9

I'm working to configure HAProxy such that it will terminate the SSL so there's only one place to configure the purchased SSL cert. However, I'd prefer that the connection to the backend servers also be encrypted with SSL.

One suggestion I found is to create self-signed certs on the backend servers and then on each server line, set "verify none". ... So the connection from the browser to HAProxy would be using the official purchased SSL cert, but the connection to HAProxy to the backend servers would be using self-signed certs. The benefit of self-signed certs is that they are free, they don't require updates and maintenance (I can set the expiration far in the future and avoid having to install new ones each year). However, understandably, this opens the backends up for MITM attacks and isn't recommended by some sources that I've read.

Can I configure HAProxy so that I can use self-signed certs on the backend servers, but perhaps somehow whitelist the self-signed certificate on the HAProxy server? ... so the HAProxy to backend connection would be encrypted, it would not be vulnerable to MITM attacks, and HAProxy would know to trust the self-signed certificate from the backend servers.

Is what I'm describing possible? I'm new to HAProxy SSL termination, so any advice is appreciated.

The relevant parts of my configuration are as follows: 

frontend www-in
    bind *:80
    bind *:443 ssl crt /etc/ssl-keys/my-public-ssl-key.pem no-sslv3

    mode http
    default_backend https-backend
    # force redirect to https
    redirect scheme https if !{ ssl_fc }

backend https-backend
    balance leastconn
    server web1 1.1.1.1:443 check ssl verify none
    server web2 2.2.2.2:443 check ssl verify none

    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
Joe J
  • 233
  • 1
  • 2
  • 6
  • 2
    I'll have to look this up, but in the back of my mind, I *think* you can lock down a back-end SSL connection to a single self-signed server cert by simply using the server's certificate on the proxy as the `ca-file` on the `server` config line. MITM would require the would-be attacker to have the matching private key (which would only be on the server, not the proxy), since no other cert would be accepted. I'll try to verify that. – Michael - sqlbot Nov 13 '15 at 01:36

1 Answers1

7

The question is not really linked to HAProxy, but to managing certs and certificate authorities in general.

Not sure which OS you're using, because you didn't state this, but if it's some Linux flavor (albeit the following applies to Debian and derivatives):

  • Make sure you've the package ca-certificates installed.

  • You're creating your certs using your own certificate authority (ca).

  • Take the your ca root cert of this ca and put it inside /usr/local/share/ca-certificates/name-of-your-ca/. (You might have to create the folder name-of-your-ca by yourself.) Ensure the your ca root cert has a .crt extension.

    (By default, /usr/local/share/ca-certificates/ is owned by root:staff, so use sudo or root to do this.)

  • Execute update-ca-certificates (via sudo / as root).

  • After execution, there should be a file /etc/ssl/cert/your-ca-root.pem symlinked to /usr/local/share/ca-certificates/name-of-your-ca/your-ca-root.crt.

  • Enable verification in HAProxy and profit.

Community
  • 1
gxx
  • 5,591
  • 2
  • 22
  • 42