HAProxy
vim /etc/haproxy/haproxy.cfg
The example below shows an acceptable cipher list (note that it still admits the legacy 3DES suite DES-CBC3-SHA and the non-forward-secret AES suites, which current guidance drops), how to add a session cookie on HAProxy, and SSL offloading.
global
    log /dev/log local0 notice
    log 127.0.0.1 local0 warning
    maxconn 10000
    user haproxy
    group haproxy
    daemon
    spread-checks 5
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
    log global
    mode http
    option dontlognull
    option redispatch
    option httpclose
    option httpchk
    retries 3
    maxconn 10000
    timeout connect 5000ms
    timeout client 150000ms
    timeout server 30000ms
    timeout check 10000

# Statistics page. {STATS PORT} is a placeholder: use a port that none of the frontends below binds.
listen lb_stats
    bind {PUBLIC IP}:{STATS PORT}
    mode http
    stats uri /
    stats realm "HAProxy Stats"
    stats auth admin:FsoqyNpJAYuD

# TLS terminates here; plain HTTP arriving on :80 is redirected to HTTPS.
frontend www_ssl
    mode http
    bind {PUBLIC IP}:80
    bind {PUBLIC IP}:443 ssl crt /etc/haproxy/ssl/wildcard.domain.com.pem no-sslv3
    redirect scheme https code 301 if !{ ssl_fc }
    reqadd X-Forwarded-Proto:\ https
    http-request add-header X-CLIENT-IP %[src]
    option forwardfor
    default_backend web

# Raw TCP passthrough on :666 to port 8080 on the servers.
frontend frontend666
    mode tcp
    bind {PUBLIC IP}:666
    default_backend backend_666

backend web
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD /
    # insert mode: HAProxy sets its own SERVERID cookie and leaves the application cookie alone
    cookie SERVERID insert indirect nocache
    server web1 10.1.2.100:80 weight 1 check cookie srv1 inter 1000 rise 5 fall 1
    server web2 10.1.2.101:80 weight 1 check cookie srv2 inter 1000 rise 5 fall 1

# A tcp frontend needs a tcp backend; the mode from defaults (http) would be rejected.
backend backend_666
    mode tcp
    server web1 10.1.2.100:8080
    server web2 10.1.2.101:8080
The load balancer listens on the public IP on ports 80 (redirected to HTTPS) and 443 in the frontend named "www_ssl" and sends the traffic to the backend named "web".
Enable X-Forwarded-For logging in httpd.conf, then reference the nickname in the CustomLog directive:
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined-forwarded
Because option forwardfor appends the client address to any X-Forwarded-For header the client already sent, the logged value can be a comma-separated list; the address added by HAProxy is the last one.
SSL Offloading
The PEM file must contain, in this order: the certificate (.crt), the private key (.key) and the CA bundle.
reqadd X-Forwarded-Proto:\ https: adds an HTTP header to the request telling the backend application that the original request was made over TLS, even though the proxy connects to the servers over unencrypted HTTP on port 80. The application should only trust this header when the request arrives from the proxy, since anything reaching the servers directly can carry its own value. reqadd was removed in HAProxy 2.1; on current versions use http-request set-header X-Forwarded-Proto https instead.
For SNI-enabled frontends, simply add multiple crt entries, for example:
    bind IP-ADDR:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3
Cookie
It is also possible to use the session cookie provided by the backend server. Edit the backend section of /etc/haproxy/haproxy.cfg:
    backend www
        balance roundrobin
        mode http
        cookie PHPSESSID prefix indirect nocache
        server web1 10.1.2.100:80 check cookie srv1
        server web2 10.1.2.101:80 check cookie srv2
In this example HAProxy intercepts the PHP session cookie and adds / removes the reference to the backend server.
The prefix keyword reuses an application cookie: the server identifier is prefixed to the cookie value in the response, and stripped again from the following requests before they reach the server.
Default session cookie names by backend platform:
    Java : JSESSIONID
    ASP.Net : ASP.NET_SessionId
    ASP : ASPSESSIONID
    PHP : PHPSESSID
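To make prefix mode concrete, here is an added Python simulation of what HAProxy does with cookie PHPSESSID prefix indirect for the backend above (example code written for this page, not HAProxy's implementation); the srv1/srv2 to web1/web2 mapping follows the server lines above and the ~ separator is the one HAProxy documents for prefix mode.

```python
import re

# Constructed example mirroring the page's backend: PHP session cookie in prefix mode,
# `cookie PHPSESSID prefix indirect nocache` with `server web1 ... cookie srv1` etc.
COOKIE_NAME = "PHPSESSID"
PREFIX_SEP = "~"  # HAProxy separates the server id from the application's value with '~'
COOKIE_ID_TO_SERVER = {"srv1": "web1", "srv2": "web2"}  # values from `server ... cookie <id>`


def rewrite_response(set_cookie: str, cookie_id: str) -> str:
    """On the way back to the client, prefix the app's session cookie with the
    id of the server that answered; any other Set-Cookie passes through untouched."""
    m = re.match(rf"^{re.escape(COOKIE_NAME)}=([^;]*)(.*)$", set_cookie)
    if not m:
        return set_cookie
    return f"{COOKIE_NAME}={cookie_id}{PREFIX_SEP}{m.group(1)}{m.group(2)}"


def route_request(cookie_header: str, fallback_server: str) -> tuple[str, str]:
    """On the way in, pick the server named by the prefix and strip the prefix
    (indirect mode) so the application only ever sees its own value.
    Returns (server to use, Cookie header as forwarded to that server)."""
    cookies = dict(kv.split("=", 1) for kv in cookie_header.split("; ") if "=" in kv)
    value = cookies.get(COOKIE_NAME)
    if value is None or PREFIX_SEP not in value:
        return fallback_server, cookie_header  # no persistence info: normal load balancing
    cookie_id, app_value = value.split(PREFIX_SEP, 1)
    # Unknown or removed server id: this simulation redispatches to the balancer's
    # choice (cf. option redispatch) and still hands the application its own value.
    server = COOKIE_ID_TO_SERVER.get(cookie_id, fallback_server)
    cookies[COOKIE_NAME] = app_value
    return server, "; ".join(f"{k}={v}" for k, v in cookies.items())


if __name__ == "__main__":
    # The first response from web1 tags the session; the next request sticks to web1
    # even though round-robin would have picked web2.
    tagged = rewrite_response("PHPSESSID=abc123; Path=/; HttpOnly", "srv1")
    print(tagged)                                        # PHPSESSID=srv1~abc123; Path=/; HttpOnly
    print(route_request(tagged.split(";")[0], "web2"))   # ('web1', 'PHPSESSID=abc123')
```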
httpchk
An HTTP health check can also be run against a backend in tcp mode, on a different port than the one being proxied:
    backend https_relay
        mode tcp
        option httpchk HEAD * HTTP/1.1\r\nHost:\ domain.com
        server apache1 192.168.1.1:443 check port 80
--
Test config file:
haproxy -c -V -f /etc/haproxy/haproxy.cfg
Doc
https://cbonte.github.io/haproxy-dconv/