DEV Community

Ogundare Olusesi Oluwafemi

How to Setup SSL Termination on Ubuntu

Table of Contents

  1. Introduction
  2. SSL Termination
  3. What is Let’s Encrypt
  4. Steps
     i. Step 1 – Install Certbot
     ii. Step 2 – Obtaining SSL Certificate from Let’s Encrypt
     iii. Step 3 – Configuring HAProxy to use SSL Certificate
     iv. Step 4 – Verify SSL Termination
  5. Conclusion
  6. Reference

Introduction

In one of my articles, I walked you through the practical steps of installing and configuring HAProxy as a load balancer on Ubuntu 22.04. This “How to” guide is a continuation of that article, and I will go a step further to demonstrate, step by step, how to set up HAProxy SSL termination on your Ubuntu 22.04 server. So, let’s go.

HAProxy is a load balancer and reverse proxy widely used by DevOps engineers on Linux and some other environments. It improves the performance and reliability of web application servers by distributing the incoming work across multiple web servers, which gives high availability for services and web applications.

SSL Termination

In my last article, I did not cover encryption of the web traffic that goes into our load balancer (HAProxy). That incoming traffic is of course in plain text, so it is not secure and is wide open to eavesdropping by third parties.

What I am saying in essence is that our web application is exposed to attackers.

The HAProxy load balancer can be configured to handle the encryption with users or clients itself, before it passes the traffic on to the numerous servers at the back end. This is far better than configuring encryption on every server behind the load balancer, which, as you will find out, is a very tedious process. This is what SSL termination has come to eliminate.

The HAProxy load balancer encrypts the traffic between itself and the client, then relays the requests in clear text to the servers at the back end of your internal network, and encrypts the servers’ responses on the way back to the clients. Because that back-end leg is unencrypted, it should stay on a trusted internal network.

The SSL certificate is then stored only on the load balancer rather than on the numerous back-end servers, which also takes the encryption work off those servers.

To show practical SSL termination, we will secure and configure our HAProxy load balancer server with the Let’s Encrypt certificate.

What is Let’s Encrypt?

To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. To get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol which typically runs on your web host.
To figure out what method will work best for you, you will need to know whether you have shell access (also known as SSH access) to your web host. If you manage your website entirely through a control panel like cPanel, Plesk, or WordPress, there’s a good chance you don’t have shell access. You can ask your hosting provider to be sure.

For this to work, you need a fully registered domain name. Let’s say samchris.tech is a domain name I registered during my software engineering programme at ALX (Holberton School of Computer Science).
Then, you have to point it (with a DNS A record) to your HAProxy load balancer server’s public IP address. My domain name has of course already been pointed to my HAProxy load balancer’s public IP address.

Step 1. Install Certbot

To get an SSL certificate from Let’s Encrypt, you need to install Certbot. Certbot is free and open-source software that automates obtaining and deploying Let’s Encrypt SSL certificates on websites.

Now, log in to the HAProxy load balancer server and first update the local package index with the following command:

$ sudo apt update

Next, install Certbot using the following command:

$ sudo apt install -y certbot

Step 2. Obtaining SSL Certificate from Let’s Encrypt

Let’s Encrypt provides many ways to get SSL certificates using different plug-ins. Many of the plug-ins only obtain the certificate, after which we must configure the web server manually. These plug-ins are called ‘authenticators’ because they only prove to Let’s Encrypt that the server should be issued a certificate.

In this ‘How to’ guide, I will walk you through getting the SSL certificate with the Standalone plug-in, a seamless method: it temporarily starts a small web server on port 80 to which Let’s Encrypt connects to validate your control of the domain (the HTTP-01 challenge) before issuing the certificate.

So, you need to make sure that no other service is listening on port 80 on your server.

To check whether your server is running another service on port 80, run the following command (netstat comes from the net-tools package, which may need to be installed on Ubuntu 22.04):

$ netstat -na | grep ':80.*LISTEN'

For example, if nginx is running on the HAProxy server, you can stop it as shown below. The same applies to HAProxy itself if its frontend is already bound to port 80; stop it for the duration of the challenge and start it again afterwards.

$ sudo systemctl stop nginx

Next, run Certbot with the Standalone plug-in we just discussed to get the certificate:

$ sudo certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d samchris.tech -d www.samchris.tech

The Standalone plug-in will then walk you through several prompts. You will be asked to provide your email address and to agree to the Let’s Encrypt ToS (Terms of Service). You can decline to opt in to EFF’s emails about news and campaigns.

If everything goes without error (pay attention to the screen while going through the prompts), the certificate and key are saved on the server. The files themselves live in the /etc/letsencrypt/archive directory, and certbot creates symbolic links to them under /etc/letsencrypt/live/domain_name, where domain_name is the first domain passed with -d (samchris.tech in this case).

Once you have obtained the certificate, you will have the following files in the /etc/letsencrypt/live/domain_name directory:

cert.pem – This is your domain’s certificate.
chain.pem – This is the Let’s Encrypt chain certificate.
fullchain.pem – Contains cert.pem and chain.pem combined.
privkey.pem – The private key to your certificate.

Step 3. Configuring HAProxy to use SSL Certificate

For the HAProxy load balancer to carry out SSL termination, that is, to encrypt the web application’s traffic between itself and the users (clients), we must combine fullchain.pem and privkey.pem into one file, which is the format HAProxy’s crt option expects.

Before you do that, create a directory where we are going to put the combined file by using the following command:

$ sudo mkdir -p /etc/haproxy/certs

Next, create the combined file with the cat command as follows (the live directory is named after the first domain given to certbot):

$ DOMAIN='samchris.tech' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'

Next, secure the directory so that only root can read the private key, by removing group and other permissions with chmod:

$ sudo chmod -R go-rwx /etc/haproxy/certs

Next, open the HAProxy configuration file with the following command:

$ sudo vim /etc/haproxy/haproxy.cfg

In the frontend section, add a bind entry for your server’s public IP on port 443, followed by the path to the combined certificate and key file:

bind haproxy-ip:443 ssl crt /etc/haproxy/certs/samchris.tech.pem

Next, force redirection from HTTP to HTTPS with a redirect rule, so that the frontend and backend look like the following:

frontend samantha
    bind 10.199.212.12:80
    # replace haproxy-ip with the load balancer's public IP address
    bind haproxy-ip:443 ssl crt /etc/haproxy/certs/samchris.tech.pem
    # plain-HTTP requests (no TLS on the front connection) are sent to HTTPS
    redirect scheme https if !{ ssl_fc }
    stats uri /haproxy?stats
    default_backend web-servers

backend web-servers
    balance roundrobin
    server web1 10.122.134.1:80
    server web2 10.122.134.3:80

Next, save the changes and exit. Confirm that the HAProxy configuration is valid with the following command:

$ sudo haproxy -f /etc/haproxy/haproxy.cfg -c

You should have the following displayed on your screen:

Configuration file is valid.

If you do not see that, go back over the steps above to find the mistake.

To apply the changes we have made so far, restart HAProxy with the following command:
$ sudo systemctl restart haproxy

and make sure that HAProxy is running

$ sudo systemctl status haproxy
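The Step 3 file handling, turned into a script as an added example (not the post’s own commands): it rebuilds the combined PEM from the Let’s Encrypt live directory, checks that the chain comes before exactly one private key, locks the file down, then validates and reloads HAProxy. It assumes the /etc/letsencrypt/live/domain_name layout from the post, GNU stat, and certbot’s RENEWED_LINEAGE variable, which certbot sets when it runs a --deploy-hook, so the combined file no longer goes stale when the certificate is renewed.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuild the HAProxy PEM from a
# Let's Encrypt live directory, check it, set permissions, validate + reload.
# Intended as: certbot renew --deploy-hook /usr/local/sbin/haproxy-pem.sh
set -eu

# build_haproxy_pem <live_dir> <out_file>: fullchain.pem + privkey.pem -> <out_file> (mode 0600)
build_haproxy_pem() {
  live_dir="$1"; out="$2"
  for f in fullchain.pem privkey.pem; do
    [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
  done
  # Write to a temp file first so HAProxy never reads a half-written PEM.
  tmp=$(mktemp "$out.XXXXXX") || return 1
  cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"
  chmod 0600 "$tmp"
  mv -f "$tmp" "$out"
}

# check_haproxy_pem <file>: at least one certificate block, exactly one private
# key block placed after the chain, and no group/other read access (GNU stat).
check_haproxy_pem() {
  f="$1"
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
  [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
  last_cert=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | tail -n 1 | cut -d: -f1)
  key_line=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | cut -d: -f1)
  [ "$key_line" -gt "$last_cert" ] || { echo "$f: key must follow the chain" >&2; return 1; }
  case $(stat -c %a "$f") in
    600|400) ;;
    *) echo "$f: readable by group/others" >&2; return 1 ;;
  esac
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/samchris.tech)
# when it calls a deploy hook; nothing below runs when the file is only sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  out="/etc/haproxy/certs/$(basename "$RENEWED_LINEAGE").pem"
  build_haproxy_pem "$RENEWED_LINEAGE" "$out"
  check_haproxy_pem "$out"
  haproxy -f /etc/haproxy/haproxy.cfg -c && systemctl reload haproxy
fi
```

To run it by hand for the certificate from this post, set RENEWED_LINEAGE=/etc/letsencrypt/live/samchris.tech in the environment before invoking the script.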

Step 4. Verify SSL Termination

Now, go to your browser and refresh. This time you will find that your load balancer is secured with an SSL certificate, as shown by the padlock icon beside your domain name, and that a plain http:// request is redirected to https://.

Conclusion

In this guide, I have walked you through the steps of obtaining an SSL certificate and making your load balancer safe with it. If you have followed this guide from beginning to end, you should have no errors; otherwise, go through the steps again. Your feedback would be appreciated.

Reference

Let’s Encrypt, Linuxtechi
