Enterprise modules
SSL-CRL
Available since
- HAProxy Enterprise 2.9r1
The SSL-CRL filter periodically checks SSL client certificates and closes any connections that rely on revoked or expired client certificates.
By default, the load balancer does not close an SSL connection between a client and backend server when an SSL certificate expires or is revoked. Consequently, the revocation of a client certificate does not prevent a client from accessing a server until the client closes their connection themselves.
A client can continue to use saved SSL session data as long as the server does not check the validity of the client certificate and the SSL session does not time out. Once the timeout period expires, new connections cannot be established, but existing connections are not closed. The timeout period is 7200 seconds or the HAProxy tune.ssl.lifetime configuration parameter.
To enable timely termination of connections when client certificates expire or are revoked, use the SSL-CRL module. The module implements a filter that periodically checks client certificates to see if they are valid. If a client SSL certificate expires or is revoked, the module closes the connection with the client.
For more information on certificates, see the Client certificate authentication tutorial.
Install the SSL-CRL module Jump to heading
-
Install the module using your package manager:
nixsudo apt-get install hapee-2.9r1-lb-sslcrlnixsudo apt-get install hapee-2.9r1-lb-sslcrlnixsudo yum install hapee-2.9r1-lb-sslcrlnixsudo yum install hapee-2.9r1-lb-sslcrlnixsudo zypper install hapee-2.9r1-lb-sslcrlnixsudo zypper install hapee-2.9r1-lb-sslcrlnixsudo pkg install hapee-2.9r1-lb-sslcrlnixsudo pkg install hapee-2.9r1-lb-sslcrl -
In the
globalsection of your configuration file, load the module:haproxyglobalmodule-path /opt/hapee-2.9/modulesmodule-load hapee-lb-sslcrl.sohaproxyglobalmodule-path /opt/hapee-2.9/modulesmodule-load hapee-lb-sslcrl.so -
In the frontend, listen, or backend sections where you want to enable the filter, add the
filter sslcrldirective.- The listen, frontend, or backend section must be run in TCP mode by using
mode tcp. - Add a
binddirective that listens over HTTPS (port443). - Verify client certificates by including
verify requiredand theca-fileargument in thebinddirective. - Reference a certificate revocation list file by using the
crl-fileargument. The SSL-CRL module will watch the in-memory representation of this CRL file.
Example: Define a filter with all options set to the default values:
haproxyfrontend fe_productionmode tcpbind :443 ssl crt /certs/site.pem verify required ca-file /certs/ca.crt crl-file /certs/revoked.crlfilter sslcrl id sslcrl-prod-1haproxyfrontend fe_productionmode tcpbind :443 ssl crt /certs/site.pem verify required ca-file /certs/ca.crt crl-file /certs/revoked.crlfilter sslcrl id sslcrl-prod-1Optionally, you can specify SSL-CRL configuration options in a named
sslcrlsection. Then refer to this section by name in anyfilter sslcrldirective where you wish to apply the configuration.Example: Define a filter named
sslcrl-prod-1with options set in a filter configuration section namedsslcrl-prod-1-config:haproxysslcrl sslcrl-prod-1-configlog globallog-format "%ci:%cp [%t] %ft %bi:%bp"option hard-errorscheck-interval 10sfrontend fe_productionmode tcpbind :443 ssl crt /certs/site.pem verify required ca-file /certs/ca.crt crl-file /certs/revoked.crlfilter sslcrl id sslcrl-prod-1 config sslcrl-prod-1-confighaproxysslcrl sslcrl-prod-1-configlog globallog-format "%ci:%cp [%t] %ft %bi:%bp"option hard-errorscheck-interval 10sfrontend fe_productionmode tcpbind :443 ssl crt /certs/site.pem verify required ca-file /certs/ca.crt crl-file /certs/revoked.crlfilter sslcrl id sslcrl-prod-1 config sslcrl-prod-1-config - The listen, frontend, or backend section must be run in TCP mode by using
Example Configuration Jump to heading
hapee-lb.cfghaproxy
hapee-lb.cfghaproxy
Certificate operations Jump to heading
The procedures in this section are based on a simple scenario where an organization has one self-signed Certificate Authority (CA) certificate that is used both to create client certificates and to authenticate clients.
Info
The certificates addressed in this section are the ones your server uses to authenticate and trust clients. These are not related to the site certificate that the server provides to clients so the clients can trust your server. The site certificate, typically issued by an external third-party vendor, is specified by the ssl crt parameter of the bind directive.
Create a self-signed Certificate Authority Jump to heading
A self-signed Certificate Authority (CA) is the certificate that your organization uses both to create client certificates and to authenticate clients. Your organization acts as the Certificate Authority, authenticating certificates when they are presented by clients.
You create your organization’s self-signed CA certificate yourself. You do not have to procure one from an external CA. In your load balancer configuration you specify the self-signed CA certificate file name using the ca-file parameter in the bind directive.
Creating a Certificate Authority involves generating a CA key pair, creating a self-signed CA certificate, and configuring the CA to sign other certificates. You can accomplish it all with a single openssl command.
-
Generate a CA key pair and self-signed certificate:
nixopenssl req \-newkey rsa:2048 \-nodes \-x509 \-days 3650 \-keyout self-CA-key.pem \-out self-CA.crtnixopenssl req \-newkey rsa:2048 \-nodes \-x509 \-days 3650 \-keyout self-CA-key.pem \-out self-CA.crtLearn more about this command
The options of this command break down as follows:
openssl reqcreates and processes certificate signing requests (CSRs) and certificates.-newkey rsa:2048specifies the generation of a new RSA key pair with a key size of 2048 bits.-nodesindicates that the private key should not be encrypted with a passphrase and will be saved in an unencrypted format.-x509tells OpenSSL to generate a self-signed certificate instead of a CSR.-days 3650specifies the validity period of the certificate as 3650 days (approximately 10 years).-keyoutdesignates the file name ofself-CA-key.pemfor the private key.-out self-CA.crtsets the certificate.
The command also prompts you to enter information for the certificate, such as the Common Name (CN), organization details, and so on. Fill in the required fields accordingly.
-
To display the details of the CA certificate and verify its information, use the
openssl x509command:nixopenssl x509 -in self-CA.crt -text -nooutnixopenssl x509 -in self-CA.crt -text -nooutAfter following these steps, you should have the self-signed certificate
self-CA.crt. Remember to adjust the file names and paths according to your specific setup. Keep the CA keyself-CA-key.pemsecret.
Verify client certificates Jump to heading
-
In your load balancer configuration, enable verification of client certificates by setting
verifytorequiredon abindline. Theca-fileparameter specifies the CA file to use to verify:haproxyfrontend wwwmode tcpbind :443 ssl crt /certs/site.pem verify required ca-file /certs/self-CA.crthaproxyfrontend wwwmode tcpbind :443 ssl crt /certs/site.pem verify required ca-file /certs/self-CA.crt -
Reload the load balancer.
nixsudo systemctl reload hapee-2.9-lbnixsudo systemctl reload hapee-2.9-lbWith this change, only clients with properly signed client certificates can access the server.
Info
Reloading the load balancer does not affect open connections. It only affects new connections.
Create a client certificate Jump to heading
A client must have a signed certificate to access your server. The client certificate is known to be authentic and reliable because you have signed it using your organization’s self-signed CA certificate.
Creating a client certificate involves creating a certificate request, which can be completed by the client or by you, the administrator. Then the administrator signs the request and sends the resulting certificate to the client.
-
The client or you, the administrator, create a certificate request (CSR). Create a request for Alice:
nixopenssl req \-newkey rsa:2048 \-nodes \-days 3650 \-subj "/CN=exampleUser/O=exampleOrganization" \-keyout alice-key.pem \-out alice-cert.csrnixopenssl req \-newkey rsa:2048 \-nodes \-days 3650 \-subj "/CN=exampleUser/O=exampleOrganization" \-keyout alice-key.pem \-out alice-cert.csrIn addition to the certificate request, this command creates the client key,
alice-key.pemin this example. The client needs to keep this key in a secret place. -
You, the administrator, create an
opensslconfiguration (CNF) file with these contents:client-cert-extensions.cnftextbasicConstraints = CA:FALSEkeyUsage = digitalSignatureextendedKeyUsage = clientAuthsubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuerclient-cert-extensions.cnftextbasicConstraints = CA:FALSEkeyUsage = digitalSignatureextendedKeyUsage = clientAuthsubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuer -
Using your organization’s self-signed CA and client request (CSR), sign the certificate:
nixopenssl x509 \-req \-in alice-cert.csr \-out alice-cert.crt \-CA self-CA.crt \-CAkey self-CA-key.pem \-CAcreateserial \-days 7770 \-extfile client-cert-extensions.cnfnixopenssl x509 \-req \-in alice-cert.csr \-out alice-cert.crt \-CA self-CA.crt \-CAkey self-CA-key.pem \-CAcreateserial \-days 7770 \-extfile client-cert-extensions.cnfSend the certificate,
alice-cert.crtin this example, to user Alice. Alice can now use the certificate.If you also generated the CSR, also send the user’s key,
alice-key.pemto the user. Again, user Alice needs to keep this key in a secret place.
Certificate Revocation Lists Jump to heading
A Certificate Revocation List (CRL) contains a list of the certificates that have been revoked.
Create a CRL Jump to heading
To create a CRL:
-
Create the directory structure and necessary files. You can choose different directory paths, however ensure all created files are in the proper locations:
nixmkdir -p ./databaseCA/certs ./databaseCA/private ./databaseCA/crltouch ./databaseCA/index.txt ./databaseCA/serial ./databaseCA/crlnumberecho 01 > ./databaseCA/serialecho 1000 > ./databaseCA/crlnumbernixmkdir -p ./databaseCA/certs ./databaseCA/private ./databaseCA/crltouch ./databaseCA/index.txt ./databaseCA/serial ./databaseCA/crlnumberecho 01 > ./databaseCA/serialecho 1000 > ./databaseCA/crlnumber -
Copy your CA certificate and private key into the
databaseCAdirectory.nixcp self-CA.crt ./databaseCAcp self-CA-key.pem ./databaseCA/privatenixcp self-CA.crt ./databaseCAcp self-CA-key.pem ./databaseCA/private -
You’ll need a configuration file for OpenSSL. An example file named
openssl.cnfcan usually be found in the directories/usr/lib/ssl/or/etc/ssl/. Copy this to the current directory. Below is an example snippet from the file, modified for the certificates we created:openssl.cnfini# OpenSSL example configuration file.# See doc/man5/config.pod for more info.####################################################################[ ca ]default_ca = CA_default # The default ca section####################################################################[ CA_default ]dir = ./databaseCA # Where everything is keptcerts = $dir/certs # Where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/self-CA.crt # The CA certificateserial = $dir/serial # The current serial numbercrlnumber = $dir/crlnumber # the current crl numbercrl = $dir/crl.pem # The current CRLprivate_key = $dir/private/self-CA-key.pem # The private keyx509_extensions = usr_cert # The extensions to add to the certcrl_extensions = crl_extdefault_days = 3650 # how long to certify fordefault_crl_days = 30 # how long before next CRLdefault_md = sha256 # use SHA-256 by defaultpreserve = no # keep passed DN ordering[ crl_ext ]authorityKeyIdentifier=keyid:alwaysopenssl.cnfini# OpenSSL example configuration file.# See doc/man5/config.pod for more info.####################################################################[ ca ]default_ca = CA_default # The default ca section####################################################################[ CA_default ]dir = ./databaseCA # Where everything is keptcerts = $dir/certs # Where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/self-CA.crt # The CA certificateserial = $dir/serial # The current serial numbercrlnumber = $dir/crlnumber # the current crl numbercrl = $dir/crl.pem # The current CRLprivate_key = $dir/private/self-CA-key.pem # The private keyx509_extensions = usr_cert # The extensions to add to the certcrl_extensions = crl_extdefault_days = 3650 # how long to certify fordefault_crl_days = 30 # how long before next CRLdefault_md = sha256 # use SHA-256 by defaultpreserve = no # keep passed DN ordering[ crl_ext ]authorityKeyIdentifier=keyid:alwaysThe above is just the
CA_defaultportion of a default OpenSSL configuration, not the entireopenssl.cnffile.In this configuration,
./databaseCAis the directory where OpenSSL will store its database of certificates,./databaseCA/private/self-CA-key.pemis the CA’s private key, and./databaseCA/self-CA.crtis the CA’s certificate.- Ensure the directory and file paths match your environment, which we created in Step 1.
- Consult the openssl ca documentation for a complete list of configuration options.
-
Generate the file
revoked.crl, which will contain the list of revoked certificates:nixsudo openssl ca -config openssl.cnf -gencrl -out /certs/revoked.crlnixsudo openssl ca -config openssl.cnf -gencrl -out /certs/revoked.crlYou can create a CRL file even before a certificate has been revoked. In this case, the revocation list will be empty inside the CRL.
Configure the load balancer Jump to heading
By using Certificate Revocation Lists, you can revoke client certificates in your load balancer environment. Revoked certificates will be denied access based on your configured CRL file.
Here is an example snippet in which we add the crl-file argument to deny access to clients who have revoked certificates:
haproxy
haproxy
Revoke a certificate Jump to heading
To revoke a client certificate:
-
Invoke the
openssl cacommand with the-revokeargument:nixsudo openssl ca -config openssl.cnf -revoke alice-cert.crtnixsudo openssl ca -config openssl.cnf -revoke alice-cert.crtThis will immediately revoke the certificate
alice-cert.crtas confirmed by the output:outputtextUsing configuration from openssl.cnfRevoking Certificate 01.Data Base UpdatedoutputtextUsing configuration from openssl.cnfRevoking Certificate 01.Data Base Updated -
Update the CRL file:
nixsudo openssl ca -config openssl.cnf -gencrl -out /certs/revoked.crlnixsudo openssl ca -config openssl.cnf -gencrl -out /certs/revoked.crl -
Reload the load balancer configuration.
Update the CRL in HAProxy Enterprise Jump to heading
Update the in-memory representation of the CRL file in HAProxy Enterprise by using the Runtime API.
-
Replace the current CRL file with
/certs/revoked.crl:nixecho -e "set ssl crl-file /certs/revoked.crl <<\n$(cat /certs/revoked.crl)\n" | \sudo socat stdio tcp4-connect:127.0.0.1:9999nixecho -e "set ssl crl-file /certs/revoked.crl <<\n$(cat /certs/revoked.crl)\n" | \sudo socat stdio tcp4-connect:127.0.0.1:9999 -
Commit the in-memory CRL change, making the change effective immediately:
nixecho -e "commit ssl crl-file /certs/revoked.crl" | \sudo socat stdio tcp4-connect:127.0.0.1:9999nixecho -e "commit ssl crl-file /certs/revoked.crl" | \sudo socat stdio tcp4-connect:127.0.0.1:9999
Always remember to persist Runtime API changes by making analogous changes to the corresponding files on disk.
Info
Even after a client’s certificate is revoked, web pages or other controlled resources from the server may persist in the client’s cache.
Configuration directive reference Jump to heading
To use the SSL-CRL module, configure HAProxy Enterprise as follows.
sslcrl-add-crls Jump to heading
Used in the global section, the sslcrl-add-crls directive specifies that when new revocation lists are added to the load balancer using the Runtime API, the previous revocation lists should be retained. With this option, you can add revocation lists incrementally, in multiple Runtime API commands. By default, adding a revocation list to the load balancer deletes the previously loaded lists from memory. Optional.
haproxy
haproxy
filter directive Jump to heading
The filter sslcrl directive enables the SSL-CRL filter for the listen, frontend, or backend section. Required. The filter sslcrl directive is supported in the listen, frontend, and backend sections.
Important
The listen, frontend, or backend section must be run in TCP mode.
The directive has these parameters.
| Parameter | Description |
|---|---|
id <name> |
This parameter specifies an ID for the filter. If you do not specify an ID, the ID is set to <section>-<section-id>. Use the ID when using Runtime API commands. The ID identifies the filter in log messages. Optional. |
config <section-name> |
This parameter specifies the name of the configuration section for the filter. You define a filter configuration section using the sslcrl directive when you need to override the default filter configuration values. The configuration section must precede the listen, frontend, or backend section that uses it. Optional. |
Example: Define an SSL-CRL filter named sslcrl-prod-1 having a configuration section named sslcrl-prod-1-config.
haproxy
haproxy
sslcrl configuration directive Jump to heading
Create an sslcrl section to set additional options. It takes a name argument, which should match the value of the config argument on the filter sslcrl line. Multiple listen, frontend, and backend sections can refer to the same sslcrl configuration section.
You can specify the following directives in the sslcrl configuration section.
| Directive | Description |
|---|---|
log { global | <addr> [len <len>] [format <fmt>] <facility> [<level> [<minlevel>]] } |
Configures the target log server. By default, logging from the filter is not permitted. Optional. The syntax and parameters are the same as for HAProxy Enterprise logs. |
log-format <string> |
Specifies the log format string to use for the filter’s logs. For the log string, standard formats available for defining logs can be used. The default log format, if not explicitly defined, is %ci:%cp [%t] %ft. When logging, the prefix [SSLCRL]: <filter-id> and postfix <reason> are added to the log message. Optional. |
option disabled |
At HAProxy startup, start the filter in the disabled state. By default, the filter is on if specified in a listen, frontend, or backend section. Optional. |
option dontlog-normal |
In the case that logging in the filter is turned on, normal operation is not logged. Optional. |
option hard-errors |
In case an error occurred during the operation of the filter, the filter is temporarily (for that connection) turned off. Optional. |
check-interval <value> |
The frequency of SSL certificate validity checks. This is the maximum amount of time after which a revoked certificate causes the connection to be terminated. Default: 1 second. Optional. |
Runtime API command reference Jump to heading
After starting the HAProxy Enterprise process, it is possible to manage the SSL-CRL filters using the Runtime API. This section describes the available commands.
Important
Changing filter parameters does not affect connections that are already established. Changes only apply to connections established after the change.
sslcrl add-crls Jump to heading
Syntax
sslcrl add-crls [on|off]
Description
Show or set the current sslcrl add-crls parameter setting, which determines whether existing CRLs are deleted when new ones are loaded. Optionally, specify on or off to set the parameter. By default, sslcrl add-crls is off, which means existing CRLs are deleted when new ones are loaded.
Example
Add new CRLs without deleting old ones:
nix
nix
sslcrl check-interval Jump to heading
Syntax
sslcrl check-interval [<value> <id>]
Description
Show or set the SSL certificate validation intervals for filters. The interval determines how often the validity of SSL certificates (client and server) is checked. Optionally, specify an interval and filter ID. The set value must be in milliseconds, between 1000 and 100000. Default: 1000.
Examples
Show check-interval for all SSL-CRL configurations:
nix
nix
outputtext
outputtext
Set the check-interval for SSL-CRL configuration sslcrl-prod-1 to 10 seconds:
nix
nix
outputtext
outputtext
sslcrl disable Jump to heading
Syntax
sslcrl disable <filter-id>
Description
Disable the SSL-CRL filter named <filter-id>.
Example
Disable the SSL-CRL filter named sslcrl-prod-1.
nix
nix
sslcrl enable Jump to heading
Syntax
sslcrl enable <filter-id>
Description
Enable the SSL-CRL filter named <filter-id>.
Example
Enable the SSL-CRL filter named sslcrl-prod-1.
nix
nix
sslcrl hard-errors Jump to heading
Syntax
sslcrl hard-errors <filter-id>
Description
Enable hard-errors mode. In this mode, in the event of an error occurring in the operation of the SSL-CRL filter, the filter is turned off and does not affect the further operation of the stream.
Example
Enable hard-errors mode on the filter named sslcrl-prod-1.
nix
nix
sslcrl logging Jump to heading
Syntax
sslcrl logging [<state> <filter-id>]
Description
Show the current logging state, where state may be off, on, or dontlog-normal (log only errors). Optionally, set the logging state of the specified filter.
Examples
Show logging state:
nix
nix
outputtext
outputtext
Disable logging for SSL-CRL filter configuration sslcrl-prod-1:
nix
nix
outputtext
outputtext
sslcrl soft-errors Jump to heading
Syntax
sslcrl soft-errors <filter-id>
Description
Restore soft-errors mode (that is, turn off hard-errors mode) for the specified SSL-CRL filter configuration. In this mode, filter errors are logged, but the operation of the filter is not interrupted.
Example
Restore soft-errors mode on the filter named sslcrl-prod-1.
nix
nix
sslcrl status Jump to heading
Syntax
sslcrl status [<filter-id>]
Description
Show the status of all SSL-CRL filter configurations. Optionally, specify a single filter configuration.
Example
Show the status of the filter named sslcrl-prod-1.
nix
nix
See also Jump to heading
Do you have any suggestions on how we can improve the content of this page?
