About HAProxy
HAProxy (High Availability Proxy) is a popular open-source software load balancer and reverse proxy that distributes incoming network traffic across multiple servers. It’s particularly well-suited for HTTP and TCP applications, ensuring high service availability and reliability. HAProxy can handle millions of concurrent connections, making it a go-to choice for large-scale deployments. It offers advanced features like health checking, sticky sessions, and detailed monitoring capabilities that help maintain optimal web application performance and reliability.
TLS offloading
One of HAProxy's most powerful capabilities is TLS offloading (also known as SSL termination). This feature lets HAProxy handle the computationally intensive work of encrypting and decrypting TLS/SSL traffic on behalf of the backend servers. When you configure TLS offloading, HAProxy accepts incoming encrypted connections from clients, decrypts the traffic, and then forwards the decrypted requests to the backend servers over a secure internal network. This approach offers the following benefits:
- Reduces the CPU load on backend servers
- Centralizes SSL certificate management
- Enables inspection and manipulation of HTTP traffic
HAProxy integration with the Vectera Plus HSM
HAProxy can use pkcs11-provider (github.com/latchset/pkcs11-provider), a PKCS #11 provider for OpenSSL 3, to offload cryptographic operations to an HSM. It replaces the pkcs11 engine (github.com/OpenSC/engine_pkcs11), because the OpenSSL ENGINE API is deprecated in OpenSSL 3. The provider is usually installed as .../ossl-modules/pkcs11.so, a sub-folder of the OpenSSL build-time --prefix, so it keeps the same filename as the pkcs11 engine but lives in a different folder.
pkcs11-provider is a middleware layer: it requires an actual PKCS #11 module underneath it (such as the Futurex PKCS #11 library) to communicate with the HSM.
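As an added illustration (not taken from Futurex's or HAProxy's documentation), the following HAProxy configuration terminates TLS as described in the TLS offloading section and loads pkcs11-provider into HAProxy's OpenSSL 3 instance; the HAProxy 2.6+ `ssl-provider` keywords, the file paths and the backend addresses are assumptions, and the provider's own settings (which PKCS #11 library it drives) are assumed to come from the OpenSSL configuration file.

```haproxy
global
    log stdout format raw local0
    # Assumption: HAProxy 2.6+ built against OpenSSL 3. Loading any provider by
    # name disables automatic loading of the default provider, so load both.
    ssl-provider-path /usr/lib64/ossl-modules
    ssl-provider pkcs11
    ssl-provider default
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    # TLS terminates here. The PEM bundle path is a placeholder; with an HSM the
    # private-key operations are performed by the PKCS #11 module behind the provider.
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind :80
    # Clients arriving in clear text are sent to the encrypted listener
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Tell the backends the original request was encrypted
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend web_servers

backend web_servers
    balance roundrobin
    # Health checking, as mentioned in the overview: mark a server down on non-200
    option httpchk GET /healthz
    http-check expect status 200
    # Decrypted traffic is forwarded in plain HTTP on the trusted internal network
    server web1 10.0.0.11:8080 check
    server web2 10.0.0.12:8080 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a provider that fails to load is reported at this stage.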
Guardian integration
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems

