grab the latest available LTS release for your distribution
    ls -lF /usr/share/keyrings/haproxy.debian.net.gpg # no exist
    ls -lF /etc/apt/sources.list.d/haproxy.list # no exist
    which gpg
    which gpg1
    #apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 95A42FE8353525F9
    curl -s https://haproxy.debian.net/bernat.debian.org.gpg | gpg --dearmor > /usr/share/keyrings/haproxy.debian.net.gpg
    echo "deb [signed-by=/usr/share/keyrings/haproxy.debian.net.gpg] http://haproxy.debian.net buster-backports-2.4 main" \
        > /etc/apt/sources.list.d/haproxy.list
    apt update
    apt install haproxy=2.4.\* vim-haproxy
    grep ^haproxy /etc/group
    grep ^haproxy /etc/passwd

generate the DH parameters for the DHE key-exchange

    ls -lF /etc/ssl/dhparms.pem # no exist
    openssl dhparam -out /etc/ssl/dhparms.pem 2048
    chmod 444 /etc/ssl/dhparms.pem
and, if you do not have a certificate yet, generate a self-signed dummy cert (the config below expects it at /etc/ssl/self.crt).

we are removing the stock config's references to the known-CA store: a terminating proxy has no need for an SSL trust store unless you are a CDN.
    zcat /usr/share/doc/haproxy/configuration.txt.gz | less
    cp -pi /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.dist
    vi /etc/haproxy/haproxy.cfg

    global
        ...
        # PFS key-exchange only
        ssl-default-bind-ciphers ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
        # same path as the file generated above
        ssl-dh-param-file /etc/ssl/dhparms.pem

    defaults
        ...

    frontend http
        bind *:80 alpn h2,http/1.1
        http-response set-header Strict-Transport-Security "max-age=16000000;"
        redirect scheme https code 301

    frontend https
        bind *:443 ssl crt /etc/ssl/self.crt alpn h2,http/1.1
        #bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
        #bind *:443 ssl crt-list /etc/haproxy/YOUR-FILE.list alpn h2,http/1.1
        http-response set-header Strict-Transport-Security "max-age=16000000;"
        default_backend servers

    backend servers
        balance leastconn
        server TEST-SRV1 TEST-SRV1:80 check
        server TEST-SRV2 TEST-SRV2:80 check
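Before restarting, the hardening above can be audited offline. The script below is an added example (not part of these notes and not HAProxy's own tooling): it parses the section structure of a haproxy.cfg and reports a missing TLSv1.2 floor, session tickets left on, no DH parameter file, a frontend without the HSTS header, or a server line without `check`. Both configs embedded in it are constructed samples.

```python
import re

# Constructed samples (not from a real host): an unhardened config, and the
# settings the notes above apply, reduced to the lines that matter.
WEAK_CFG = """global
frontend https
    bind *:443 ssl crt /etc/ssl/self.crt
backend servers
    server TEST-SRV1 TEST-SRV1:80"""
HARDENED_CFG = """global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-dh-param-file /etc/ssl/dhparms.pem
frontend https
    bind *:443 ssl crt /etc/ssl/self.crt alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"
backend servers
    server TEST-SRV1 TEST-SRV1:80 check"""
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?$")

def parse_sections(text):
    sections = []  # list of (kind, header line, [directive lines]); comments dropped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), line, []))
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def audit(text):
    """Sorted findings for the hardening this page applies; [] means all pass."""
    findings = []
    for kind, label, lines in parse_sections(text):
        if kind == "global":
            opts = " ".join(l for l in lines if l.startswith("ssl-default-bind-options"))
            m = re.search(r"ssl-min-ver\s+TLSv(\d\.\d)", opts)
            if not m or float(m.group(1)) < 1.2:
                findings.append(f"{label}: no ssl-min-ver TLSv1.2 floor")
            if "no-tls-tickets" not in opts:
                findings.append(f"{label}: session tickets on (no-tls-tickets missing)")
            if not any(l.startswith("ssl-dh-param-file") for l in lines):
                findings.append(f"{label}: ssl-dh-param-file not set")
        if kind in ("frontend", "listen") and not any("Strict-Transport-Security" in l for l in lines):
            findings.append(f"{label}: no HSTS header")
        if kind in ("backend", "listen"):
            for l in lines:
                if l.startswith("server ") and not re.search(r"\bcheck\b", l):
                    findings.append(f"{label}: server {l.split()[1]} has no health check")
    return sorted(findings)
```

Run it against the real file with `audit(open("/etc/haproxy/haproxy.cfg").read())`; it complements `haproxy -c`, which only validates syntax.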
validate the config, then restart while watching the logs

    haproxy -c -f /etc/haproxy/haproxy.cfg # -V
    tail -F /var/log/haproxy.log
    systemctl status haproxy
    systemctl restart haproxy
    journalctl -u haproxy.service --since today --no-pager
attempt to reach the backends locally

    curl -i TEST-SRV1
    curl -i TEST-SRV2

attempt to reach the frontend remotely

    nmap -p 80,443 HAPROXY-FACING-IP
    nmap -p 80,443 HAPROXY-FACING-HOST

check redirects

    curl -i SOME-SERVED-FQDN
    curl -i HAPROXY-FACING-HOST
    curl -i HAPROXY-FACING-IP

check certificates

    openssl s_client -connect SOME-SERVED-FQDN:443 -servername SOME-SERVED-FQDN
    curl -i https://SOME-SERVED-FQDN/
    curl -ki https://HAPROXY-FACING-HOST/
    curl -ki https://HAPROXY-FACING-IP/
curves

and what about the ssl-default-bind-curves directive? e.g. X25519:P-256, which differs from the openssl naming

in case you want your backends to know that HTTPS got handled

    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
Configuration Manual https://www.haproxy.org/download/2.4/doc/configuration.txt
Configuration Manual https://cbonte.github.io/haproxy-dconv/2.4/configuration.html
Starter Guide https://devdocs.io/haproxy~2.4/
HAPEE-LB Configuration Manual https://www.haproxy.com/documentation/hapee/latest/onepage/
Configuration Manual https://devdocs.io/haproxy~2.4/configuration
Debian/Ubuntu HAProxy packages https://haproxy.debian.net/
Starter Guide http://cbonte.github.io/haproxy-dconv/2.5/intro.html
Starter Guide https://cbonte.github.io/haproxy-dconv/2.4/intro.html
The Four Essential Sections of an HAProxy Configuration https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/
HAProxy Setup https://github.com/klzgrad/naiveproxy/wiki/HAProxy-Setup
What is the meaning of these HAProxy configuration lines? https://serverfault.com/questions/937035/what-is-the-meaning-of-these-haproxy-configuration-lines
Introduction to HAProxy Logging https://www.haproxy.com/blog/introduction-to-haproxy-logging/
HAProxy Configuration Basics: Load Balance Your Servers https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/
Load Balancing https://www.haproxy.com/documentation/hapee/latest/load-balancing/
An Introduction to HAProxy and Load Balancing Concepts https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts
Health Checking https://www.haproxy.com/documentation/hapee/latest/load-balancing/health-checking/ ==> simply check
Announcing HAProxy 2.2 https://www.haproxy.com/blog/announcing-haproxy-2-2/ ==> Health Check Overhaul
HAProxy load balancer. Part 2: Backend section and the algorithms https://d2c.io/post/haproxy-load-balancer-part-2-backend-section-algorithms
HA Proxy - roundrobin vs leastconn https://serverfault.com/questions/457506/ha-proxy-roundrobin-vs-leastconn
Using SSL Certificates with HAProxy https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
HAProxy SSL Termination https://www.haproxy.com/blog/haproxy-ssl-termination/ ==> crt, crt-list
Configure multiple SSL certificates in Haproxy https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy
HAProxy to terminate SSL also send SSL to backend server https://serverfault.com/questions/738045/haproxy-to-terminate-ssl-also-send-ssl-to-backend-server ==> ssl backend
Redirect HTTP to HTTPS with HAProxy https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy/
HAProxy redirecting http to https (ssl) https://stackoverflow.com/questions/13227544/haproxy-redirecting-http-to-https-ssl
HAProxy and HTTP Strict Transport Security (HSTS) https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
Introduction to HAProxy ACLs https://www.haproxy.com/blog/introduction-to-haproxy-acls/
Routing Multiple Domains using HAProxy (HTTP and HTTPS) https://blog.entrostat.com/routing-multiple-domains-using-haproxy-http-and-https-ssl/ ==> separate binds (not that useful when you have ACLs)
High Availability with HAProxy and Keepalived in AWS https://www.peternijssen.nl/high-availability-haproxy-keepalived-aws/
High Availability for NGINX Plus on AWS with keepalived and Elastic IP Address https://www.nginx.com/blog/high-availability-nginx-plus-aws-keepalived-elastic-ip-address/
Dynamic SSL Certificate Storage in HAProxy https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
HAproxy SSL/TLS Warning: Setting tune.ssl.default-dh-param to 1024 by default https://www.digitalocean.com/community/tutorials/haproxy-ssl-tls-warning-setting-tune-ssl-default-dh-param-to-1024-by-default
Common HAProxy Errors https://www.digitalocean.com/community/tutorial_series/common-haproxy-errors
How To Troubleshoot Common HAProxy Errors https://www.digitalocean.com/community/tutorials/how-to-troubleshoot-common-haproxy-errors
Haproxy 2.x openssl/libressl issues with curves bind option (Opnsense) #366 https://github.com/haproxy/haproxy/issues/366
Validate haproxy.cfg https://stackoverflow.com/questions/39609178/validate-haproxy-cfg
Haproxy TLS configuration https://serverfault.com/questions/941762/haproxy-tls-configuration/941812