How to Install SSL Certificate on HAProxy

A comprehensive guide to installing and configuring SSL certificates on HAProxy load balancers.

Prerequisites

Before installing an SSL certificate on HAProxy, ensure you have:

  • HAProxy installed and running
  • Root or sudo access to the server
  • Domain name pointing to your HAProxy server
  • SSL certificate files:
    • Certificate file (.crt)
    • Private key file (.key)
    • Certificate chain file (if applicable)

Obtaining SSL Certificate

You can obtain an SSL certificate through several methods:

Certificate Options
  • Commercial CA: Purchase from trusted providers
  • Let's Encrypt: Free certificates (requires additional setup)
  • Self-signed: For testing/development only

Installing SSL Certificate

Follow these steps to prepare your SSL certificate:

  1. Create a directory for certificates:
    sudo mkdir -p /etc/haproxy/certs
  2. Combine certificate and private key (append the certificate chain file as well, if your CA provided one):
    sudo sh -c 'umask 077; cat example.com.crt example.com.key > /etc/haproxy/certs/example.com.pem'
  3. Set proper permissions:
    sudo chown -R haproxy:haproxy /etc/haproxy/certs
    sudo chmod 600 /etc/haproxy/certs/example.com.pem
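
The checks below cover the bundle built in the steps above: that it contains both a certificate and a key, that its mode is private, that the key matches the certificate, and that the certificate is not about to expire. This is an added example, not part of the original guide; the function names are illustrative, and the key-match and expiry checks assume the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for an HAProxy PEM bundle.
# Function names are illustrative, not part of HAProxy or of the guide.

# The bundle needs at least one certificate block and one private key block.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# The file holds key material: group and others must have no access (e.g. mode 600).
pem_mode_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Public key in the first certificate must equal the one derived from the private key.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# First certificate must stay valid for at least $2 more days (default 30).
pem_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run every check, report each failure, return non-zero if any check failed.
check_bundle() {
    rc=0
    pem_has_cert_and_key "$1" || { echo "FAIL: $1 lacks a certificate or private key block"; rc=1; }
    pem_mode_is_private "$1"  || { echo "FAIL: $1 is accessible to group or others"; rc=1; }
    pem_key_matches_cert "$1" || { echo "FAIL: private key does not match the first certificate"; rc=1; }
    pem_not_expiring "$1" 30  || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return "$rc"
}

# Direct use: sh check_bundle.sh /etc/haproxy/certs/example.com.pem
if [ "$#" -gt 0 ]; then
    check_bundle "$1" || exit 1
fi
```

Run it with sudo, since the bundle is readable only by its owner.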

Configuring HAProxy

Use our configuration generator to create your HAProxy SSL configuration:

Generated Configuration
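global
    # ECDHE key exchange with AES-GCM only; this list applies to TLS 1.2 and below
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 on every bind line
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

frontend https-in
    # Terminate TLS here using the combined certificate and key file
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http
    # Pass the client IP to the backends in X-Forwarded-For
    option forwardfor
    default_backend web-backend

backend web-backend
    mode http
    balance roundrobin
    # Traffic from HAProxy to these servers is plain HTTP on port 80
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check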

Important: Always back up your configuration before making changes.

Testing Configuration

Verify your SSL configuration:

  1. Check HAProxy configuration:
    haproxy -c -f /etc/haproxy/haproxy.cfg
  2. Restart HAProxy:
    sudo systemctl restart haproxy
  3. Verify SSL installation:
    • Visit https://example.com
    • Check certificate details in browser
    • Use SSL testing tools (e.g., SSLLabs)

Troubleshooting

  • Certificate not loading: Check file permissions and format
  • SSL handshake failures: Verify cipher configuration
  • Backend connection issues: Check backend server health
  • Port conflicts: Ensure ports 80/443 are available

Best Practices

  • Security:
    • Use strong SSL ciphers
    • Enable Perfect Forward Secrecy
    • Regular security audits
  • Maintenance:
    • Monitor certificate expiration
    • Regular configuration backups
    • Keep HAProxy updated

SSL Termination

HAProxy SSL termination features:

Key Benefits
  • Offload SSL processing from backend servers
  • Centralized SSL certificate management
  • Support for SNI (Server Name Indication)
  • Advanced load balancing capabilities
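# Example SNI Configuration
frontend https-in
    # crt-list.txt names one certificate file per line; HAProxy selects one by SNI
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
    # Routes to the backend whose name equals the lowercased SNI hostname
    use_backend %[ssl_fc_sni,lower]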
Tip: SSL termination at HAProxy improves performance and simplifies certificate management.

Certellix is an independent service. We are not affiliated with any commercial certificate authority.