
How to Implement SSL Passthrough in HAProxy

Balancing the load directed to your web servers is one way of avoiding downtime. A reliable way of balancing the load is to use a load balancer, and HAProxy is an ideal option. With it, you can configure how you want the load balanced while implementing SSL passthrough so that the traffic between the client and the servers stays encrypted.

This post begins by discussing why implementing SSL passthrough in HAProxy is useful. We then walk through the steps to implement it, with an example configuration for easy understanding.

What Is SSL Passthrough and Why Is It Essential?

As a load balancer, HAProxy takes the load directed to your web service and distributes it across the configured servers. The load being distributed is the traffic exchanged between the client devices and the backend servers. Security is essential when load balancing, and that's where SSL passthrough comes into play.

SSL passthrough means forwarding the SSL/TLS traffic through the load balancer to the configured backend servers without terminating the SSL/TLS connection at HAProxy or any other load balancer you are using. With SSL passthrough, you get end-to-end encryption between the client and the backend server, and the client's original IP address will be preserved. Moreover, it's a recommended security measure, it gives you more flexibility on the backend servers, and it reduces the processing load on HAProxy, since HAProxy does not have to decrypt and re-encrypt the traffic.

Step-by-Step Guide on How to Implement the SSL Passthrough in HAProxy

Having understood what SSL passthrough means and why you need it, the next task is to implement it in your HAProxy load balancer. Follow the steps below.

Step 1: Install HAProxy

If you don't have HAProxy installed yet, install it before configuring SSL passthrough. Start by updating your package index:

$ sudo apt update

Next, install HAProxy from the default repository with the following command. Note that we are using Ubuntu in this case:

$ sudo apt install haproxy

Once you have HAProxy installed, you are ready to implement SSL passthrough.

Step 2: Implement the SSL Passthrough in HAProxy

For this step, we must open the HAProxy configuration file located in “/etc/haproxy” and edit it to specify how we want to implement SSL passthrough. You can open the config file with any text editor. We used nano for this demonstration.

$ sudo nano /etc/haproxy/haproxy.cfg

Once you have the config file open, there are two sections that you must create: the “frontend” and the “backend”. The “frontend” is where you specify which port to bind for incoming connections, which mode (protocol layer) HAProxy should operate in, and which backend to send the traffic to.

In this case, since we want to pass encrypted traffic through, we bind port 443, the HTTPS port. We also set the mode to TCP so that HAProxy operates at the transport layer and forwards the encrypted bytes without inspecting or decrypting the HTTP inside them.

We also add the “tcp-request” rules: one sets how long HAProxy waits to inspect the first bytes of the connection, and the other accepts the connection once an SSL/TLS client “hello” message has been seen, which verifies that we are accepting SSL traffic. Lastly, we specify the backend to use for load distribution. Our final “frontend” section is as follows:

For the “backend” section, we also set the mode to TCP. We then list the servers that we use for load balancing. Ensure that you replace these IPs with those of your live servers and set the connection port to 443, since the backend servers terminate the SSL/TLS connection themselves.

The “option tcplog” directive enables TCP-level connection logging to the log destination defined in the “global” section of the config file.

Step 3: Restart HAProxy and Test the Configuration

Once you have edited the HAProxy config file, save it and exit. Restart the HAProxy service for the changes to apply.

That's it! We have implemented SSL passthrough in HAProxy. Try sending traffic to your web service using a command like curl and see how it responds. If SSL passthrough is implemented successfully, the output will show that the connection is made via port 443 and that you are connected to the backend server. Your server will respond with the requested content and a 200 status code.
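To tie Steps 2 and 3 together, here is a complete haproxy.cfg that I have written for this walkthrough; it is an added example, not the configuration from the original post or from the HAProxy project. The server addresses (192.0.2.x, from the reserved documentation range), the backend names and the hostname www.example.com are placeholders. It goes slightly beyond the text in two places: it rejects connections that never send a TLS client hello within the inspection delay (HAProxy would otherwise accept them by default when the delay expires), and it shows how the SNI name in the client hello can select a backend without decrypting anything.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend: accept TLS on 443 and forward the encrypted bytes unchanged.
frontend https_passthrough
    bind *:443
    mode tcp
    option tcplog
    # Wait up to 5 seconds for enough bytes to inspect the start of the stream.
    tcp-request inspect-delay 5s
    # Accept as soon as a TLS client hello (handshake type 1) is seen.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that still has not sent a client hello when the delay expires
    # is not TLS and is dropped (without this line HAProxy would accept it).
    tcp-request content reject
    # Optional: route by the SNI hostname carried in the client hello.
    # "www.example.com" and "app_servers" are placeholders for this example.
    use_backend app_servers if { req.ssl_sni -i www.example.com }
    default_backend web_servers

backend web_servers
    mode tcp
    balance roundrobin
    # Placeholder addresses: replace with your own servers, which must
    # present their own certificates on port 443. "check" adds a TCP health check.
    server web1 192.0.2.11:443 check
    server web2 192.0.2.12:443 check

backend app_servers
    mode tcp
    balance roundrobin
    server app1 192.0.2.21:443 check
```

Validate the file with `sudo haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting with `sudo systemctl restart haproxy`. To test, run `curl -v https://<haproxy-address>/` (with `-k` if the backend certificate does not match the name you use); the certificate shown in the verbose TLS handshake output is the backend server's own, which is the sign that HAProxy is passing the connection through rather than terminating it. Two caveats for this mode: because HAProxy cannot read the HTTP inside the TLS stream it cannot add headers such as X-Forwarded-For, and the backend servers see the TCP connection arriving from HAProxy's address, so if they need the client address, add `send-proxy` to the server lines and enable PROXY protocol support on the backend servers, or read the client address from HAProxy's own tcplog entries.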

Conclusion

Implementing SSL passthrough gives you end-to-end encryption and ensures that the SSL/TLS connection is maintained while the load balancing occurs. To implement SSL passthrough in HAProxy, install HAProxy and edit the configuration file to specify how you want the load balancing to occur. Refer to the presented example to understand the process better.

About the author

Denis Kariuki

Denis is a Computer Scientist with a passion for Networking and Cyber Security. I love the terminal, and using Linux is a hobby. I am passionate about sharing tips and ideas about Linux and computing.