Configuring SSL/TLS for HAProxy
You can configure SSL or TLS for HAProxy when using ThingWorx HA Clustering.
HAProxy can be set up for external SSL and internal SSL. You must provide the certificate files. You cannot use passthrough SSL, since ThingWorx requires access to the request object for path-based routing. There are many options for configuring SSL in HAProxy. The following is for reference only; for more information, see https://cbonte.github.io/haproxy-dconv/2.0/configuration.html.
External SSL from Clients to HAProxy
In the global configuration, you can set up optional default locations for certs and private keys. In the front-end configuration, you can configure the ciphers and supported TLS levels. For example:
global
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
The front-end section is the location of the incoming endpoint. This is where you configure the bind port and the certificate to use. For more information about the bind configurations, see https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.1.
For example:
frontend ft_web
bind *:8443 ssl crt /certs/haproxy.pem name sslweb
Binding the port and certificate is essential if you have installed ThingWorx Flow in a ThingWorx HA environment.
Internal SSL from HAProxy to Applications
Internal SSL is configured per back-end server. Each server can have different settings. In the following example, all platform servers support SSL and receive requests on port 8443. The server endpoint is configured to point to that location and use SSL. This example uses self-signed certificates, so verify is set to none. For more information about server configuration options, see https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2.
backend platform
server platform1 platform1:8443 ssl verify none
server platform2 platform2:8443 ssl verify none
Example for ThingWorx Flow
If you have installed ThingWorx Flow in a ThingWorx HA environment, then add the back-end ThingWorx Flow configuration information:
backend flow
server nginx <NGinx_IP>:443 check ssl verify none
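The external and internal settings above are the ones worth checking before a configuration goes live: a minimum TLS version on the listener, a certificate on every ssl bind, and whether each ssl back-end server actually verifies the certificate it is presented with (verify none, as used for the self-signed setup above, accepts any certificate). The following Python script audits an haproxy.cfg for exactly those points. It is an added example, not code from the ThingWorx or HAProxy documentation; the sample configuration is constructed here, modelled on the snippets on this page (the IP address and CA file path are placeholders), and the function names are the example's own.

```python
"""Audit an HAProxy configuration for the TLS settings covered above.

Added example, not part of the ThingWorx or HAProxy documentation. The sample
configuration below is constructed for this example and modelled on the
snippets in this page; function names are the example's own.
"""
import re
from typing import Dict, List

# Constructed sample: a TLS frontend plus a plaintext listener, platform servers
# that skip certificate verification (self-signed certs), and a Flow server
# that verifies against an internal CA (address and CA path are placeholders).
SAMPLE_CFG = """
global
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

frontend ft_web
    bind *:8443 ssl crt /certs/haproxy.pem name sslweb
    bind *:8080
    default_backend platform

backend platform
    server platform1 platform1:8443 ssl verify none
    server platform2 platform2:8443 ssl verify none

backend flow
    server nginx 10.0.0.5:443 check ssl verify required ca-file /etc/ssl/certs/internal-ca.pem
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def parse_sections(text: str) -> List[Dict]:
    """Split haproxy.cfg text into sections, dropping comments and blank lines."""
    sections: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = {"type": match.group(1), "name": match.group(2), "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections


def audit(text: str) -> List[str]:
    """Return one finding per weak or incomplete TLS setting."""
    findings: List[str] = []
    saw_ciphers = False
    for sec in parse_sections(text):
        where = f"{sec['type']} {sec['name']}".strip()
        for line in sec["lines"]:
            words = line.split()
            keyword = words[0]
            if sec["type"] == "global" and keyword == "ssl-default-bind-ciphers":
                saw_ciphers = True
            elif sec["type"] == "global" and keyword == "ssl-default-bind-options":
                opts = set(words[1:])
                legacy_disabled = {"no-sslv3", "no-tlsv10", "no-tlsv11"} <= opts
                if "ssl-min-ver" not in opts and not legacy_disabled:
                    findings.append(f"{where}: {keyword} still allows TLS 1.0/1.1; "
                                    "add 'ssl-min-ver TLSv1.2'")
            elif keyword == "bind":
                if "ssl" not in words:
                    findings.append(f"{where}: plaintext listener '{line}'")
                elif "crt" not in words:
                    findings.append(f"{where}: '{line}' enables ssl without a crt")
            elif keyword == "server" and "ssl" in words:
                name = words[1]
                # HAProxy's global ssl-server-verify default is 'required',
                # so a server line without 'verify' verifies.
                mode = "required"
                if "verify" in words:
                    idx = words.index("verify")
                    mode = words[idx + 1] if idx + 1 < len(words) else "required"
                if mode == "none":
                    findings.append(f"{where}: server {name} accepts any backend "
                                    "certificate (verify none)")
                elif "ca-file" not in words:
                    findings.append(f"{where}: server {name} verifies but names no ca-file")
    if not saw_ciphers:
        findings.append("global: no ssl-default-bind-ciphers; listeners use the library default")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

Run against the sample, the audit reports the bind-options line (only SSLv3 is disabled), the plaintext 8080 listener, and the two platform servers with verify none; the Flow server, which verifies against a named CA file, produces no finding. Switching the platform servers to verify required with a ca-file pointing at the CA that signed the internal certificates clears the remaining findings.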
Creating a Self-Signed Cert
For example:
# HAProxy reads the certificate and the private key from a single PEM file.
openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout haproxy.key -out haproxy.crt -subj "/CN=$HAPROXY_SSL_SERVER_CERT_CN" && \
cat haproxy.crt haproxy.key >> /certs/haproxy.pem && \
chmod 755 /certs/haproxy.pem
Example for ThingWorx Flow
If you have installed ThingWorx Flow in a ThingWorx HA environment, then do the following:
1. Create the certs folder with all required permissions under /
2. Run the following command to create the certificate:
sudo openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout haproxy.key -out haproxy.crt -subj "/CN=<Load_Balancer_Host>" && sudo cat haproxy.crt haproxy.key | sudo tee -a /certs/haproxy.pem >/dev/null
This command creates haproxy.crt and haproxy.key under the /etc/haproxy folder (the folder you run it from) and haproxy.pem under the /certs folder. The quotes around the -subj value must be plain ASCII double quotes, and the append to /certs/haproxy.pem goes through sudo tee so that it also works when the /certs folder is owned by root.
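The two procedures above build the bundle by hand. The following POSIX shell script, an added example that is not part of the ThingWorx or HAProxy documentation, does the same and adds the check a practitioner wants before mounting the file into /certs: that the private key in the bundle actually matches the certificate, and that the subject carries the expected CN. The function names and the output directory layout are this example's own assumptions; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the ThingWorx/HAProxy documentation): build the PEM
# bundle HAProxy expects, then confirm the private key matches the certificate
# before the file is mounted into /certs. Function and variable names are
# assumptions for this example. Requires the openssl CLI.
set -eu

# Create a self-signed cert and key for CN=$1 and write haproxy.pem into $2.
make_haproxy_bundle() {
  cn="$1"
  out="$2"
  mkdir -p "$out"
  # New files are owner-only: the bundle contains the private key.
  umask 077
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
    -keyout "$out/haproxy.key" -out "$out/haproxy.crt" \
    -subj "/CN=$cn" >/dev/null 2>&1
  # HAProxy reads certificate and key from one file. Write rather than append,
  # so a rerun does not leave a stale cert/key pair in front of the new one.
  cat "$out/haproxy.crt" "$out/haproxy.key" > "$out/haproxy.pem"
}

# Return 0 if the public key in the bundle's certificate equals the public key
# derived from the bundle's private key. openssl x509 uses the first
# CERTIFICATE block and openssl pkey the first private-key block, so the
# combined file can be checked directly.
bundle_key_matches_cert() {
  pem="$1"
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the subject of the bundled certificate, so the CN can be compared with
# the load balancer host name clients will use.
bundle_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Usage: sh make-bundle.sh <CN> <output-dir>
if [ "$#" -ge 2 ]; then
  make_haproxy_bundle "$1" "$2"
  bundle_key_matches_cert "$2/haproxy.pem" && echo "key matches certificate"
  bundle_subject "$2/haproxy.pem"
fi
```

The script leaves the bundle owner-only, which suits a package install where HAProxy loads certificates at startup before switching to the user and group named in its global section; for the Docker setup below, the file must instead be readable by whichever user the container runs HAProxy as, so adjust ownership of /certs accordingly.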
Using Docker
You can use the official HAProxy container and mount in certs and haproxy.cfg files. The internal HAProxy container supports the following configurations:
PLATFORM_ADDRESSES: platform1,platform2,platform3
CXSERVER_ADDRESSES: cxserver1,cxserver2
HAPROXY_STAT_USER: admin
HAPROXY_STAT_PASSWORD: thingworx
SSL_ENABLED: true
SSL_CERT_PATH: /certs/haproxy.pem
LOG_LEVEL: debug
PLATFORM_SECURE: true
PLATFORM_SECURE_PORT: 8443
PLATFORM_PORT: 8080
CXSERVER_SECURE: true
CXSERVER_SECURE_PORT: 8443
CXSERVER_PORT: 8080
FLOW_SECURE: true
FLOW_SECURE_PORT: 443
FLOW_PORT: 80
Certificates should be mounted to the /certs folder:
haproxy:
  image: artifactory.rd2.thingworx.io/twxdevops/tw-lb-haproxy:latest
  container_name: haproxy
  ports:
    - 9100:8080
    - 9143:8443
    - 1936:1936
  environment: *haproxy-env
  volumes:
    - certs:/certs