Configure HAProxy
To use the for TLS offloading, perform the tasks in this section. They show how to configure HAProxy to use the TLS server certificate you created previously, together with pkcs11-provider, for TLS offloading.
If you installed HAProxy through your Linux distribution's default package manager, the HAProxy configuration directory is /etc/haproxy/.
Create a directory inside /etc/haproxy/ named tls.
Move the HAProxy TLS server certificate (haproxy-cert.pem) and private key reference object file (haproxy-cert.pem.key) into the /etc/haproxy/tls/ directory.
Open the /etc/haproxy/haproxy.cfg file in a text editor.
Configure HAProxy to use pkcs11-provider by defining the following lines in the global section:
At the bottom of the file, define the frontend and backend configuration:
Explanation
- bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem
- This instructs HAProxy to listen on port 443 with TLS, loading the certificate from /etc/haproxy/tls/haproxy-cert.pem. HAProxy finds the /etc/haproxy/tls/haproxy-cert.pem.key file on its own because you gave it the certificate's file name with .key appended.
- mode http ensures that HAProxy treats traffic as HTTP after decryption.
- default_backend webservers sends traffic to a backend block named webservers.
- The backend block can forward requests to one or more servers (in this case, only 127.0.0.1:8080). For testing purposes, you can spin up a plain HTTP web server on 127.0.0.1:8080 by running the following command in a separate terminal window:
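The frontend and backend described above, written out as a complete haproxy.cfg as an added example; this is not the page's own configuration. The global-section directives (ssl-provider, ssl-propquery, which require HAProxy 2.6 or later built against OpenSSL 3), the section names, and the timeouts are assumptions.

```haproxy
global
    log /dev/log local0
    # Assumed pkcs11-provider wiring for OpenSSL 3 (HAProxy 2.6 or later).
    # Keep the default provider loaded for everything the HSM does not do,
    # and prefer pkcs11 for private-key operations via the property query.
    ssl-provider default
    ssl-provider pkcs11
    ssl-propquery "?provider=pkcs11"

defaults
    mode http
    # Timeouts are assumed values; HAProxy warns if they are absent.
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_in
    # TLS terminates here. The private key never leaves the HSM:
    # haproxy-cert.pem.key is only a pkcs11-provider reference object,
    # found automatically as <crt>.key next to the certificate.
    bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem
    mode http
    default_backend webservers

backend webservers
    mode http
    # Single test upstream on the loopback interface.
    server local1 127.0.0.1:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service; a failed key load at this stage usually means the reference object file is missing or the provider was not loaded.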
Save the changes to the /etc/haproxy/haproxy.cfg file.
Confirm the configuration is valid by running the following command:
Run the following command to restart the HAProxy service:
Confirm that new entries were written to the PKCS #11 log file (fxpkcs11.log) during the restart, which indicates that HAProxy is successfully communicating with the .
Run the following command to confirm HAProxy TLS offloading is working as intended:
If TLS negotiation is successful, you see the following message: