HAProxy: SSL encrypted backend with self-signed cert

Solution 1:

The question is not really linked to HAProxy, but to managing certs and certificate authorities in general.

Not sure which OS you're using, because you didn't state this, but if it's some Linux flavor (albeit the following applies to Debian and derivatives):

  • Make sure you have the package ca-certificates installed.

  • You're creating your certs using your own certificate authority (CA).

  • Take the root cert of this CA and put it inside /usr/local/share/ca-certificates/name-of-your-ca/. (You might have to create the folder name-of-your-ca yourself.) Ensure that your CA root cert has a .crt extension.

    (By default, /usr/local/share/ca-certificates/ is owned by root:staff, so use sudo or root to do this.)

  • Execute update-ca-certificates (via sudo / as root).

  • After execution, there should be a file /etc/ssl/cert/your-ca-root.pem symlinked to /usr/local/share/ca-certificates/name-of-your-ca/your-ca-root.crt.

  • Enable verification in HAProxy and profit.
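
The last step, as an added configuration example that is not part of the original answer: a backend `server` line with verification turned off, beside one with it turned on. The backend name, address, port and hostname are assumptions; `/etc/ssl/certs/ca-certificates.crt` is the combined bundle that update-ca-certificates regenerates on Debian and derivatives.

```haproxy
# Added example. be_app, 192.0.2.10:8443 and app1.internal.example are
# assumed names, not values from the original answer.

backend be_app
    mode http

    # Weak: traffic to the backend is encrypted, but the certificate is never
    # checked, so any certificate presented on that address is accepted.
    # server app1 192.0.2.10:8443 ssl verify none

    # Verified: the backend certificate must chain to a CA in ca-file.
    # verifyhost additionally requires the certificate to match this name;
    # without it, any certificate issued by a trusted CA would pass.
    server app1 192.0.2.10:8443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost app1.internal.example

    # Tighter alternative: trust only your own CA for this backend by pointing
    # ca-file at its root cert instead of the system-wide bundle, e.g.
    #   ca-file /usr/local/share/ca-certificates/name-of-your-ca/your-ca-root.crt
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a missing or unreadable ca-file is reported at that point.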