SSL/TLS Termination with HAProxy

February 13, 2026 | HAProxy SSL Security

SSL config with Let's Encrypt automation.

SSL termination at the load balancer offloads encryption from backend servers, simplifies certificate management, and enables HTTP-level inspection for routing and security rules.

Certificate Setup with Let's Encrypt

# Install certbot
sudo apt install certbot

# Generate certificate (standalone mode: certbot itself listens on port 80 for the
# HTTP-01 challenge, so HAProxy must be stopped briefly if it is already bound there)
sudo certbot certonly --standalone -d example.com -d www.example.com

# Combine cert and key for HAProxy (HAProxy needs them in a single PEM file).
# The redirection must run as root too ("sudo cat ... > file" redirects as the calling
# user and fails on a root-owned directory), and the file holds the private key, so
# keep it readable by root only.
sudo mkdir -p /etc/haproxy/certs
sudo sh -c 'cat /etc/letsencrypt/live/example.com/fullchain.pem \
                /etc/letsencrypt/live/example.com/privkey.pem \
                > /etc/haproxy/certs/example.com.pem'
sudo chmod 600 /etc/haproxy/certs/example.com.pem

HAProxy SSL Frontend

frontend https_front
    # Plain HTTP must be accepted here as well, otherwise the redirect below never fires
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1

    # Force HTTPS (ssl_fc is true only for requests that arrived on the TLS listener)
    http-request redirect scheme https unless { ssl_fc }

    # HSTS header (browsers ignore it over plain HTTP, so send it on TLS responses only)
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }

    # Forward SSL info to backends (set-header overwrites any client-supplied value)
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-SSL-Client-Verify %[ssl_fc_has_crt]

    default_backend web_servers

Auto-Renewal with Certbot

# /etc/cron.d/certbot-haproxy
# Standalone renewal needs port 80, so HAProxy is stopped for the seconds the challenge
# takes. certbot runs the pre/post hooks only when a certificate is actually due, and the
# deploy hook only for certificates it renewed; HAProxy is started again with the new PEM.
0 3 * * * root certbot renew --pre-hook "systemctl stop haproxy" --deploy-hook "cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/certs/example.com.pem && chmod 600 /etc/haproxy/certs/example.com.pem" --post-hook "systemctl start haproxy"
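The cron entry above concatenates the two files blindly. A deploy hook that verifies what it installs before HAProxy ever loads it is shown here as an added example; it is not code from the original post. It assumes (as certbot documents) that deploy hooks receive the renewed lineage directory in RENEWED_LINEAGE, that the HAProxy configuration lives at /etc/haproxy/haproxy.cfg, and that openssl is on PATH; the HAPROXY_CERT_DIR and HAPROXY_CFG variables are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook for HAProxy.
# It assembles the combined PEM in a private temp file, checks that the certificate
# and private key belong together and that the certificate is not expiring, moves
# the file into place atomically, and reloads HAProxy only if its config check passes.
#
# Assumptions (not on the page): certbot sets RENEWED_LINEAGE for deploy hooks,
# haproxy.cfg is at /etc/haproxy/haproxy.cfg, openssl is installed.
# Install as /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh or pass via --deploy-hook.

CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# pem_key_matches_cert FILE
# Succeeds when the public key inside the first certificate of FILE equals the
# public key derived from the private key in FILE (openssl skips PEM blocks of
# other types, so a combined fullchain+privkey file is fine).
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days FILE DAYS
# Succeeds when the certificate will still be valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# build_haproxy_pem LINEAGE_DIR OUT_FILE
# Writes fullchain + privkey to a 0600 temp file beside OUT_FILE, validates it,
# and renames it into place so HAProxy can never read a half-written PEM.
build_haproxy_pem() {
    lineage=$1; out=$2
    tmp=$(mktemp "$(dirname "$out")/.tmp.XXXXXX") || return 1
    if ! cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp"
    if ! pem_key_matches_cert "$tmp" || ! cert_valid_for_days "$tmp" 1; then
        echo "refusing to install $out: key/cert mismatch or certificate expiring" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}

# reload_if_config_ok CFG
# Runs HAProxy's configuration check first so a broken PEM cannot take the proxy down.
reload_if_config_ok() {
    command -v haproxy >/dev/null 2>&1 || return 1
    haproxy -c -q -f "$1" && systemctl reload haproxy
}

# Entry point when certbot invokes the hook; does nothing when RENEWED_LINEAGE is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    domain=$(basename "$RENEWED_LINEAGE")
    build_haproxy_pem "$RENEWED_LINEAGE" "$CERT_DIR/$domain.pem" && reload_if_config_ok "$HAPROXY_CFG"
fi
```

Because the hook derives the output name from the lineage directory, one script serves every domain certbot manages on the host, and the temp-file-plus-rename step means a reload that runs concurrently with a renewal still sees a complete file.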

SSL Security Best Practices

  • Disable TLS 1.0/1.1: ssl-default-bind-options ssl-min-ver TLSv1.2
  • Use strong cipher suites (ECDHE + AES-GCM)
  • Enable OCSP stapling for faster certificate validation
  • Test with SSL Labs: aim for A+ rating

Eazy SaaS Tip: Use the crt /etc/haproxy/certs/ directory syntax (with trailing slash) to automatically load all certificates in the directory. HAProxy matches the right cert based on SNI — perfect for multi-domain setups.