====== SSL ======
Note: SSL is officially supported from version 1.5 onward (requires installing from source).
===== Enabling SSL =====
Edit the spec file before building so that USE_OPENSSL=1 is passed on the %{__make} line (back up the original first):
# cp -r ./haproxy-1.6.5/examples/haproxy.spec ./haproxy-1.6.5/examples/haproxy.spec.org
# vi ./haproxy-1.6.5/examples/haproxy.spec
36c36
< %{__make} USE_PCRE=1 DEBUG="" ARCH=%{_target_cpu} TARGET=linux26 USE_OPENSSL=1
---
> %{__make} USE_PCRE=1 DEBUG="" ARCH=%{_target_cpu} TARGET=linux26
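Review bot: the direction of this diff is the opposite of what a reader expects: the "<" line carries USE_OPENSSL=1, so it comes from the edited haproxy.spec, and the ">" line comes from the haproxy.spec.org backup made on the cp line above; the change to make is to append USE_OPENSSL=1 to the %{__make} line, not to remove it. Showing the diff command that produced this output, or swapping its arguments so the added option appears on the ">" side, would remove the ambiguity.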
===== Verification =====
After installing, confirm from haproxy's verbose version output that it was built with OpenSSL: OPTIONS must include USE_OPENSSL=1 and the "Built with OpenSSL version" line must be present. "Built with" is the version haproxy was compiled against and "Running on" is the shared library actually loaded; they differ after an OpenSSL update without a haproxy rebuild, and the running version is the one that decides which protocols and ciphers are really available.
# haproxy -vv
HA-Proxy version 1.6.5 2016/05/10
Copyright 2000-2016 Willy Tarreau
Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
OPTIONS = USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
===== Configuration example =====
frontend sub
bind :443 ssl crt /etc/haproxy/ssl/cert.pem
/etc/haproxy/ssl/cert.pem
Concatenate the server certificate, any intermediate certificates, any cross-root certificate and the private key into this single file, in the order below: server certificate first, each following certificate the issuer of the one before it, private key last. Because the file contains the private key it should be owned by root with mode 0600; haproxy reads it at startup, before it chroots and drops privileges, so the restrictive mode does not get in the way.
-----BEGIN CERTIFICATE-----
server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cross-root certificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
private key
-----END RSA PRIVATE KEY-----
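The following shell helper is an added example and is not part of HAProxy or of this page. It builds the bundle described above from the separate files in the required order, refusing to write anything if the private key does not belong to the server certificate or if a chain certificate is not the issuer of the one before it, and it creates the file with mode 0600. It assumes the openssl command-line tool is installed; the function names (build_haproxy_bundle, check_haproxy_bundle and the helpers) are hypothetical.

```shell
#!/bin/sh
# Added example helper for HAProxy PEM bundles (not HAProxy's own code).
# Assumes the openssl CLI is available; all function names are hypothetical.

# pem_block_count FILE TYPE_REGEX
# Count PEM blocks in FILE whose header type matches TYPE_REGEX (an ERE).
pem_block_count() {
    grep -c -E -- "^-----BEGIN ($2)-----" "$1" || true
}

# cert_subject FILE / cert_issuer FILE
# Print the DN of the first certificate in FILE without the "subject=" /
# "issuer=" prefix, so the two are comparable regardless of how the local
# OpenSSL version formats that prefix.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=[ ]*//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*=[ ]*//'; }

# key_matches_cert KEY CERT
# Succeed only if the public key inside CERT is the public half of KEY.
# HAProxy refuses to load a bundle whose key and certificate do not match,
# so this is the check to run before copying a renewed certificate into place.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# build_haproxy_bundle OUT KEY LEAF [CHAIN_CERT...]
# Write OUT in the order HAProxy expects: server certificate, then each chain
# certificate (each must be the issuer of the one before it), then the private
# key. The file is created with mode 0600 because it holds the key, and nothing
# is written at all if any check fails.
build_haproxy_bundle() {
    out=$1 key=$2 leaf=$3
    shift 3
    key_matches_cert "$key" "$leaf" \
        || { echo "$key does not match $leaf" >&2; return 1; }
    prev=$leaf
    for c in "$@"; do
        [ "$(cert_issuer "$prev")" = "$(cert_subject "$c")" ] \
            || { echo "$c did not issue $prev: chain order is wrong" >&2; return 1; }
        prev=$c
    done
    # umask in a subshell so the caller's umask is untouched; mv keeps 0600.
    ( umask 077 && cat "$leaf" "$@" "$key" > "$out.tmp" ) && mv "$out.tmp" "$out"
}

# check_haproxy_bundle FILE
# Sanity-check an existing bundle: at least one certificate, exactly one
# private key, and the key belongs to the first certificate in the file.
check_haproxy_bundle() {
    [ "$(pem_block_count "$1" 'CERTIFICATE')" -ge 1 ] || return 1
    [ "$(pem_block_count "$1" '(RSA |EC |)PRIVATE KEY')" -eq 1 ] || return 1
    # openssl x509 reads the first certificate in the file; openssl pkey
    # finds the private key wherever it sits in the same bundle.
    key_matches_cert "$1" "$1"
}
```

Typical use is build_haproxy_bundle /etc/haproxy/ssl/cert.pem server.key server.crt intermediate.crt cross-root.crt, followed by check_haproxy_bundle /etc/haproxy/ssl/cert.pem (which also works on a bundle already in place) before reloading haproxy. haproxy itself refuses to start on a key/certificate mismatch, but running the check first catches the problem without a failed reload.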
===== Ciphers and other options =====
frontend sub
bind :443 ssl crt /etc/haproxy/ssl/cert.pem no-sslv3 ciphers EECDH+AESGCM:EECDH+AES:EDH+AES:!DSS
reqadd X-Forwarded-Proto:\ https
no-sslv3 disables SSLv3 on this bind line and ciphers restricts the offered suites to ECDHE/DHE key exchange with AES, so every suite provides forward secrecy and DSS authentication is excluded. To apply the same policy to every bind line, set ssl-default-bind-options and ssl-default-bind-ciphers in the global section instead of repeating them per frontend. reqadd tells the backends that the client arrived over HTTPS; it still works in 1.6 but was removed in HAProxy 2.1, where http-request set-header X-Forwarded-Proto https (also available in 1.6) is the replacement. Note that reqadd appends a header even when the client already sent one, so a backend that trusts X-Forwarded-Proto should only see it from frontends that set it, and the plain-HTTP frontend should delete or overwrite any client-supplied copy.
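As an added example (not from the page or from HAProxy), the helper below expands a bind-line cipher string with the OpenSSL installed on the host, so you can see the exact suites the string above selects, and flags any suite with no authentication, NULL, RC4, 3DES or export-grade encryption, or an MD5 MAC. It assumes the openssl command-line tool; the function names are hypothetical. With the HAProxy 1.6 / OpenSSL 1.0.1e pair shown above there are no TLS 1.3 suites in the output; on OpenSSL 1.1.1 or later the rows marked TLSv1.3 are controlled by the separate ciphersuites keyword in newer HAProxy releases, not by ciphers.

```shell
#!/bin/sh
# Added example helper (not HAProxy's own code) for reviewing a cipher string.
# Assumes the openssl CLI is installed; function names are hypothetical.

# expand_ciphers STRING
# Print one line per suite the string selects on the local OpenSSL, in the
# form "NAME PROTOCOL Kx=... Au=... Enc=... Mac=...". A string OpenSSL
# cannot parse yields an error and a non-zero exit status.
expand_ciphers() {
    openssl ciphers -v "$1"
}

# weak_ciphers STRING
# Print the selected suites that should never be offered: anonymous key
# exchange (Au=None), no encryption (Enc=None), RC4, 3DES, export-grade
# ciphers, or MD5 as the MAC. Exit status 0 when any were found, 1 when the
# string is clean, so the function can be used directly in a condition.
weak_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null \
        | grep -E 'Au=None|Enc=None|Enc=RC4|Enc=3DES|Mac=MD5|export'
}

# cipher_string_ok STRING
# Succeed only if the string parses and selects no weak suite.
cipher_string_ok() {
    expand_ciphers "$1" >/dev/null 2>&1 || return 1
    ! weak_ciphers "$1" >/dev/null
}
```

Run cipher_string_ok 'EECDH+AESGCM:EECDH+AES:EDH+AES:!DSS' on the HAProxy host itself, since the expansion depends on the OpenSSL that haproxy reports under "Running on OpenSSL version", and repeat it after OpenSSL upgrades or when moving the configuration to a host with a different library.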