Click Sign to self-sign the certificate.

  6. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Upload an existing certificate Jump to heading

You can upload a certificate that you already have. Note that your key file and certificate file must be separate files.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field.

  3. Select Upload a Private Key and then either:

    • Paste your key into the box and then click Upload.
    • Browse to your key file and then click Upload.
  4. The Build Certificate Request dialog displays. Select Upload Certificate and then either:

    • Paste your existing certificate into the box and then click Upload.
    • Browse to your certificate file and then click Upload.
  5. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Update a certificate Jump to heading

You can update an existing certificate, such as to replace one that has expired.

  • If the former and newer certificates use the same private key:

    1. From the SSL tab, click Edit on the row you want to update.

    2. In the Certificate text area, replace the former certificate with the content of the new one. Or, upload a new certificate.

    3. From the Services tab, reload the haproxy service. If an error occurs, restart the service, which will revert to using the former certificates and configuration.

    4. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.

  • If the former and newer certificates use different private keys:

    1. From the SSL tab, click Edit on the row you want to update.

    2. Click Delete on the row you want to delete. This is the certificate and key that you will re-upload.

    3. Upload the updated certificate and new private key.

    4. From the Services tab, reload the haproxy service. If an error occurs, restart the service, which will revert to using the former certificates and configuration.

    5. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.

  1. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

List certificates Jump to heading

You can display existing Server Certificates and their statuses by selecting the SSL tab in the Web UI.

The following information about existing certificates displays:

Column Description
Name Label used to reference this certificate in HAProxy ALOHA’s configuration.
Domain Common Name (or CN) of the certificate.
Not Before Date from when the certificate is valid.
Not After Date until when the certificate is valid. When a certificate expires, this date appears in bold red.
Verify State of the validation of the certificate. See below.

The Verify column can show any of the following states:

State Description
Broken chain When a certificate chain is incomplete or the full chain cannot be validated (outdated intermediary, etc.)
CA only (no key) When a certificate can be used to validate client certificates only.
Incomplete When either the private key and the certificate or the certificate is missing.
Valid When everything is fine and safe.
Self-Signed When the certificate was generated and signed by HAProxy ALOHA itself.

Use an SSL certificate Jump to heading

You can refer to your certificate in the load balancer configuration by the Name shown on the SSL tab. For example, for a certificate named mycert, on the LB Layer7 tab you would use:

haproxy
frontend www
bind :443 ssl crt mycert
haproxy
frontend www
bind :443 ssl crt mycert

For more examples, see HAProxy configuration tutorials - SSL / TLS.

Do you have any suggestions on how we can improve the content of this page?