
SSL

Note: SSL has been officially supported since version 1.5 (requires installing from source).

Enabling SSL

Edit the spec file before building so that the OpenSSL build option is set.

# cp -r ./haproxy-1.6.5/examples/haproxy.spec ./haproxy-1.6.5/examples/haproxy.spec.org
# vi ./haproxy-1.6.5/examples/haproxy.spec
36c36
< %{__make} USE_PCRE=1 DEBUG="" ARCH=%{_target_cpu} TARGET=linux26 USE_OPENSSL=1
---
> %{__make} USE_PCRE=1 DEBUG="" ARCH=%{_target_cpu} TARGET=linux26
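Review bot: the command that produced this diff is not shown, so the direction of the `<` and `>` sides is ambiguous; given the preceding `cp` to haproxy.spec.org, the `<` line (with USE_OPENSSL=1) is the edited spec and the `>` line is the backup, which is the reverse of what readers usually expect. Show the command (e.g. `diff ./haproxy-1.6.5/examples/haproxy.spec ./haproxy-1.6.5/examples/haproxy.spec.org`), or run it as `diff haproxy.spec.org haproxy.spec` so the added flag appears on the `>` side. Also, `cp -r` is unnecessary for a single file; plain `cp` does the same.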

Verification

After installation, check haproxy's detailed version output to confirm that OpenSSL is enabled.

# haproxy -vv
HA-Proxy version 1.6.5 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux26
  CPU     = generic
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without compression support (neither USE_ZLIB nor USE_SLZ are set)
Compression algorithms supported : identity("identity")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
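The check above can be automated for a build pipeline or a post-install smoke test. The shell function below is an added example and not part of the original page: it reads `haproxy -vv` output from stdin, requires `USE_OPENSSL=1` in the build options and a "Built with OpenSSL version" line, and warns when the runtime OpenSSL library differs from the one linked at build time or when SNI is not supported. The function name and the message texts are my own choices.

```shell
#!/bin/sh
# Added example, not from the original page: confirm from `haproxy -vv` output
# that the binary was built with OpenSSL before relying on `bind ... ssl`.
# Reads the -vv text from stdin; exit status 0 means OpenSSL support is present.
check_openssl_support() {
    out=$(cat)

    # Build option set at compile time (the USE_OPENSSL=1 added to the spec file).
    printf '%s\n' "$out" | grep -q '^ *OPTIONS *=.*USE_OPENSSL=1' \
        || { echo "USE_OPENSSL=1 missing from build options" >&2; return 1; }

    # HAProxy reports two OpenSSL versions: the one linked at build time and the
    # one loaded at run time. A mismatch is worth knowing about after an OpenSSL
    # package update, since the running library is the one that matters.
    built=$(printf '%s\n' "$out" | sed -n 's/^Built with OpenSSL version : //p')
    running=$(printf '%s\n' "$out" | sed -n 's/^Running on OpenSSL version : //p')
    [ -n "$built" ] || { echo "no OpenSSL version line; built without SSL" >&2; return 1; }
    [ "$built" = "$running" ] \
        || echo "warning: built with '$built' but running on '$running'" >&2

    # SNI is needed when several certificates are served from one bind line.
    printf '%s\n' "$out" | grep -q '^OpenSSL library supports SNI : yes' \
        || echo "warning: OpenSSL library does not support SNI" >&2
    return 0
}

# Usage on a live host:
#   haproxy -vv | check_openssl_support && echo "OpenSSL enabled"
```

The function only reports; it does not stop haproxy. Wire it into whatever runs after the RPM install so a build that silently lost the option fails early rather than at the first `bind ... ssl` line.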

Configuration example

frontend  sub
    bind :443 ssl crt /etc/haproxy/ssl/cert.pem

/etc/haproxy/ssl/cert.pem
Combine the certificate, including any intermediate and cross-root certificates, together with the private key into one file in the order shown below.

-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(cross-root certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(private key)
-----END RSA PRIVATE KEY-----
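The order in that file is not cosmetic: HAProxy uses the first certificate as the server certificate, sends the following ones as the chain, and reads the key from the same file, which also means the file must not be readable by other users. The script below is an added example, not code from the original page or the HAProxy project. It assembles the bundle from separate PEM files in the right order, creates it without group/other permissions, and checks the layout (first block is a certificate, BEGIN/END lines balanced, exactly one private key) before a reload. The function names are mine, the output path follows the page, the demo uses constructed placeholder PEM bodies rather than real key material, and the permission check assumes GNU `stat -c` (it is skipped silently where that is unavailable).

```shell
#!/bin/sh
# Added example, not from the original page: assemble the single PEM file that
# HAProxy's `crt` option expects and sanity-check its layout before a reload.
# Assumptions: the parts exist as separate PEM files; the output path follows
# the page (/etc/haproxy/ssl/cert.pem); `stat -c` is GNU coreutils.

# build_pem_bundle SERVER_CERT PRIVATE_KEY OUTPUT [CHAIN_CERT...]
# HAProxy takes the first certificate as the server certificate, the following
# ones as the chain sent to clients, and the private key from the same file.
build_pem_bundle() {
    cert=$1; key=$2; out=$3; shift 3
    # The bundle contains the private key: create it without group/other bits.
    ( umask 077; cat "$cert" "$@" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

# check_pem_bundle FILE
# Returns 0 when the layout is what HAProxy expects, 1 otherwise.
check_pem_bundle() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }

    first=$(sed -n '/^-----BEGIN /{p;q;}' "$f")
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    keys=$(grep -c -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$f" || true)

    [ "$begins" -eq "$ends" ] || { echo "$f: unbalanced BEGIN/END lines" >&2; return 1; }
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] \
        || { echo "$f: first block must be the server certificate" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "$f: expected exactly one private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 2 ] \
        || echo "$f: warning: no intermediate certificate; clients may fail to build the chain" >&2

    # Key material inside: warn if group or other can read the file.
    if mode=$(stat -c '%a' "$f" 2>/dev/null); then
        case $mode in
            *00) ;;
            *) echo "$f: warning: mode $mode, private key readable by others" >&2 ;;
        esac
    fi
    return 0
}

# Constructed demonstration with placeholder PEM bodies (not real certificates
# or keys), run in a temporary directory so nothing under /etc is touched.
demo() {
    d=$(mktemp -d) || return 1
    pem() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----" > "$3"; }
    pem CERTIFICATE       'c2VydmVy'         "$d/server.pem"
    pem CERTIFICATE       'aW50ZXJtZWRpYXRl' "$d/intermediate.pem"
    pem CERTIFICATE       'Y3Jvc3Mtcm9vdA==' "$d/cross-root.pem"
    pem 'RSA PRIVATE KEY' 'cHJpdmtleQ=='     "$d/server.key"
    build_pem_bundle "$d/server.pem" "$d/server.key" "$d/cert.pem" \
        "$d/intermediate.pem" "$d/cross-root.pem" || return 1
    if check_pem_bundle "$d/cert.pem"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo && echo "constructed bundle: layout OK"
# Real use, with the page's path:
#   build_pem_bundle server.crt server.key /etc/haproxy/ssl/cert.pem intermediate.crt cross-root.crt
#   check_pem_bundle /etc/haproxy/ssl/cert.pem && haproxy -c -f /etc/haproxy/haproxy.cfg
```

The layout check is deliberately textual and does not validate the chain cryptographically; it catches the common mistakes (key pasted first, key missing or duplicated, a truncated block) cheaply, and `haproxy -c` then does the real parse.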

Ciphers and other options

frontend  sub
    bind :443 ssl crt /etc/haproxy/ssl/cert.pem no-sslv3 ciphers EECDH+AESGCM:EECDH+AES:EDH+AES:!DSS
    reqadd                      X-Forwarded-Proto:\ https