HAProxy Configuration
  • 26 Mar 2021

It is recommended to run HAProxy in an SSL-termination configuration: the proxy terminates the agents' TLS sessions itself, so it can read the HTTP requests and add headers carrying each agent's connection information (such as its source IP) before forwarding the traffic to the SecureCircle server nodes.

The SSL certificate and its private key must be given to HAProxy in a single PEM file.

The crt argument of the bind line designates a PEM file containing both the required certificates and the associated private key. Build it by concatenating the individual PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA requires an intermediate certificate, concatenate it as well, keeping the server certificate first and the intermediate(s) after it, since HAProxy treats the first certificate in the file as the server certificate and the following ones as its chain. Because this file contains the private key, make it readable only by the user HAProxy runs as (for example chmod 600).

It is assumed the SecureCircle server nodes listen for HTTPS traffic on port 443 using a self-signed or CA-issued certificate, so HAProxy re-encrypts the traffic it forwards to them.


global
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        # Put the chosen list in ssl-default-bind-ciphers here.
        ssl-default-bind-options no-sslv3
        # On HAProxy 1.8+ a protocol floor is preferable to denying versions one by one:
        # ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
        mode    http
        timeout connect 5000
        timeout client  50000
        timeout server  50000

frontend http-in
        # The balancer will listen to port 80 and redirect to HTTPS
        bind *:80
        redirect scheme https if !{ ssl_fc }
        # The balancer will terminate SSL traffic on port 443 using the specified PEM keychain
        bind *:443 ssl crt /path/to/your/keychain.pem
        # Traffic will be routed to the nodes backend
        default_backend nodes

backend nodes
        # Inject headers so the nodes know the connecting agent's source IP
        # (option forwardfor adds X-Forwarded-For; X-Consumer-IP carries the same value)
        option forwardfor
        http-request add-header X-Consumer-IP %[src]
        # Balance connections across servers using a round-robin approach
        balance roundrobin
        # Ensure nodes are healthy before routing traffic to them
        # (checks inherit the server's ssl setting because no separate check port is given)
        option httpchk GET /web/login.html
        # Servers that will be routed to; each server line needs the node's address and port.
        # The addresses below are placeholders: replace them with your node IPs or hostnames.
        # It's recommended to replace "ssl verify none" with:
        # ssl verify required ca-file /path/to/server-ca
        # ca-file will either be the server's self signed cert or CA cert(s)
        server SC01 10.0.0.11:443 check ssl verify none
        server SC02 10.0.0.12:443 check ssl verify none
        server SC03 10.0.0.13:443 check ssl verify none
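The two steps above, building the PEM keychain for the bind line and deciding what to put in the backend's ca-file, are easy to get subtly wrong (key and certificate from different requests, chain in the wrong order, a world-readable key file). The script below is an added example written for this page, not SecureCircle's or HAProxy's own tooling. It assumes POSIX sh and the openssl command line; haproxy itself is optional. The file names, the sc-test subject and the node address form are assumptions.

```shell
#!/bin/sh
# Build the PEM bundle HAProxy's crt argument expects and sanity-check it, then
# dry-run the backend check that "ssl verify required ca-file" will perform.
# Added example for this page; not SecureCircle's or HAProxy's own tooling.
set -eu

# build_bundle OUT CERT KEY [INTERMEDIATE...]
# Chain order matters: server certificate first, then intermediates, then the
# private key. The bundle holds the key, so it is created with mode 600.
build_bundle() {
    out=$1; cert=$2; key=$3; shift 3
    ( umask 077; cat "$cert" "$@" "$key" > "$out" )
    chmod 600 "$out"
}

# bundle_ok BUNDLE: structural check. Succeeds only if the first PEM block is a
# certificate, exactly one private key is present (RSA, EC or PKCS#8) and that
# key is not passphrase-protected (HAProxy could not load it unattended).
bundle_ok() {
    b=$1
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$b" || true)
    keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----' "$b" || true)
    first=$(grep -e '^-----BEGIN' "$b" | head -n 1)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ] &&
        [ "$first" = "-----BEGIN CERTIFICATE-----" ] &&
        ! grep -q -e '^-----BEGIN ENCRYPTED' "$b"
}

# key_matches_cert BUNDLE: the public key inside the first certificate must be
# the one derived from the private key, otherwise HAProxy refuses the bundle.
key_matches_cert() {
    b=$1
    cert_pub=$(openssl x509 -in "$b" -noout -pubkey)
    key_pub=$(awk '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/' "$b" |
        openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# validate_cfg FILE: HAProxy's own parse check; only reports when haproxy is absent.
validate_cfg() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        echo "haproxy not installed here; run: haproxy -c -f $1" >&2
    fi
}

# verify_backend HOST:PORT CAFILE: what "server ... ssl verify required ca-file
# CAFILE" will do at runtime. Succeeds only if the node's certificate chains to
# CAFILE (for a self-signed node certificate, CAFILE is that certificate itself).
verify_backend() {
    host=${1%%:*}
    printf '' | openssl s_client -connect "$1" -servername "$host" \
        -CAfile "$2" -verify_return_error >/dev/null 2>&1
}

# Usage: sh haproxy-bundle.sh combined.pem cert.pem key.pem [intermediate.pem ...]
if [ $# -ge 3 ]; then
    build_bundle "$@"
    if bundle_ok "$1" && key_matches_cert "$1"; then
        echo "bundle $1 OK (certificate first, single matching key, mode 600)"
    else
        echo "bundle $1 is NOT usable by HAProxy" >&2
        exit 1
    fi
fi
```

Run verify_backend against each node address with the file you intend to name in ca-file before switching from "verify none" to "verify required"; a failure there means HAProxy would mark that node down for the same reason.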