The HAProxy 1.5 branch has SSL support built in, so you no longer need stunnel or other SSL-termination helpers in front of it.
I tested SSL Server Name Indication (SNI) functionality with HAProxy 1.5.10, OpenSSL 1.0.2 and two SSL certificates (GeoTrust from Namecheap.com) on 3 Dell 1950 servers and it worked fine for me. HAProxy ran on one server and the others ran Apache HTTPD using virtual servers for each domain being load balanced.
SNI lets you use one IP address with multiple SSL certificates. For each site, you just create a single PEM file with key, crt and chain entries, in that exact order. Using SNI reduces the number of IP addresses you need, and also avoids having a separate stunnel process for each SSL certificate.
SNI has worked fine with most desktop browsers since 2003, but not with IE8 or older on Windows XP. Custom client applications and embedded devices that use SSL may also not handle SNI correctly. I noticed that the Nagios plugin cannot see the second certificate, even with -H hostname specified.
For GeoTrust certs for Apache+OpenSSL as of Feb. 15 2015, the correct installation of the 4 certificates is:
```shell
cat server.key server.crt rapidssl_cabundle.crt >server.pem
```
The resulting file begins with the key section, delimited by these dashed lines:
```
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
```
- note that haproxy prints the same general error message, “unable to load SSL private key from PEM file”, regardless of whether the cause is a missing file, incorrect file permissions or an incorrectly formatted certificate, so check the filename and permissions first.
- ensure there are no malformed header (dashed) lines, and delete any blank lines
- OpenSSL certs are in PEM format by default, so there’s no need to convert them. (Usually it’s Windows users who have to do PEM conversion.)
- After haproxy starts, it’s important to verify the certificate chain. Use sslchecker.com and click the Chain Details button to see the intermediate and root certificate names and dates.
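As an added pre-flight check (example code, not from the original post), the following Python function validates a bundle against the layout described above: private key first, then the server certificate, then the chain, with no blank lines and no malformed dashed lines. The sample bundles are constructed placeholders, not real key material.

```python
import re

# Exact PEM boundary lines; any other line starting with "-" is a malformed header.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

def check_haproxy_pem(text):
    """Return a list of problems found in a HAProxy 'crt' PEM bundle (empty = OK)."""
    problems, blocks, current = [], [], None   # blocks: labels in file order
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            problems.append(f"line {n}: blank line")
            continue
        m = BOUNDARY.match(line)
        if m:
            kind, label = m.groups()
            if kind == "BEGIN":
                if current:
                    problems.append(f"line {n}: BEGIN {label} inside unterminated {current}")
                current = label
            elif current is None:
                problems.append(f"line {n}: END {label} without BEGIN")
            else:
                if label != current:
                    problems.append(f"line {n}: END {label} does not close {current}")
                blocks.append(current)
                current = None
        elif line.startswith("-"):
            problems.append(f"line {n}: malformed header line {line!r}")
        elif current is None:
            problems.append(f"line {n}: text outside any PEM block")
    if current:
        problems.append(f"unterminated {current} block")
    if not blocks:
        problems.append("no PEM blocks found")
        return problems
    if blocks[0] not in KEY_LABELS:
        problems.append(f"first block is {blocks[0]}, expected the private key")
    if any(b in KEY_LABELS for b in blocks[1:]):
        problems.append("private key must be the first block only")
    certs = sum(1 for b in blocks if b == "CERTIFICATE")
    if certs < 2:
        problems.append(f"{certs} certificate(s) found; expected server cert plus chain")
    return problems

# Constructed samples: bodies are placeholder text, not real keys or certificates.
GOOD = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----", "placeholderkeybody", "-----END RSA PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", "placeholderservercert", "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", "placeholderchaincert", "-----END CERTIFICATE-----"]) + "\n"
BAD = "\n".join([
    "-----BEGIN CERTIFICATE-----", "placeholderservercert", "-----END CERTIFICATE-----",
    "",                                # blank line haproxy rejects
    "----BEGIN RSA PRIVATE KEY-----",  # one dash short: malformed header, and key not first
    "placeholderkeybody", "-----END RSA PRIVATE KEY-----"]) + "\n"
```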
A new section in haproxy.cfg is needed to listen on port 443:
```
bind *:443 ssl crt /etc/ssl/server1.pem crt /etc/ssl/server2.pem
reqadd X-Forwarded-Proto:\ https
```
For CentOS 5 users, SNI requires you to build haproxy from source, statically linked against a newer version of OpenSSL. The README tells you how to do that. Use the latest version of OpenSSL to avoid errors about missing function names.
```shell
# Prefix for the static OpenSSL build; the path is an assumed example, pick your own.
STATICLIBSSL=/opt/staticlibssl

# In the OpenSSL source tree: build a static (no-shared) library.
./config --prefix=$STATICLIBSSL no-shared
make && make test && make install

# In the haproxy source tree: link against that OpenSSL (-ldl is needed for static OpenSSL).
make TARGET=linux26 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl
make install   # install the new binary before restarting (step not shown in the original)

service haproxy stop
service haproxy start
```
For those upgrading from previous versions of haproxy, old .cfg files should still work, but warnings are emitted for timeout settings, as they have been renamed in 1.5:
```
service haproxy start
| While not properly invalid, you will certainly encounter various problems
| with such a configuration. To fix this, please ensure that all following
| timeouts are set to a non-zero value: 'client', 'connect', 'server'.
```
1.5 has only been GA since June 2014, so ensure you test it adequately for your requirements and keep an eye on the changelog.
Related links:
- SO: Configure multiple SSL certificates in Haproxy
- HAProxy and SNI-based SSL offloading with intermediate CA
- blog.haproxy.com: Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension
- blog.haproxy.com: How to get SSL with HAProxy getting rid of stunnel, stud, nginx or pound
- sslmate.com: Buy SSL certs from the command line
- How exactly does AES-NI work?