Configure HAProxy
To use the {{vectera}} for TLS offloading, perform the tasks in this section, which show how to configure HAProxy to use the TLS server certificate you created previously, together with the PKCS #11 provider, for TLS offloading.

If you installed HAProxy through your Linux distribution's default package manager, the HAProxy configuration directory is located at /etc/haproxy/.

1 | Create a directory for HAProxy TLS PKI

Create a directory inside /etc/haproxy/ named tls.

Move the HAProxy TLS server certificate (haproxy-cert.pem) and the private key reference object file (haproxy-cert.pem.key) into the /etc/haproxy/tls/ directory.

2 | Edit the HAProxy configuration file

Open the /etc/haproxy/haproxy.cfg file in a text editor.

Configure HAProxy to use the PKCS #11 provider by defining the following lines in the global section:

    global
        ssl-provider-path /usr/lib/x86_64-linux-gnu/ossl-modules
        ssl-provider pkcs11
        ssl-provider default

At the bottom of the file, define the frontend and backend configuration:

    # frontend section
    frontend https-in
        bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem
        mode http
        default_backend webservers

    # backend section
    backend webservers
        mode http
        balance roundrobin
        server web1 127.0.0.1:8080 check

Explanation:

bind *:443 ssl crt /etc/haproxy/tls/haproxy-cert.pem: instructs HAProxy to listen on port 443 using SSL, loading the certificate from /etc/haproxy/tls/haproxy-cert.pem. HAProxy knows how to find the /etc/haproxy/tls/haproxy-cert.pem.key file because you gave it the same file name as the certificate, but with the .key extension. That file is the PKCS #11 reference object, not the private key itself; the key stays inside the {{vectera}}.

mode http: ensures that HAProxy treats traffic as HTTP after decryption.

default_backend webservers: sends traffic to a backend block named webservers. The backend block can forward requests to one or more servers (in this case, only 127.0.0.1:8080).

For testing purposes, you can spin up a web server by running the following command in a separate terminal window:

    python3 -m http.server 8080

Save the changes to the /etc/haproxy/haproxy.cfg file.

Confirm the configuration is valid by running the following command:

    haproxy -c -f /etc/haproxy/haproxy.cfg

3 | Restart HAProxy to apply changes

Run the following command to restart the HAProxy service:

    sudo systemctl restart haproxy

Confirm that new entries were written to the {{futurex}} PKCS #11 log file (fxpkcs11.log) during the restart, which indicates that HAProxy is successfully communicating with the {{vectera}}.

4 | Test HAProxy TLS offloading

Run the following command to confirm that HAProxy TLS offloading is working as intended:

    curl -ik https://127.0.0.1/

If TLS negotiation is successful, you see the following message:

    HTTP/1.1 200 OK
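The four steps above, as an added shell script that is not part of the {{futurex}} documentation or of HAProxy itself. It stages the certificate and key reference pair, renders the haproxy.cfg described on this page, validates it, restarts the service, and checks that fxpkcs11.log grew across the restart before issuing the curl test. The locations of the provider modules and of fxpkcs11.log, the certificate file name, and the defaults section with timeouts are assumptions (the page gives no defaults section; HAProxy only warns without one). The check_cert_pair function also rejects a .key file that contains a plaintext PEM private key, since with offloading that file should only reference the key held in the HSM.

```shell
#!/usr/bin/env bash
# Added example (not from the Futurex docs): stage, render, validate and test
# the HAProxy TLS offloading setup. Run with --run to execute the full procedure.
set -euo pipefail

# Assumed paths; adjust to your deployment.
HAPROXY_DIR="${HAPROXY_DIR:-/etc/haproxy}"
CERT_NAME="${CERT_NAME:-haproxy-cert.pem}"
PROVIDER_PATH="${PROVIDER_PATH:-/usr/lib/x86_64-linux-gnu/ossl-modules}"
PKCS11_LOG="${PKCS11_LOG:-/var/log/fxpkcs11.log}"   # assumed location of fxpkcs11.log

# Verify that <crt> and <crt>.key sit side by side, which is how HAProxy finds
# the key reference, and that the .key file is not a plaintext private key.
check_cert_pair() {
  local crt="$1"
  [ -f "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }
  [ -f "$crt.key" ] || { echo "missing key reference: $crt.key" >&2; return 1; }
  if grep -q 'PRIVATE KEY-----' "$crt.key"; then
    echo "warning: $crt.key looks like a plaintext private key, not an HSM reference" >&2
    return 2
  fi
  return 0
}

# Emit the haproxy.cfg from the page, plus an assumed defaults section.
render_config() {
  local crt="$1" provider_path="$2" backend="${3:-127.0.0.1:8080}"
  cat <<EOF
global
    ssl-provider-path $provider_path
    ssl-provider pkcs11
    ssl-provider default

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# frontend section
frontend https-in
    bind *:443 ssl crt $crt
    mode http
    default_backend webservers

# backend section
backend webservers
    mode http
    balance roundrobin
    server web1 $backend check
EOF
}

# Line count of the PKCS #11 log (0 if absent); compared before and after restart.
log_lines() {
  if [ -f "$1" ]; then echo $(( $(wc -l < "$1") )); else echo 0; fi
}

main() {
  local crt="$HAPROXY_DIR/tls/$CERT_NAME"
  check_cert_pair "$crt"
  render_config "$crt" "$PROVIDER_PATH" > "$HAPROXY_DIR/haproxy.cfg"
  haproxy -c -f "$HAPROXY_DIR/haproxy.cfg"
  local before after
  before=$(log_lines "$PKCS11_LOG")
  sudo systemctl restart haproxy
  after=$(log_lines "$PKCS11_LOG")
  if [ "$after" -gt "$before" ]; then
    echo "fxpkcs11.log grew by $((after - before)) lines: HAProxy is talking to the HSM"
  else
    echo "warning: no new fxpkcs11.log entries during restart" >&2
  fi
  # Expect the first line to read HTTP/1.1 200 OK when offloading works.
  curl -ik https://127.0.0.1/ | head -n 1
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The script only touches the live system when invoked with --run; the functions can be sourced and exercised against a scratch directory first, which is also how the certificate pair check is meant to be used before copying files into /etc/haproxy/tls/.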