> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure HAProxy

> Procedural guide to configure HAProxy for TLS offloading using a previously generated certificate and pkcs11-provider.

To use the Vectera Plus for TLS offloading, perform the tasks in this section, which show how to configure HAProxy to use the TLS server certificate you created previously, along with **pkcs11-provider** for TLS offloading.

If you installed HAProxy through your Linux distribution default package manager, the HAProxy configuration directory is located at `/etc/haproxy/`.

## Create a directory

Perform the following steps to create a directory for HAProxy TLS PKI:

<Steps>
  <Step>
    Create a directory inside `/etc/haproxy/` named `tls`.
  </Step>

  <Step>
    Move the HAProxy TLS server certificate (`haproxy-cert.pem`) and private key reference object file (`haproxy-cert.pem.key`) into the `/etc/haproxy/tls/` directory.
  </Step>
</Steps>

## Edit the configuration file

Perform the following steps to edit the HAProxy configuration file:

<Steps>
  <Step>
    Open the `/etc/haproxy/haproxy.cfg` file in a text editor.
  </Step>

  <Step>
    Configure HAProxy to use **pkcs11-provider** by defining the following lines in the `global` section:

    ```none expandable lines wrap title="None" theme={null}
    global
        ssl-provider-path /usr/lib/x86_64-linux-gnu/ossl-modules
        ssl-provider pkcs11
        ssl-provider default
    ```
  </Step>

  <Step>
    At the bottom of the file, define the **frontend** and **backend** configuration:

    ```none expandable lines wrap title="None" theme={null}
    # ----------------------- Frontend section -----------------------
    frontend https-in
        bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem
        mode http
        default_backend webservers

    # ----------------------- Backend section ------------------------
    backend webservers
        mode http
        balance roundrobin
        server web1 127.0.0.1:8080 check
    ```

    The following points explain aspects of the preceding code:

    -**bind \*:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem**

    * This instructs HAProxy to listen on port 443 using SSL, loading the certificate from `/etc/haproxy/tls/haproxy-cert.pem`. HAProxy knows how to find the `/etc/haproxy/tls/haproxy-cert.pem.key` file because you gave it the same file name as the certificate, but with the `.key` extension.
    * **mode http** ensures that HAProxy treats traffic as HTTP after decryption.
    * **default\_backend webservers** sends traffic to a backend block named `webservers`.
    * The backend block can forward requests to one or more servers (in this case, only `127.0.0.1:8080`). For testing purposes, you can spin up a web server by running the following command in a separate terminal window:

    ```shell expandable lines wrap title="Shell" theme={null}
    python3 -m http.server 8080
    ```
  </Step>

  <Step>
    Save the changes to the `/etc/haproxy/haproxy.cfg` file.
  </Step>

  <Step>
    Confirm the configuration is valid by running the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    haproxy -c -f /etc/haproxy/haproxy.cfg
    ```
  </Step>
</Steps>

## Restart HAProxy

Perform the following steps to restart HAProxy to apply changes:

<Steps>
  <Step>
    Run the following command to restart the HAProxy service:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo systemctl restart haproxy
    ```
  </Step>

  <Step>
    Confirm that new entries populated in the Futurex PKCS #11 log file (`fxpkcs11.log`) during the restart process, which indicates that HAProxy is successfully communicating with the Vectera Plus.
  </Step>
</Steps>

## Test HAProxy

Perform the following steps to test HAProxy TLS offloading:

<Steps>
  <Step>
    Run the following command to confirm HAProxy TLS offloading is working as intended:

    ```shell expandable lines wrap title="Shell" theme={null}
    curl -Ik https://127.0.0.1/
    ```

    <Check>
      If TLS negotiation is successful, you see the following message:

      ```none expandable lines wrap title="None" theme={null}
      HTTP/1.1 200 OK
      ```
    </Check>
  </Step>
</Steps>
