Skip to main content
To use the Vectera Plus for TLS offloading, perform the tasks in this section, which show how to configure HAProxy to use the TLS server certificate you created previously, along with pkcs11-provider for TLS offloading. If you installed HAProxy through your Linux distribution default package manager, the HAProxy configuration directory is located at /etc/haproxy/.

Create a directory

Perform the following steps to create a directory for HAProxy TLS PKI:
1
Create a directory inside /etc/haproxy/ named tls.
2
Move the HAProxy TLS server certificate (haproxy-cert.pem) and private key reference object file (haproxy-cert.pem.key) into the /etc/haproxy/tls/ directory.

Edit the configuration file

Perform the following steps to edit the HAProxy configuration file:
1
Open the /etc/haproxy/haproxy.cfg file in a text editor.
2
Configure HAProxy to use pkcs11-provider by defining the following lines in the global section:
None
global
    ssl-provider-path /usr/lib/x86_64-linux-gnu/ossl-modules
    ssl-provider pkcs11
    ssl-provider default
3
At the bottom of the file, define the frontend and backend configuration:
None
# ----------------------- Frontend section -----------------------
frontend https-in
    bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem
    mode http
    default_backend webservers

# ----------------------- Backend section ------------------------
backend webservers
    mode http
    balance roundrobin
    server web1 127.0.0.1:8080 check
The following points explain aspects of the preceding code:-bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem
  • This instructs HAProxy to listen on port 443 using SSL, loading the certificate from /etc/haproxy/tls/haproxy-cert.pem. HAProxy knows how to find the /etc/haproxy/tls/haproxy-cert.pem.key file because you gave it the same file name as the certificate, but with the .key extension.
  • mode http ensures that HAProxy treats traffic as HTTP after decryption.
  • default_backend webservers sends traffic to a backend block named webservers.
  • The backend block can forward requests to one or more servers (in this case, only 127.0.0.1:8080). For testing purposes, you can spin up a web server by running the following command in a separate terminal window:
Shell
python3 -m http.server 8080
4
Save the changes to the /etc/haproxy/haproxy.cfg file.
5
Confirm the configuration is valid by running the following command:
Shell
haproxy -c -f /etc/haproxy/haproxy.cfg

Restart HAProxy

Perform the following steps to restart HAProxy to apply changes:
1
Run the following command to restart the HAProxy service:
Shell
sudo systemctl restart haproxy
2
Confirm that new entries populated in the Futurex PKCS #11 log file (fxpkcs11.log) during the restart process, which indicates that HAProxy is successfully communicating with the Vectera Plus.

Test HAProxy

Perform the following steps to test HAProxy TLS offloading:
1
Run the following command to confirm HAProxy TLS offloading is working as intended:
Shell
curl -Ik https://127.0.0.1/
If TLS negotiation is successful, you see the following message:
None
HTTP/1.1 200 OK