{"id":3603,"date":"2019-07-13T00:06:14","date_gmt":"2019-07-12T21:06:14","guid":{"rendered":"https:\/\/kifarunix.com\/?p=3603"},"modified":"2020-06-06T09:55:11","modified_gmt":"2020-06-06T06:55:11","slug":"configure-haproxy-with-ssl-on-ubuntu-18-04-debian-10-9","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-haproxy-with-ssl-on-ubuntu-18-04-debian-10-9\/","title":{"rendered":"Configure HAProxy Load Balancer with SSL on Ubuntu 18.04\/Debian 10\/9"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to configure HAProxy load balancer with SSL on Ubuntu 18.04\/Debian 10\/9. <a rel=\"noreferrer noopener\" aria-label=\"HAProxy (opens in a new tab)\" href=\"http:\/\/www.haproxy.org\/\" target=\"_blank\">HAProxy<\/a> is the de-facto open-source solution providing very fast and reliable high availability,&nbsp;load balancing and proxying for TCP and HTTP-based applications. As such, HAProxy is suited for very high traffic web sites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configure HAProxy Load Balancer with SSL on Ubuntu 18.04\/Debian 10\/9<\/h2>\n\n\n\n<p>In this guide, we are going to demonstrate how HAProxy performs load balancing using three web servers serving simple HTML pages. 
Our architecture is shown in the diagram below;<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/HAProxy-architecture.png\"><img loading=\"lazy\" decoding=\"async\" width=\"474\" height=\"427\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/Haproxy-architecture.png\" alt=\"Configure HAProxy Load Balancer with SSL on Ubuntu 18.04\/Debian 10\/9\" class=\"wp-image-3606\" title=\"\"><\/a><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Install HAProxy on Ubuntu 18.04\/Debian 10\/Debian 9<\/h3>\n\n\n\n<p>Run system update.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update\napt upgrade<\/code><\/pre>\n\n\n\n<p>Once the update is done, proceed to install HAProxy on your Ubuntu\/Debian systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Create HAProxy Repository<\/h3>\n\n\n\n<p>There are different HAProxy packages for each system. Hence, you need to create a dedicated repository for each system.<\/p>\n\n\n\n<p>Before you can create the repos, install the APT signing key.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install curl -y\ncurl https:\/\/haproxy.debian.net\/bernat.debian.org.gpg | apt-key add -<\/code><\/pre>\n\n\n\n<p>Next, create HAProxy repositories. 
On Debian 10 Buster\/Debian 9 Stretch, run the command below to create the repo.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"deb http:\/\/haproxy.debian.net $(lsb_release -cs)-backports-2.0 main\" | tee \/etc\/apt\/sources.list.d\/haproxy.list<\/code><\/pre>\n\n\n\n<p>On Ubuntu 18.04, you need to add the vbernat haproxy PPA repos as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install software-properties-common\nadd-apt-repository ppa:vbernat\/haproxy-2.0<\/code><\/pre>\n\n\n\n<p>Once the repos are created on each system, perform a system update and install HAProxy.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update\napt install haproxy=2.0.\\*<\/code><\/pre>\n\n\n\n<p>To check the version of the installed HAProxy, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>haproxy -v<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>HA-Proxy version 2.0.1-1~bpo9+1 2019\/06\/27 - https:\/\/haproxy.org\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure HAProxy Load Balancer on Ubuntu 18.04\/Debian 10\/9<\/h3>\n\n\n\n<p>Configuration of HAProxy is all about where it listens for connection requests and where to forward such requests to. It is therefore made up of a frontend section and one or more backend sections. 
The frontend section defines the IP address and port on which the proxy listens, as well as the backend sections to use for a particular proxy.<\/p>\n\n\n\n<p>The main configuration file for HAProxy is <strong>\/etc\/haproxy\/haproxy.cfg<\/strong>.<\/p>\n\n\n\n<p>The HAProxy configuration file is made up of four sections;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><code>global<\/code><br>The global section defines process-wide security and performance tunings that affect HAProxy at a low level.<br><\/li><li><code>defaults<\/code><br>The defaults section defines the configuration settings that are applied to all of the&nbsp;<code>frontend<\/code>&nbsp;and&nbsp;<code>backend<\/code>&nbsp;sections. You can define multiple defaults sections, but each subsequent defaults section overrides the one that came before it.<br><\/li><li><code>frontend<\/code><br>When HAProxy is placed as a reverse proxy, the <code>frontend<\/code> section defines the IP addresses and ports that clients can connect to.<br><\/li><li><code>backend<\/code><br>The backend section defines the group of servers that will be load balanced and assigned to handle requests.<\/li><\/ul>\n\n\n\n<p>The <code>frontend<\/code>&nbsp;and&nbsp;<code>backend<\/code>&nbsp;sections can be combined using the<code> listen<\/code> section. 
It can also be used to serve the <a href=\"https:\/\/www.haproxy.com\/blog\/exploring-the-haproxy-stats-page\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"HAProxy statistics page (opens in a new tab)\">HAProxy statistics page<\/a>.<\/p>\n\n\n\n<p>To read more on the HAProxy configuration sections, check <a href=\"https:\/\/www.haproxy.com\/blog\/the-four-essential-sections-of-an-haproxy-configuration\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"here (opens in a new tab)\">here<\/a>.<\/p>\n\n\n\n<p>Before we can begin any configuration, let us create a backup of the configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/haproxy\/haproxy.cfg{,.bak}<\/code><\/pre>\n\n\n\n<p>The default HAProxy configuration contains the default settings for the <code>global<\/code>&nbsp;and&nbsp;<code>defaults<\/code> sections.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>global\n        log \/dev\/log    local0\n        log \/dev\/log    local1 notice\n        chroot \/var\/lib\/haproxy\n        stats socket \/run\/haproxy\/admin.sock mode 660 level admin expose-fd listeners\n        stats timeout 30s\n        user haproxy\n        group haproxy\n        daemon\n\n        # Default SSL material locations\n        ca-base \/etc\/ssl\/certs\n        crt-base \/etc\/ssl\/private\n\n        # Default ciphers to use on SSL-enabled listening sockets.\n        # For more information, see ciphers(1SSL). 
This list is from:\n        #  https:\/\/hynek.me\/articles\/hardening-your-web-servers-ssl-ciphers\/\n        # An alternative list with additional directives can be obtained from\n        #  https:\/\/mozilla.github.io\/server-side-tls\/ssl-config-generator\/?server=haproxy\n        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS\n        ssl-default-bind-options no-sslv3\n        ## Add the line below\n        tune.ssl.default-dh-param 2048\n\ndefaults\n        log     global\n        mode    http\n        option  httplog\n        option  dontlognull\n        timeout connect 5000\n        timeout client  50000\n        timeout server  50000\n        errorfile 400 \/etc\/haproxy\/errors\/400.http\n        errorfile 403 \/etc\/haproxy\/errors\/403.http\n        errorfile 408 \/etc\/haproxy\/errors\/408.http\n        errorfile 500 \/etc\/haproxy\/errors\/500.http\n        errorfile 502 \/etc\/haproxy\/errors\/502.http\n        errorfile 503 \/etc\/haproxy\/errors\/503.http\n        errorfile 504 \/etc\/haproxy\/errors\/504.http<\/code><\/pre>\n\n\n\n<p>We are going to leave these settings as they are and add our own configuration for the&nbsp;<code>frontend<\/code>&nbsp;and&nbsp;<code>backend<\/code>&nbsp;sections. However, you can add the line <code>tune.ssl.default-dh-param 2048<\/code> to the <strong>global<\/strong> section; it sets the maximum size of the Diffie-Hellman parameters used for generating the ephemeral (temporary) Diffie-Hellman key in case of a DHE key exchange.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure HAProxy with SSL on Ubuntu 18.04\/Debian 10\/9<\/h3>\n\n\n\n<p>As stated above, the&nbsp;<code>frontend<\/code>&nbsp;section defines the IP address on which to listen for connection requests.<\/p>\n\n\n\n<p>Since we are configuring HAProxy with SSL, you need to generate the SSL\/TLS certificates. 
This guide uses self-signed certificates. You can get your own from a trusted CA.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Generating Self-Signed SSL Certificates for HAProxy<\/h4>\n\n\n\n<p>Begin by generating a private key.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl genrsa -out \/etc\/ssl\/private\/haproxy.key 2048<\/code><\/pre>\n\n\n\n<p>Next, generate the certificate signing request (CSR).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl req -new -key \/etc\/ssl\/private\/haproxy.key -out \/etc\/ssl\/certs\/haproxy.csr<\/code><\/pre>\n\n\n\n<p>Create the self-signed certificate (CRT).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl x509 -req -days 365 -in \/etc\/ssl\/certs\/haproxy.csr -signkey \/etc\/ssl\/private\/haproxy.key -out \/etc\/ssl\/certs\/haproxy.crt<\/code><\/pre>\n\n\n\n<p>Create the SSL PEM file containing both the key and the certificate. Since this file holds the private key, restrict its permissions (for example with chmod 600) so that only root can read it; HAProxy loads the certificate before dropping privileges.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat \/etc\/ssl\/private\/haproxy.key \/etc\/ssl\/certs\/haproxy.crt &gt; \/etc\/ssl\/certs\/haproxy.pem<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Define HAProxy Frontend Configuration Settings<\/h4>\n\n\n\n<p>Open the HAProxy configuration file and configure the frontend settings as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/haproxy\/haproxy.cfg<\/code><\/pre>\n\n\n\n<p>These are the basic settings of our frontend configuration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>frontend lb_01\n    bind 192.168.43.62:443 ssl crt \/etc\/ssl\/certs\/haproxy.pem\n    default_backend webapp_backends<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>The <strong>bind<\/strong> setting assigns a listener to a given IP address and port. <strong>ssl<\/strong> <strong>crt<\/strong> instructs HAProxy to terminate SSL\/TLS on that listener using the given certificate file. 
<\/li><li><code><strong>default_backend<\/strong><\/code>&nbsp;gives the name of a&nbsp;<code>backend<\/code>&nbsp;to send traffic to.<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Define HAProxy Backend Configuration Settings<\/h4>\n\n\n\n<p>In its basic configuration, our <strong>backend<\/strong> settings are defined below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>backend webapp_backends\n    balance roundrobin\n    server webapp_01.example.com  192.168.43.252:80 check\n    server webapp_02.example.com  192.168.43.174:80 check\n    server webapp_03.example.com  192.168.43.21:80 check<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>The <strong>balance<\/strong> setting defines the load balancer scheduling algorithm.<ul><li><strong>roundrobin<\/strong> selects the servers in turn.<\/li><li>Another common algorithm is <strong>leastconn<\/strong>, which makes the load balancer forward requests to the server with the fewest active connections.<\/li><\/ul><\/li><li>The <strong>server<\/strong> setting specifies the servers available in the backend.<ul><li>The <strong>check <\/strong>option enables health checks on the server, so that if one of them is down, requests are directed to the remaining available backend servers.<\/li><\/ul><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Enable HAProxy Statistics via Web <\/h4>\n\n\n\n<p>The statistics page is served by its own <code>listen<\/code> section. It must bind to an address and port that differ from the <code>lb_01<\/code> frontend; otherwise the two listeners compete for the same socket. Remember to open the chosen port in the firewall as well.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>listen stats\n    bind 192.168.43.62:8443 ssl crt \/etc\/ssl\/certs\/haproxy.pem   # port distinct from the lb_01 frontend\n    stats enable                    # enable statistics reports  \n    stats hide-version              # Hide the version of HAProxy\n    stats refresh 30s               # HAProxy refresh time\n    stats show-node                 # Shows the hostname of the node\n    stats auth admin:P@ssword       # Authentication for Stats page (change this)\n    stats uri \/lb_stats             # Statistics URL<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify HAProxy Configuration<\/h4>\n\n\n\n<p>Once the configuration is done, you can run the command below to 
check the HAProxy configuration for any errors.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>haproxy -c -f \/etc\/haproxy\/haproxy.cfg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Configuration file is valid<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Running HAProxy<\/h4>\n\n\n\n<p>When installed, HAProxy is set to run by default. To restart HAProxy and enable it to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart haproxy\nsystemctl enable haproxy<\/code><\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status haproxy\n\u25cf haproxy.service - HAProxy Load Balancer\n   Loaded: loaded (\/lib\/systemd\/system\/haproxy.service; enabled; vendor preset: enabled)\n   Active: active (running) since Fri 2019-07-12 23:22:58 EAT; 5s ago\n     Docs: man:haproxy(1)\n           file:\/usr\/share\/doc\/haproxy\/configuration.txt.gz\n  Process: 10686 ExecStartPre=\/usr\/sbin\/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0\/SUCCESS)\n Main PID: 10687 (haproxy)\n    Tasks: 2 (limit: 2340)\n   CGroup: \/system.slice\/haproxy.service\n           \u251c\u250010687 \/usr\/sbin\/haproxy -Ws -f \/etc\/haproxy\/haproxy.cfg -p \/run\/haproxy.pid -S \/run\/haproxy-master.sock\n           \u2514\u250010688 \/usr\/sbin\/haproxy -Ws -f \/etc\/haproxy\/haproxy.cfg -p \/run\/haproxy.pid -S \/run\/haproxy-master.sock<\/code><\/pre>\n\n\n\n<p>If UFW is running, open port 443;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow 443<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Verify HAProxy Load Balancing<\/h4>\n\n\n\n<p>Now that the configuration is done, you can access your HAProxy from a web browser to see whether it performs round-robin load balancing, using the address <strong>https:\/\/&lt;haproxy-IP&gt;<\/strong>.<\/p>\n\n\n\n<p>The first page that loads shows content served from <strong>webapp_01<\/strong>. 
For this demo, we have three test html pages. When refreshed, content from other servers is shown.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/haproxy_01.png\"><img loading=\"lazy\" decoding=\"async\" width=\"725\" height=\"123\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/haproxy_01.png\" alt=\"Configure HAProxy with SSL on Ubuntu 18.04\/Debian 10\/9\" class=\"wp-image-3608\" title=\"\"><\/a><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/haproxy_02.png\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"123\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/haproxy_02.png\" alt=\"HAProxy with SSL\" class=\"wp-image-3609\" title=\"\"><\/a><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/haproxy_03.png\"><img loading=\"lazy\" decoding=\"async\" width=\"723\" height=\"123\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/07\/haproxy_03.png\" alt=\"HAProxy Load Balancer on Ubuntu 18.04\/Debian 10 buster\" class=\"wp-image-3610\" title=\"\"><\/a><\/figure><\/div>\n\n\n\n<p>Well, as you can realize, the pages are served in order, one after the other. 
That is it on our basic tutorial on how to configure HAProxy Load Balancer with Self-Signed certificate on Ubuntu 18.04\/Debian 10\/Debian 9.<\/p>\n\n\n\n<p>You can read more about HAProxy and configuration options in the documentation page below;<\/p>\n\n\n\n<p><a href=\"https:\/\/cbonte.github.io\/haproxy-dconv\/2.0\/configuration.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"HAProxy Configuration Manual (opens in a new tab)\">HAProxy Configuration Manual<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Related Tutorials<\/h4>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-haproxy-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup HAProxy on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-haproxy-load-balancer-on-fedora-30-fedora-29\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Setup HAProxy Load Balancer on Fedora 30\/Fedora 29<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-install-and-configure-pound-apache-load-balancer-on-ubuntu-16-04\/\" target=\"_blank\">How to Install and Configure Pound as Apache HTTP Load balancer on Ubuntu 16.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to configure HAProxy load balancer with SSL on Ubuntu 18.04\/Debian 10\/9. 
HAProxy is the de-facto open-source<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[1032,121,92],"tags":[1025,997,287,1033,1034,95,165,67],"class_list":["post-3603","post","type-post","status-publish","format-standard","hentry","category-haproxy","category-howtos","category-load-balancers","tag-buster","tag-debian-10","tag-debian-9","tag-haproxy","tag-haproxy-with-ssl","tag-load-balancer","tag-ssl","tag-ubuntu-18-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3603"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=3603"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3603\/revisions"}],"predecessor-version":[{"id":6072,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3603\/revisions\/6072"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=3603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=3603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=3603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}