HAProxy
haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    maxconn 10000
    daemon
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

defaults
    log global
    maxconn 10000
    mode http
    option dontlognull
    option httpclose
    option httpchk
    option redispatch
    retries 3
    timeout check 10000
    timeout client 150000
    timeout connect 4000
    timeout server 30000

frontend www
    bind *:80            # You can replace the * with the public IP
    option forwardfor
    default_backend web

# SSL-offloading listener (see "SSL Offloading" below). It binds *:80 as well, so
# it replaces "frontend www" rather than running next to it: two frontends cannot
# bind the same address and port.
frontend www_ssl
    bind *:80            # You can replace the * with the public IP
    bind *:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
    reqadd X-Forwarded-Proto:\ https
    redirect scheme https code 301 if !{ ssl_fc }
    option forwardfor
    default_backend web

frontend frontend666
    bind *:666
    mode tcp
    default_backend backend_666

backend web
    mode http
    balance roundrobin
    # "check" is what makes "option httpchk" from defaults actually probe the servers
    server web1 192.168.1.100:8080 check
    server web2 192.168.1.101:8080 check

backend backend_666
    mode tcp             # must match the tcp-mode frontend, otherwise HAProxy refuses the config
    server web1 192.168.1.100:666 check
    server web2 192.168.1.101:666 check
The load balancer listens on *:80 in the frontend named "www" and sends the traffic to the backend named "web"; the * can be replaced with a public IP. Note that the "www_ssl" frontend also binds *:80, so enable one of the two, not both.
SSL Offloading
The SSL PEM file must contain, in this order: the server certificate (.crt), the intermediate/CA bundle certificates, and the private key (.key), concatenated into one file. Keep it readable only by root (HAProxy reads it before dropping privileges to the haproxy user).
reqadd X-Forwarded-Proto:\ https: adds an HTTP header to the request, telling the back-end
application that the original request arrived over TLS even though the proxy talks to the servers over
plain HTTP (port 8080 in the config above). Two caveats: reqadd appends rather than overwrites, so a client that
sends its own X-Forwarded-Proto header reaches the backend with both values, and reqadd was deprecated in HAProxy 1.6
and removed in 2.1; the replacement is http-request set-header X-Forwarded-Proto https if { ssl_fc }, which overwrites
any client-supplied value. The same spoofing concern applies to option forwardfor, which appends the client address to an
existing X-Forwarded-For header; the backend must read the last value, or the proxy should set the header instead of appending to it.
For SNI-enabled frontends, simply add multiple crt entries; HAProxy serves the certificate whose name matches the SNI the client sends, and the first certificate listed is the default for clients that send no SNI or an unknown name. For example:
bind PUBLIC_IP:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3
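The following is an added example covering both the SSL-offloading frontend and the SNI setup above; it is not part of the original page. It targets HAProxy 2.x, so reqadd is replaced by http-request rules, and the domain names, certificate paths, health-check URI and backend addresses are assumptions.

```haproxy
global
    # Apply protocol restrictions to every "bind ... ssl" line. "no-sslv3" on the
    # bind line alone still leaves TLS 1.0 and 1.1 enabled.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    # TLS 1.3 suites (HAProxy 1.9+ built against OpenSSL 1.1.1+)
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    timeout connect 4000
    timeout client 150000
    timeout server 30000

# Each PEM is the server certificate, then the intermediate (CA bundle) chain,
# then the private key, built for example with (assumed file names):
#   cat firstdomain.crt ca-bundle.crt firstdomain.key > /etc/haproxy/ssl/firstdomain.pem
# The first crt listed is the default when no SNI name matches.
frontend www_ssl
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem

    # Redirect plain HTTP before anything reaches the backend.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # set-header overwrites, so a client cannot smuggle its own value through.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Set X-Forwarded-For to the real peer address instead of appending to a
    # client-supplied header (the appending behaviour of "option forwardfor").
    http-request set-header X-Forwarded-For %[src]

    # Tell browsers to stay on HTTPS for a year (assumed policy; includeSubDomains
    # is only safe if every subdomain is served over TLS).
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }

    default_backend web

backend web
    balance roundrobin
    # Active health check; /healthz is an assumed path on the application.
    option httpchk GET /healthz
    server web1 192.168.1.100:8080 check
    server web2 192.168.1.101:8080 check
```

Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, which catches mode mismatches, unreadable PEM files and removed directives such as reqadd without touching the running instance.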