Haha I've been fighting getting this to work with crazy cfg files .... Took my normal working config and added the single bind line and it worked.... Gracias
Nice quick overview of this scenario, is there available walkthrough how to do the same, but with different domains on backend servers? I think its called Reverse proxy..
This is really great but if I want my webservers and ISPconfig to handle all certificates is there any way to do that when I have a setup with HAproxy/keepalived? Right now I get can't bind to port 80 error.
I created a secret with cert-manager it has tls.crt tls.key and ca.crt. I have tried to make SSL termination by using the pem file and adding the path of crt and key, but ha-proxy deployment failed to start up and showed an error unable to stat SSL certificate.
how to install the haproxy offline mode, I dont have internet connectivity, I want to downlod the binaries and copy to the destination location and setup the haproxy , is there anyway to do that?
You could create a VM that has all the dependencies, then build from source after uploading the source code to the machine. Check the HAProxy GitHub for info. I can't think of a better way.
How would one ensure 'Secure Renegotiation' is supported on the web server via the haproxy load balancer? My test site fails that test on SSL Labs. SSL termination is handled on my haproxy load balancer. Thank you in advance for any leads! Great video!
HAProxy doesn't support client-initiated renegotiation. But in our experience, you don't typically get dinged for that on SSL Labs. If you would like to share the link to the report, it could shed some light on it.
@@HAProxyTechnologiesHey thank you for that info! I’ve been looking through documentation for some time in search of these details. Is there any official HAProxy documentation where that is specified? If so, would you mind pointing me to it? Thank you!
@@ElectricPinguino89 The HAProxy docs show every available option, docs.haproxy.org/. And there are tutorials available at www.haproxy.com/documentation/hapee/latest/security/tls/ for HAProxy Enterprise.
Thanks for the video, great info. I am assuming that the HAProxy is configured to Load Balance at layer 7 and not Layer 4 right? Can you do the same for Layer 4 or is it necessary to terminate SSl at layer 4 if I want to only use 443?
Thanks
Loay from Egypt
AWESOME!!!! very straightforward video and tool, thanks very much.
Haha I've been fighting getting this to work with crazy cfg files .... Took my normal working config and added the single bind line and it worked.... Gracias
We are glad it helped!
Big help to me!
I want to setup let's encrypt auto renew, have any suggestion ?
Yessss, good stuff.
Good video! Thank you!
Nice quick overview of this scenario, is there available walkthrough how to do the same, but with different domains on backend servers? I think its called Reverse proxy..
How do you get the .pem to include the cert and key? I'm lost on how to combine the two.
This is really great but if I want my webservers and ISPconfig to handle all certificates is there any way to do that when I have a setup with HAproxy/keepalived? Right now I get can't bind to port 80 error.
Where do you have to specify test.com in your haproxy.cfg file? Is that not required at all? I am a little bit confused.
I created a secret with cert-manager it has tls.crt tls.key and ca.crt. I have tried to make SSL termination by using the pem file and adding the path of crt and key, but ha-proxy deployment failed to start up and showed an error unable to stat SSL certificate.
Hi, thanks for the video.
Can SSL termination work for TCP mode (not HTTP)?
With one frontend but several backend points in roundrobin sequence?
What about tcp mode ? Does it work in such way?
how to install the haproxy offline mode, I dont have internet connectivity, I want to downlod the binaries and copy to the destination location and setup the haproxy , is there anyway to do that?
You could create a VM that has all the dependencies, then build from source after uploading the source code to the machine. Check the HAProxy GitHub for info. I can't think of a better way.
And the order matters in the combined .pem file.
How would one ensure 'Secure Renegotiation' is supported on the web server via the haproxy load balancer? My test site fails that test on SSL Labs. SSL termination is handled on my haproxy load balancer. Thank you in advance for any leads! Great video!
HAProxy doesn't support client-initiated renegotiation. But in our experience, you don't typically get dinged for that on SSL Labs. If you would like to share the link to the report, it could shed some light on it.
@@HAProxyTechnologiesHey thank you for that info! I’ve been looking through documentation for some time in search of these details. Is there any official HAProxy documentation where that is specified? If so, would you mind pointing me to it? Thank you!
@@ElectricPinguino89 The HAProxy docs show every available option, docs.haproxy.org/. And there are tutorials available at www.haproxy.com/documentation/hapee/latest/security/tls/ for HAProxy Enterprise.
Great video. I was just wandering which plugins and setup are you using to connect to VS to Linux server. Thanks :)
I ran the VM locally on my workstation using Vagrant, so no plugin needed. :-)
Thanks for the video, great info. I am assuming that the HAProxy is configured to Load Balance at layer 7 and not Layer 4 right? Can you do the same for Layer 4 or is it necessary to terminate SSl at layer 4 if I want to only use 443?
@Nick Ramirez how can it perform the decryption at Layer 4. It doesn't look at the packet data. Only IP
@Nick Ramirez Thanks for the detailed explanation. I also agree with you on the part that the SSL doesn't really fit well on the OSI model.
Shucks, now I can do some real scraping instead of the ol' ... nevermind.
such a stupid expression . calling it "termination" instead of decryption