SSL/TLS
Server-side encryption
You can encrypt traffic between the load balancer and backend servers. TLS is the successor to Secure Sockets Layer (SSL), which is now deprecated; HAProxy keeps the historical ssl keyword, but the connection it configures is TLS.
To configure TLS between the load balancer and your backend servers, add the ssl and verify arguments to your server lines in a backend:
```haproxy
backend webservers
    mode http
    balance roundrobin
    server web1 10.0.0.5:443 ssl verify required ca-file /myca.pem
    server web2 10.0.0.6:443 ssl verify required ca-file /myca.pem
```
In this example:
- The ssl argument enables TLS to the server.
- The verify argument indicates whether to verify that the server's TLS certificate was signed by a trusted Certificate Authority (CA).
- The ca-file argument sets the CA for validating the server's certificate.
Typically, you will use port 443, which signifies the HTTPS protocol, when connecting to servers over TLS.
About the verify argument
Setting verify to required configures the load balancer to check that the server's certificate chains to a Certificate Authority (CA) certificate, which you specify with the ca-file argument. You can also set ca-file to @system-ca, in which case it refers to the trusted CAs from your operating system. If you omit verify, the server line falls back to the global ssl-server-verify setting, whose default is required. Note that verify required with a ca-file only checks the issuing chain; to also require that the name in the certificate matches the server you intended, add the verifyhost argument with the expected hostname.
You can also set verify to none, which means the server's certificate is not checked at all. The connection is still encrypted, but nothing authenticates the server, so anyone able to redirect traffic to the backend address can impersonate it. For a server that uses a self-signed certificate, prefer verify required with ca-file pointing at that certificate's PEM file, which makes it the only trusted issuer; reserve verify none for lab setups.
You can also include a crl-file parameter to indicate a certificate revocation list.
You can send a Server Name Indication (SNI) value to your backend servers. Add the sni argument followed by a sample fetch expression that returns the name you wish to use. In http mode, the usual choice is the req.hdr fetch to pass along the client's Host header, as shown below. Because the client controls that header, use it when the backend hosts several virtual hosts and must pick a certificate by name; if the backend serves a single name, a fixed value such as str(backend.example.internal) is the safer choice.
```haproxy
backend webservers
    server web1 10.0.0.5:443 ssl verify required ca-file /myca.pem sni req.hdr(Host)
    server web2 10.0.0.6:443 ssl verify required ca-file /myca.pem sni req.hdr(Host)
```
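The following configuration is an added example, not part of the HAProxy documentation above, that places the verify options from the previous section and the sni choices from this one side by side. Backend names, addresses, hostnames and file paths are placeholders; verifyhost is an HAProxy server option not covered above, included because verify required with a ca-file alone checks only the issuing chain, not the name in the certificate.

```haproxy
# Added example (not from the page): one backend per verification posture.
# All hostnames, IPs and paths are placeholders.

# Weak: encrypted but unauthenticated. Any host that can intercept traffic
# to 10.0.0.5 can present its own certificate and read the requests.
backend web_unverified
    mode http
    server web1 10.0.0.5:443 ssl verify none

# Self-signed certificate, verified: the server's own PEM certificate is the
# ca-file, so it is the single trusted issuer, and the name is pinned too.
backend web_selfsigned
    mode http
    server web1 10.0.0.5:443 ssl verify required ca-file /etc/haproxy/certs/web1-selfsigned.pem verifyhost web1.internal.example

# Private CA with revocation checking (crl-file) and per-server name check.
backend web_privateca
    mode http
    balance roundrobin
    server web1 10.0.0.5:443 ssl verify required ca-file /etc/haproxy/certs/myca.pem crl-file /etc/haproxy/certs/myca.crl verifyhost web1.internal.example
    server web2 10.0.0.6:443 ssl verify required ca-file /etc/haproxy/certs/myca.pem crl-file /etc/haproxy/certs/myca.crl verifyhost web2.internal.example

# Publicly trusted CA: use the OS trust store and send a fixed SNI that the
# backend certificate must match, instead of echoing the client's Host header.
backend web_public
    mode http
    server api1 10.0.0.7:443 ssl verify required ca-file @system-ca sni str(api.backend.example) verifyhost api.backend.example

# Multi-tenant backend: forward the client's Host header as SNI so the backend
# selects the matching certificate; chain verification still applies.
backend web_vhosts
    mode http
    server web1 10.0.0.5:443 ssl verify required ca-file /etc/haproxy/certs/myca.pem sni req.hdr(host)
```

Run haproxy -c -f on the file to check the syntax before reloading; a verification failure at runtime shows up as the server being marked down with an SSL handshake failure in the health check status, which is the behaviour you want when a backend presents a certificate you did not issue.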
See also
- To enable TLS on a server line, see ssl.
- To set the default behavior for SSL verification on the server side, see ssl-server-verify.
- To specify a PEM file containing a CA certificate, see ca-file reference.
- To specify whether the server certificate should be verified, see verify reference.