※ SSL is officially supported from version 1.5 onward (requires installing from source).
At build time, edit the spec file to set the build option.
```
# cp -r ./haproxy-1.6.5/examples/haproxy.spec ./haproxy-1.6.5/examples/haproxy.spec.org
# vi ./haproxy-1.6.5/examples/haproxy.spec
36c36
< %{__make} USE_PCRE=1 DEBUG="" ARCH=%{_target_cpu} TARGET=linux26 USE_OPENSSL=1
---
> %{__make} USE_PCRE=1 DEBUG="" ARCH=%{_target_cpu} TARGET=linux26
```
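Review bot: the `36c36` hunk runs in the opposite direction from the instruction above it. The `<` side, which carries `USE_OPENSSL=1`, is the edited spec and the `>` side is the untouched `.org` backup, so a reader has to apply it backwards. Produce it as `diff haproxy.spec.org haproxy.spec` so the added option lands on the `>` side, and `cp -r` can simply be `cp`, since the spec is a single file.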
After installation, confirm from haproxy's verbose version output that OpenSSL support is enabled.
```
# haproxy -vv
HA-Proxy version 1.6.5 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
```
```
frontend sub
    bind :443 ssl crt /etc/haproxy/ssl/cert.pem
```
/etc/haproxy/ssl/cert.pem
Bundle the server certificate together with the intermediate and cross-root certificates into a single file, laid out as follows.
```
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(cross-root certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(private key)
-----END RSA PRIVATE KEY-----
```
```
frontend sub
    bind :443 ssl crt /etc/haproxy/ssl/cert.pem no-sslv3 ciphers EECDH+AESGCM:EECDH+AES:EDH+AES:!DSS
    reqadd X-Forwarded-Proto:\ https
```
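A bundle that is concatenated in the wrong order, or that is missing its key, only shows up as an SSL handshake failure once `bind ... ssl crt` loads it. The following is an added example (not from the original page, and not HAProxy's own code) that parses the PEM bundle as plain text and checks it has the layout shown above: server certificate first, chain certificates next, exactly one private key last. It validates BEGIN/END pairs only; it does not verify signatures. The sample bundles are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: BEGIN label, body, END label. DOTALL lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z ]+)-----", re.DOTALL)


def pem_labels(text):
    """Return the BEGIN label of every PEM block in file order; raise on a bad block."""
    labels = []
    for m in PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        if not body.strip():
            raise ValueError(f"empty {begin} block")
        labels.append(begin)
    return labels


def check_bundle(text):
    """Return a list of layout problems (an empty list means the bundle looks right)."""
    try:
        labels = pem_labels(text)
    except ValueError as err:
        return [str(err)]
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    # Accepts "RSA PRIVATE KEY", "EC PRIVATE KEY" and PKCS#8 "PRIVATE KEY" alike.
    keys = [lb for lb in labels if lb.endswith("PRIVATE KEY")]
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("private key must be the last block")
    unknown = sorted(set(labels) - {"CERTIFICATE"} - set(keys))
    if unknown:
        problems.append(f"unexpected block types: {unknown}")
    return problems


def pem_block(label, body="MIIB...placeholder"):
    """Constructed placeholder block for testing (not a real certificate or key)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed bundles: one in the layout above (leaf, intermediate, cross-root, key),
# one with the key pasted first by mistake.
GOOD_BUNDLE = "".join(pem_block(lb) for lb in ("CERTIFICATE",) * 3 + ("RSA PRIVATE KEY",))
KEY_FIRST = pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE")
```

Run `check_bundle(open("/etc/haproxy/ssl/cert.pem").read())` before reloading HAProxy; since the file also carries the private key, keep it readable only by the user HAProxy runs as.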