TLS offloading
HAProxy
This document provides information about configuring HAProxy with {{futurex}} HSMs for TLS offloading. For additional questions about your HSM, see the relevant user guide.

About HAProxy

HAProxy (High Availability Proxy) is a popular open source software load balancer and reverse proxy that distributes incoming network traffic across multiple servers. It is particularly well suited for HTTP and TCP applications, ensuring high service availability and reliability. HAProxy can handle millions of concurrent connections, making it a go-to choice for large-scale deployments. It offers advanced features such as health checking, sticky sessions, and detailed monitoring capabilities that help maintain optimal web application performance and reliability.

TLS offloading

One of HAProxy's powerful capabilities is TLS offloading (also known as SSL termination). This feature enables HAProxy to handle the computationally intensive process of encrypting and decrypting TLS/SSL traffic on behalf of backend servers. When you configure TLS offloading, HAProxy accepts incoming encrypted connections from clients, decrypts the traffic, and then forwards the decrypted requests to backend servers over a secure internal network. This approach offers the following benefits:

- Reduces the CPU load on backend servers
- Centralizes SSL certificate management
- Enables inspection and manipulation of HTTP traffic

By handling the TLS processing at the proxy level, your organization can achieve better performance and simplified certificate management while maintaining end-to-end security.

HAProxy integration with the {{vectera}} HSM

HAProxy can use pkcs11-provider, which is a PKCS #11 provider for OpenSSL 3, to offload cryptographic tasks to an HSM. It replaces the pkcs11 engine, because the OpenSSL ENGINE API is deprecated. The provider is usually installed as ossl-modules/pkcs11.so in the modules sub-folder of the OpenSSL build-time prefix, using the same file name as the pkcs11 engine but a different folder. pkcs11-provider is a middleware provider: it does no cryptography itself and requires an actual PKCS #11 library behind it (such as the {{futurex}} PKCS #11 library).

Guardian integration

The {{guard}} introduces mission-critical viability to core cryptographic infrastructure, including:

- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems

See the applicable guide in the {{futurex}} portal for configuring HSMs with the {{guard}}, including PKCS #11 and CNG configuration.
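Referring back to the pkcs11-provider section above, the following OpenSSL 3 configuration fragment is an added example (not from this guide or from {{futurex}}) showing how the middleware provider is activated and pointed at the HSM's PKCS #11 library. The file paths and the PIN file location are assumptions; take the real values from the {{futurex}} user guide.

```ini
# Added example, not part of the original guide.
# Minimal openssl.cnf that activates pkcs11-provider next to the default provider.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Keep the default provider active: once any provider is configured explicitly,
# the default one is no longer loaded implicitly, and the TLS cipher suites
# themselves still come from it.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# pkcs11-provider shared object, normally under the OpenSSL modules directory.
# Assumed path.
module = /usr/lib64/ossl-modules/pkcs11.so
# The real PKCS #11 library that talks to the HSM. Assumed path.
pkcs11-module-path = /opt/futurex/lib/libfxpkcs11.so
# Token PIN read from a root-only file rather than written inline. Assumed path.
pkcs11-module-token-pin = file:/etc/haproxy/hsm-pin
activate = 1
```

With OPENSSL_CONF pointing at this file, `openssl list -providers` should show both the default provider and pkcs11 before HAProxy is pointed at the HSM-backed key; if pkcs11 is missing, check the `module` and `pkcs11-module-path` values first.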