Securing HTTP Traffic with SSL/TLS Using HAProxy

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

Security should never be an afterthought, but even if it is, HAProxy has got your back! In this lab, we’re going to get hands-on with HAProxy, using it to secure existing HTTP connections via SSL termination at our HAProxy server. We’re also going to configure HAProxy to redirect HTTP requests to HTTPS so our sites’ guests are gently herded into more secure pastures. Upon completion of the lab, you will be able to secure an HAProxy installation to load balance HTTP/S connections.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Secure Our Sites with SSL/TLS

Let’s secure our frontend with SSL/TLS!

Perform the following:

  • Change the frontend to bind to port 443 on all addresses.
    • Configure SSL/TLS, using the /etc/haproxy/certs directory.
    • Force TLS v1.2.
    • Leave the 2 backends untouched.
    • Restart the haproxy service.
    • Perform the following checks with curl -k:
    • The first 2 should work, the second 2 will fail.
Redirect HTTP Traffic to HTTPS

The final thing we want to do is to start accepting HTTP traffic again, but we need to force it to HTTPS. This way, if our users make a request using HTTP, we can enforce the use of encryption.

Perform the following:

  • Change the frontend to also bind to port 80 on all addresses,
  • Create a redirect to force HTTPS, unless the client is already using it,
  • Leave the 2 backends untouched,
  • Restart the haproxy service,
  • Perform the following checks with curl -kL:
    • All checks should work.

Additional Resources

It's time to secure our web farm!

We're building a web development environment using containerized nginx web servers, and we have HAProxy handling HTTP traffic for our 2 sites. Now, we need to add security and encryption via SSL/TLS. Additionally, we want to be sure we handle both HTTP and HTTPS traffic at the load balancer.

How can we accomplish this?

When the lab starts, you will want to open an SSH connection to your lab instance(s):

ssh cloud_user@PUBLIC_IP_ADDRESS

Replace PUBLIC_IP_ADDRESS with either the public IP or DNS of the instance(s). The cloud_user password has been provided with the instance information.

Entries for and have been created in /etc/hosts that point to Additionally, SSL certificates for HAProxy have been generated in /etc/haproxy/certs/. The HAProxy package has also been installed, but it is not running.

On our system, we have 2 sites, site1 and site2, configured, with 3 web server containers in each, running rootlessly by the cloud_user account. They've been prepopulated with a test text file at /test.txt that identifies which site and server we're accessing.

The nginx containers are configured as follows:

  • site1_server1: web server accessible on port 8081
  • site1_server2: web server accessible on port 8082
  • site1_server3: web server accessible on port 8083
  • site2_server1: web server accessible on port 8084
  • site2_server2: web server accessible on port 8085
  • site2_server3: web server accessible on port 8086

Good luck and enjoy!

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?