HAProxy ALOHA Documentation 11.5

Encryption Strategies

HAProxy ALOHA supports three ways of securing traffic with TLS certificates.

  • TLS offloading

  • TLS passthrough

  • TLS bridging (re-encryption)

TLS offloading

With TLS offloading, HAProxy ALOHA encrypts messages between itself and the client, and then relays messages in the clear to backend servers over your internal network. This lets you store SSL/TLS certificates and keys on the HAProxy ALOHA only, rather than on multiple backend servers, which promotes better security and less processing on the servers.

You can use mode tcp or mode http.

  1. On the LB Layer7 tab, add a bind line that listens on port 443 to the frontend or listen section for which you want to enable TLS.

    • Set the ssl argument.

    • Set the crt argument to the name of a certificate that you have defined on the SSL tab.

  2. If you are using mode http, then you can add an http-request redirect line that automatically redirects HTTP traffic to HTTPS.

In this example, the frontend listens on port 80 for HTTP traffic and on port 443 for HTTPS traffic. It uses the certificate named myapp. The http-request redirect line redirects HTTP traffic to HTTPS automatically.

frontend ft_myapp
  mode http
  bind :80
  bind :443 ssl crt myapp

  # Redirect HTTP to HTTPS (works with 'mode http' only)
  http-request redirect scheme https code 301 unless { ssl_fc }

  default_backend bk_myapp

backend bk_myapp
  mode http
  server s1 10.0.0.11:80 check
  server s2 10.0.0.12:80 check

TLS passthrough

With TLS passthrough, HAProxy ALOHA does not manage TLS at all, but instead relays TLS-encrypted traffic through to backend servers. The servers are responsible for handling TLS encryption and decryption.

HAProxy ALOHA opens a TCP tunnel between the client and the server to let them negotiate and handle the TLS traffic.

You can use mode tcp.

  • On the LB Layer7 tab, add a bind line that listens on port 443 to the frontend or listen section for which you want to enable TLS.

    The frontend listens on port 443 for HTTPS traffic, but does not decrypt the TLS traffic. The backend servers handle the encryption and decryption. Because the frontend uses mode tcp, it cannot redirect HTTP to HTTPS.

    frontend ft_myapp
      mode tcp
      bind :443
      default_backend bk_myapp
    
    backend bk_myapp
      mode tcp
      server s1 10.0.0.11:443 check
      server s2 10.0.0.12:443 check

TLS bridging (re-encryption)

With TLS bridging, HAProxy ALOHA encrypts messages between itself and the client, and also encrypts messages relayed to backend servers. TLS certificates must be stored on both the HAProxy ALOHA and the servers.

You can use mode tcp or mode http.

  1. On the LB Layer7 tab, add a bind line that listens on port 443 to the frontend or listen section for which you want to enable TLS.

    • Set the ssl argument.

    • Set the crt argument to the name of a certificate that you have defined on the SSL tab.

  2. If you are using mode http, then you can add an http-request redirect line that automatically redirects HTTP traffic to HTTPS.

  3. Set the ssl argument on the server lines in the backend, which indicates that HAProxy ALOHA connects to the servers over HTTPS.

The following configuration uses TLS bridging to encrypt messages end-to-end.

frontend ft_myapp
  mode http
  bind :80
  bind :443 ssl crt myapp

  # Redirect HTTP to HTTPS (works with 'mode http' only)
  http-request redirect scheme https code 301 unless { ssl_fc }

  default_backend bk_myapp

backend bk_myapp
  mode http
  server s1 10.0.0.11:443 ssl check
  server s2 10.0.0.12:443 ssl check
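
In configuration terms, the three strategies differ in where the ssl argument appears: on the bind line only (offloading), on neither side in mode tcp (passthrough), or on both the bind and server lines (bridging). The following Python audit script is an added example, not part of the HAProxy ALOHA documentation; it reports which strategy each frontend uses so that a cleartext backend hop is easy to spot. The function names, the sample section names, and the limitation to frontends with an explicit default_backend are assumptions, and the passthrough verdict is a heuristic because the configuration alone cannot prove that the relayed bytes are TLS.

```python
# Constructed sample based on the three configurations on this page (section names assumed).
SAMPLE = """
frontend ft_offload
  bind :80
  bind :443 ssl crt myapp
  default_backend bk_clear
backend bk_clear
  server s1 10.0.0.11:80 check
frontend ft_pass
  mode tcp
  bind :443
  default_backend bk_pass
backend bk_pass
  server s1 10.0.0.11:443 check
frontend ft_bridge
  bind :443 ssl crt myapp
  default_backend bk_tls
backend bk_tls
  server s1 10.0.0.11:443 ssl check
"""
KINDS = ("global", "defaults", "frontend", "backend", "listen")

def sections(cfg):
    """Group tokenized directive lines under (kind, name) section keys."""
    out, cur = {}, None
    for raw in cfg.splitlines():
        w = raw.split("#", 1)[0].split()
        if w and w[0] in KINDS:
            cur = out.setdefault((w[0], w[1] if len(w) > 1 else ""), [])
        elif w and cur is not None:
            cur.append(w)
    return out

def classify(cfg):
    """Map each frontend name to offloading, bridging, passthrough, mixed or unknown."""
    secs, result = sections(cfg), {}
    for name, lines in [(n, l) for (k, n), l in secs.items() if k == "frontend"]:
        mode = next((l[1] for l in lines if l[0] == "mode"), "tcp")  # HAProxy default
        client_tls = any(l[0] == "bind" and "ssl" in l[2:] for l in lines)
        target = next((l[1] for l in lines if l[0] == "default_backend"), None)
        server_tls = ["ssl" in l[3:] for l in secs.get(("backend", target), []) if l[0] == "server"]
        if not server_tls:
            verdict = "unknown"  # no server lines to inspect
        elif client_tls:
            verdict = "bridging" if all(server_tls) else "mixed" if any(server_tls) else "offloading"
        else:
            verdict = "passthrough" if mode == "tcp" and not any(server_tls) else "mixed"
        result[name] = verdict
    return result
```

A verdict of mixed means a TLS-terminating frontend has some server lines with ssl and some without, so part of the backend traffic is sent in the clear.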
