Implementing SSL termination at your load balancer enhances security and simplifies certificate management. Let's Encrypt provides free SSL certificates, making it an attractive option for many administrators. HAProxy, a powerful open-source load balancer, can be configured to handle SSL termination efficiently.

What is SSL Termination?

SSL termination is the process where encrypted HTTPS traffic is decrypted at the load balancer. The backend servers then receive plain HTTP, which takes the TLS processing load off them and means only the load balancer needs a certificate. The trade-off is that the hop between the load balancer and the backends is unencrypted, so that network has to be one you trust.

Prerequisites

  • A server running HAProxy
  • Root or sudo access to the server
  • Domain name pointing to your server
  • Certbot installed for obtaining Let's Encrypt certificates

Obtaining a Let's Encrypt Certificate

Start by installing Certbot if it’s not already installed. Then run the following command to obtain your SSL certificate (certonly fetches the certificate without installing it into any web server; HAProxy is configured by hand below). Standalone mode has Certbot answer the validation request itself on port 80, so run it before HAProxy is listening on that port, or stop HAProxy briefly while it runs:

sudo certbot certonly --standalone -d yourdomain.com

Certbot stores the resulting files under /etc/letsencrypt/live/yourdomain.com/. The two that matter here are fullchain.pem (your certificate followed by the intermediate chain) and privkey.pem (the private key).

Configuring HAProxy for SSL Termination

Edit your HAProxy configuration file, usually located at /etc/haproxy/haproxy.cfg. HAProxy's crt option expects a single PEM file containing the certificate chain followed by the private key, so first concatenate fullchain.pem and then privkey.pem from the Let's Encrypt directory into one file, for example /etc/haproxy/certs/yourdomain.com.pem, readable only by root since it holds the key. Then add or modify the frontend section to terminate SSL using that file:

Example:

frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/yourdomain.com.pem
    mode http
    default_backend servers

Ensure that the path to the certificate file is correct. Also add the following to the global section so that every bind line refuses anything older than TLS 1.2 and disables TLS session tickets:

ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

Redirect HTTP to HTTPS

To ensure all traffic is secure, redirect HTTP traffic to HTTPS by adding a redirect rule:

frontend http_in
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

Testing and Maintenance

After configuring HAProxy, restart the service:

sudo systemctl restart haproxy

Visit your domain via HTTPS to verify the SSL certificate is active. Certbot automatically renews certificates, but a renewed certificate only reaches clients once HAProxy has been given the new files and reloaded, so make sure that step happens after each renewal. It’s also good practice to test renewal:

sudo certbot renew --dry-run
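Renewal leaves a fresh fullchain.pem and privkey.pem in the live directory, but HAProxy keeps serving the file it loaded at start until that file is rebuilt and HAProxy reloaded. The deploy hook below is an added example, not code from this article or from the HAProxy or Certbot projects: it rebuilds the combined PEM, checks the configuration parses, and reloads. It assumes /etc/haproxy/certs as the combined-PEM directory and is run by Certbot via --deploy-hook, which exports RENEWED_LINEAGE to the hook.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not from the article): rebuild HAProxy's
# combined PEM from the Let's Encrypt live directory, check the config, reload.
# Assumed locations: /etc/haproxy/certs for combined PEMs (override via env).
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# HAProxy's "crt" wants one file: certificate chain first, then the private key.
# $1 = Let's Encrypt live dir for one domain, $2 = output path.
# Written to a temp file and renamed so a reload never reads a half-written PEM.
build_haproxy_pem() {
    live_dir="$1"; out="$2"
    [ -s "$live_dir/fullchain.pem" ] || { echo "missing fullchain.pem in $live_dir" >&2; return 1; }
    [ -s "$live_dir/privkey.pem" ]   || { echo "missing privkey.pem in $live_dir" >&2; return 1; }
    tmp="$out.tmp.$$"
    # umask 077 in a subshell: the file holds a private key, so owner-only (0600)
    ( umask 077; cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" )
    mv -f "$tmp" "$out"
}

# Number of PEM blocks in a file: the chain certificates plus exactly one key.
pem_block_count() {
    grep -c -- '-----BEGIN ' "$1"
}

# Reload only if the configuration parses; a failed reload would drop the site.
reload_haproxy() {
    haproxy -c -q -f "$HAPROXY_CFG" && systemctl reload haproxy
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/yourdomain.com)
# to a --deploy-hook after a successful renewal; do nothing when run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    domain="$(basename "$RENEWED_LINEAGE")"
    mkdir -p "$HAPROXY_CERT_DIR"
    build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR/$domain.pem"
    [ "$(pem_block_count "$HAPROXY_CERT_DIR/$domain.pem")" -ge 2 ] || exit 1
    reload_haproxy
fi
```

Register it with certbot certonly ... --deploy-hook /path/to/this-script so it runs after every successful renewal, including the ones started by Certbot's timer.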

Conclusion

Using Let's Encrypt with HAProxy for SSL termination provides a cost-effective, secure solution for managing HTTPS traffic. Proper configuration ensures encrypted connections and simplifies backend server management.