Configuring SSL/TLS for HAProxy
You can configure SSL or TLS for HAProxy when using ThingWorx HA Clustering.
HAProxy can be set up for external SSL and internal SSL. You must provide the certificate files. You cannot use passthrough SSL since ThingWorx requires access to the request object for path-based routing. There are many options for configuring SSL in HAProxy. The following is for reference only; for more information, see https://cbonte.github.io/haproxy-dconv/2.0/configuration.html.
If SELinux blocks HAProxy, adjust SELinux configurations accordingly.
External SSL from Clients to HAProxy
In the global configuration, you can set up optional default locations for certs and private keys. In the front-end configuration, you can configure the ciphers and supported TLS levels. For example:
global
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
With no additional TLS configuration, HAProxy will automatically choose a cipher suite based on the client and HAProxy's available cipher suites.
To verify which TLS versions a specific HAProxy build supports, run the haproxy -vv command.
[root@hasrv]# haproxy -vv
Omitted output.

Built with OpenSSL version : OpenSSL 1.1.1k FIPS 25 Mar 2021
Running on OpenSSL version : OpenSSL 1.1.1k FIPS 25 Mar 2021
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

Omitted output.
You can see that HAProxy is built with the OpenSSL 1.1.1k library. Therefore, HAProxy has TLSv1.3-capable cipher suites, which means that if the client has the same capabilities, the TLS connection will be negotiated as TLSv1.3.
It is strongly recommended that you use the HAProxy version built with OpenSSL 1.1.1 or above. Earlier versions of the OpenSSL library don’t support TLSv1.3.
To configure ciphers manually, refer to the related configuration settings:
ssl-default-bind-ciphers – for the front end, TLSv1.2 maximum. Any TLSv1.3/TLSv1.2-capable cipher will work in TLSv1.2 mode.
ssl-default-bind-ciphersuites – for the front end, TLSv1.3-capable.
ssl-default-server-ciphers – for the back end, TLSv1.2 maximum. Any TLSv1.3/TLSv1.2-capable cipher will work in TLSv1.2 mode.
ssl-default-server-ciphersuites – for the back end, TLSv1.3-capable.
For examples of manual cipher configuration, see the SSL Configuration Generator.
The front-end section is the location of the incoming endpoint. This is where you should configure the bind port and certificate to use. For more information about the bind configurations, see HAPROXY Configuration Manual.
For example:
frontend ft_web
bind *:8443 ssl crt /certs/haproxy.pem name sslweb
Internal SSL from HAProxy to Applications
Internal SSL is configured per back-end server. Each server can have different settings. In the following example, all platform servers support SSL and receive requests on port 8443. The server endpoint is configured to point to that location and use SSL. This example uses self-signed certificates so verify is set to none. For more information about server configuration options, see HAPROXY Configuration Manual.
backend platform
server platform1 platform1:8443 ssl verify none
server platform2 platform2:8443 ssl verify none
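As an added check that is not part of this documentation, the following Python script audits the frontend and backend fragments above for two settings a reviewer would flag: a bind line with no TLS version floor, and a server line that disables certificate verification (verify none, which the self-signed example above relies on). The sample configuration is constructed from this page's fragments; ssl-min-ver, no-tlsv10, verify required and ca-file are existing HAProxy keywords.

```python
# Constructed sample, assembled from the frontend and backend fragments on this page.
SAMPLE_CFG = """\
global
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
frontend ft_web
    bind *:8443 ssl crt /certs/haproxy.pem name sslweb
    acl emsg path_beg /eMessage /lwPing /upload /download
    use_backend emessage if emsg  # conditional forwarding
    default_backend platform
backend platform
    server platform1 platform1:8443 ssl verify none
    server platform2 platform2:8443 ssl verify none
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
FLOOR_OPTIONS = {"ssl-min-ver", "no-sslv3", "no-tlsv10", "no-tlsv11"}

def parse(cfg):
    """Yield (section header, tokens) per directive; comments and blanks are dropped."""
    section = None
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = " ".join(tokens)
            continue
        yield section, tokens

def audit(cfg):
    """Return findings for TLS settings a reviewer would flag in this config."""
    directives = list(parse(cfg))
    # A global ssl-default-bind-options line carrying a version floor covers every bind.
    global_floor = any(
        tokens[0] == "ssl-default-bind-options" and FLOOR_OPTIONS & set(tokens[1:])
        for section, tokens in directives if section == "global")
    findings = []
    for section, tokens in directives:
        if tokens[0] == "bind" and "ssl" in tokens:
            if not global_floor and "ssl-min-ver" not in tokens:
                findings.append(f"{section}: bind {tokens[1]} has no TLS version floor; "
                                "add ssl-min-ver TLSv1.2 (or ssl-default-bind-options)")
        elif tokens[0] == "server" and "ssl" in tokens:
            if "verify" in tokens and tokens[tokens.index("verify") + 1:][:1] == ["none"]:
                findings.append(f"{section}: server {tokens[1]} uses verify none; "
                                "switch to verify required with ca-file once certs are trusted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)) or "no findings")
```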
Backend and Frontend Example for eMessage Connector
If HAProxy sits between the Axeda Agent and the eMessage connector, add the following configuration to HAProxy:
In the frontend, add the path-based routing rule that sends eMessage connector traffic to a new backend:
frontend ft_web
bind *:<HAProxy listening port> ssl crt /certs/haproxy.pem name sslweb

# path-based routing to the eMessage connector
acl emsg path_beg /eMessage /lwPing /upload /download
# conditional forwarding to the emessage backend
use_backend emessage if emsg
default_backend platform
Create a new backend for the eMessage connector:
backend emessage
balance roundrobin
# health check on port 9009; verify none because the connector uses a self-signed certificate
server emessage <eMessage port> check port 9009 ssl verify none
Creating a Self-Signed Cert
For example:
openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
  -keyout haproxy.key -out haproxy.crt -subj "/CN=$HAPROXY_SSL_SERVER_CERT_CN" && \
# HAProxy expects the certificate followed by its private key in a single PEM file
cat haproxy.crt haproxy.key >> /certs/haproxy.pem && \
# the PEM now contains the private key; tighten this mode (for example 600, owned by the HAProxy user) when only HAProxy needs to read it
chmod 755 /certs/haproxy.pem
Using Docker
You can use the official HAProxy container and mount in certs and haproxy.cfg files. The internal HAProxy container supports the following configurations:
PLATFORM_ADDRESSES: platform1,platform2,platform3
CXSERVER_ADDRESSES: cxserver1,cxserver2
HAPROXY_STAT_USER: admin
HAPROXY_STAT_PASSWORD: thingworx
SSL_ENABLED: true
SSL_CERT_PATH: /certs/haproxy.pem
LOG_LEVEL: debug
PLATFORM_SECURE: true
PLATFORM_SECURE_PORT: 8443
PLATFORM_PORT: 8080
CXSERVER_SECURE: true
CXSERVER_SECURE_PORT: 8443
CXSERVER_PORT: 8080
Certificates should be mounted to the /certs folder:
haproxy:
  image: artifactory.rd2.thingworx.io/twxdevops/tw-lb-haproxy:latest
  container_name: haproxy
  ports:
    - 9100:8080
    - 9143:8443
    - 1936:1936
  environment: *haproxy-env
  volumes:
    - certs:/certs