
HAProxy

haproxy.cfg

global
        log /dev/log local0
        log /dev/log local1 notice
        chroot  /var/lib/haproxy
        user    haproxy
        group   haproxy
        maxconn 10000
        daemon
        tune.ssl.default-dh-param 2048
        ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

defaults
        log global
        maxconn 10000
        mode http
        option dontlognull
        option httpclose
        option httpchk
        option redispatch
        retries 3
        timeout check 10000
        timeout client 150000
        timeout connect 4000
        timeout server 30000

frontend www
        bind public_IP:80        # replace public_IP with the public address (or use * to listen on all addresses)
        option forwardfor
        default_backend web

frontend www_ssl
        bind public_IP:80        # plain listener so the redirect below can fire; frontend www above binds the same port, so keep only one of the two
        bind public_IP:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
        reqadd X-Forwarded-Proto:\ https   # reqadd was removed in HAProxy 2.1; there use: http-request set-header X-Forwarded-Proto https
        redirect scheme https code 301 if !{ ssl_fc }
        option forwardfor
        default_backend web

frontend frontend666
        bind public_IP:666
        mode tcp
        default_backend backend_666

backend web
        mode http
        balance roundrobin
        server web1 192.168.1.100:8080 check   # "check" is required for the "option httpchk" in defaults to actually probe the server
        server web2 192.168.1.101:8080 check

backend backend_666
        mode tcp                 # must match the tcp frontend; without it the "mode http" from defaults applies
        server web1 192.168.1.100:666
        server web2 192.168.1.101:666

The load balancer listens on public_IP:80 in the frontend named "www" and sends the traffic to the backend named "web".

SSL Offloading

The SSL PEM file must be the concatenation of the certificate (.crt), the private key (.key) and the CA bundle, in that order.
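A small checker for that layout, added here as an example (it is not part of the original page and not HAProxy's own tooling): it splits a combined PEM file into its blocks and reports when the order differs from certificate, private key, CA bundle, or when the key is passphrase-protected, which HAProxy cannot load because it reads keys at startup without prompting. The sample PEM texts are constructed placeholders, not real key or certificate material, and the checker looks at layout only; it does not verify that the key matches the certificate.

```python
import re
from typing import List, Tuple

# One PEM block: BEGIN line with a label, body, then the matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block, in file order."""
    return [(m.group("label"), m.group("body")) for m in _PEM_BLOCK.finditer(text)]


def check_haproxy_pem(text: str) -> List[str]:
    """Report layout problems for a combined PEM file laid out as the page
    describes: server certificate, then private key, then the CA bundle.
    Returns an empty list when the layout matches."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems: List[str] = []

    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate")

    key_positions = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
    if len(key_positions) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_positions)}")
    else:
        if key_positions[0] != 1:
            problems.append("private key must directly follow the server certificate")
        label, body = blocks[key_positions[0]]
        # PKCS#8 "ENCRYPTED PRIVATE KEY" blocks and legacy keys carrying a
        # "Proc-Type: 4,ENCRYPTED" header need a passphrase HAProxy cannot supply.
        if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected; HAProxy cannot load it")

    # Everything that is not the key must be a certificate (server cert, then chain).
    for i, label in enumerate(labels):
        if i in key_positions:
            continue
        if label != "CERTIFICATE":
            problems.append(f"block {i + 1} is {label!r}, expected CERTIFICATE")
    return problems


def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholder bodies; not real certificates or keys.
GOOD_PEM = (
    _block("CERTIFICATE", "constructed-server-cert")
    + _block("PRIVATE KEY", "constructed-private-key")
    + _block("CERTIFICATE", "constructed-intermediate-ca")
    + _block("CERTIFICATE", "constructed-root-ca")
)
KEY_FIRST_PEM = (
    _block("PRIVATE KEY", "constructed-private-key")
    + _block("CERTIFICATE", "constructed-server-cert")
)
ENCRYPTED_KEY_PEM = (
    _block("CERTIFICATE", "constructed-server-cert")
    + _block("ENCRYPTED PRIVATE KEY", "constructed-encrypted-key")
)


if __name__ == "__main__":
    import sys

    # Pass a path to check a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_PEM
    print(check_haproxy_pem(text) or "layout OK")
```

Run it against the file named on the bind line (`/etc/haproxy/ssl/wildcard.domain.pem` in the config above) before reloading HAProxy; an empty result means the blocks are in the order the page requires.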

reqadd X-Forwarded-Proto:\ https: adds an HTTP header to the request, telling the back-end
application that the original request arrived over TLS, even though the proxy connects to the servers over
plain TCP on port 80.
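The header is only as trustworthy as the proxy's handling of it. The example below is added here and is not code from the page or from HAProxy: it models in Python what the backend sees under the page's layout, where only the TLS frontend adds the header with reqadd (which appends and never removes a copy the client sent itself, and which HAProxy removed in 2.1), beside a hardened variant in which every frontend overwrites the header with `http-request set-header`. The sample requests are constructed, and the backend policy shown (honour the last X-Forwarded-Proto value) is an assumption standing in for whatever the application framework does.

```python
from typing import List, Tuple

Header = Tuple[str, str]
XFP = "x-forwarded-proto"


def reqadd(headers: List[Header], value: str) -> List[Header]:
    """Model of `reqadd X-Forwarded-Proto:\\ <value>`: appends one more header
    line and leaves any copy the client sent itself in place."""
    return list(headers) + [("X-Forwarded-Proto", value)]


def set_header(headers: List[Header], value: str) -> List[Header]:
    """Model of `http-request set-header X-Forwarded-Proto <value>`: drops every
    existing copy, then adds exactly one carrying the proxy's value."""
    kept = [(k, v) for k, v in headers if k.lower() != XFP]
    return kept + [("X-Forwarded-Proto", value)]


def backend_scheme(headers: List[Header]) -> str:
    """Assumed backend policy: 'https' if the last X-Forwarded-Proto value
    says so, otherwise 'http'."""
    values = [v.strip().lower() for k, v in headers if k.lower() == XFP]
    return "https" if values and values[-1] == "https" else "http"


def scheme_seen_by_backend(style: str, via_tls: bool, client_headers: List[Header]) -> str:
    """Scheme the backend concludes for one request.

    style == "reqadd": the page's layout, where only the TLS frontend (www_ssl)
    adds the header and the plain frontend (www) forwards headers untouched.
    style == "set-header": hardened variant where every frontend overwrites the
    header with the value matching its own listener.
    """
    if style == "reqadd":
        forwarded = reqadd(client_headers, "https") if via_tls else list(client_headers)
    elif style == "set-header":
        forwarded = set_header(client_headers, "https" if via_tls else "http")
    else:
        raise ValueError(f"unknown style {style!r}")
    return backend_scheme(forwarded)


# Constructed sample requests (not captured traffic).
HONEST_CLIENT: List[Header] = [("Host", "www.example.test"), ("User-Agent", "curl")]
# Same request with a client-supplied X-Forwarded-Proto that claims TLS.
SPOOFING_CLIENT: List[Header] = HONEST_CLIENT + [("X-Forwarded-Proto", "https")]


if __name__ == "__main__":
    for style in ("reqadd", "set-header"):
        for via_tls in (True, False):
            for name, hdrs in (("honest", HONEST_CLIENT), ("spoofing", SPOOFING_CLIENT)):
                scheme = scheme_seen_by_backend(style, via_tls, hdrs)
                print(f"{style:<10} tls={via_tls!s:<5} {name:<8} -> {scheme}")
```

Under the page's layout a request that enters through the plain frontend on port 80 with its own X-Forwarded-Proto: https reaches the backend unchanged, so the backend believes it was TLS; overwriting the header on every frontend removes that path. Independently of the proxy side, a backend should only act on the header when the connection comes from the proxy's addresses.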

To serve several certificates on one frontend (HAProxy picks the one matching the SNI name the client sends), list several crt entries on the bind line, for example:
bind PUBLIC_IP:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3