Configuring SSL/TLS Termination at HAProxy

Both Elastic Runtime and Isolation Segments for Pivotal Cloud Foundry include an HAProxy instance.

Use HAProxy in a deployment only when you need a feature that HAProxy offers and that the CF Routers or IaaS-provided load balancers (such as Azure load balancers) do not.

While HAProxy instances provide load balancing for the Gorouters, HAProxy is not itself highly available. For production environments, use a highly-available load balancer to scale HAProxy horizontally. The load balancer does not need to terminate TLS or even operate at layer 7 (HTTP); it can simply provide layer 4 load balancing of TCP connections. Use of HAProxy does not remove the need for CF Routers; Gorouter must always be deployed for HTTP applications, and TCP Router for non-HTTP applications.

You can generate a self-signed certificate for HAProxy if you do not want to obtain a signed certificate from a well-known certificate authority. Clients do not trust a self-signed certificate unless it is explicitly installed on them, so use one only for development and testing environments.

Procedure: Terminate SSL/TLS at HAProxy

In PCF, perform the following steps to configure SSL termination on HAProxy:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Elastic Runtime tile in the Installation Dashboard.

  3. Click Networking.

  4. Configure the following based on the IaaS of your PCF deployment.

    If your PCF deployment is on OpenStack or vSphere, decide whether you want your HAProxy to be highly available:
    • If you need highly available HAProxy, then perform the following steps:
      1. Choose an IP address for each HAProxy instance on the subnet where you deployed PCF.
      2. In the HAProxy IPs field of the Networking page, enter the IP addresses you have selected for your HAProxy instances.
      3. Configure your load balancer (for example, F5 or NSX) to forward traffic for your system and apps domains to the HAProxy IP addresses.
    • If you do not require high availability (for example, you are setting up a development environment), then perform the following steps:
      1. Skip setting up the load balancer.
      2. Choose one IP address for the single HAProxy instance.
      3. Configure DNS to point at that IP address. See How to Set Up DNS for HAProxy below.
    See also: the Elastic Runtime networking configuration topic for OpenStack or vSphere.

    If your PCF deployment is on AWS, GCP, or Azure:
    1. Leave the HAProxy IPs field blank.
    2. In the Resource Config page of the Elastic Runtime tile, locate the HAProxy job.
    3. In the Load Balancer column for the HAProxy job, specify the appropriate IaaS load balancer resource.
    See also: the Elastic Runtime installation instructions for AWS, Azure, or GCP.

  5. Under Select one of the point-of-entry-options, select the third option, Forward SSL to HAProxy.

  6. Enter your PEM-encoded certificate and your PEM-encoded private key in the fields under SSL Termination Certificate and Private Key. You can either upload your own certificate or generate an RSA certificate in Elastic Runtime. For options and instructions on creating a certificate for your wildcard domains, see Creating a Wildcard Certificate for PCF Deployments.

  7. If you want HAProxy to only allow HTTPS traffic, select Disable HTTP traffic to HAProxy.

  8. If you want HAProxy to accept only a specific set of SSL ciphers, configure HAProxy SSL Ciphers: enter a colon-separated list of cipher names in OpenSSL cipher-string syntax, which is passed to HAProxy as-is. Leave this field blank to keep the default cipher set. OpenSSL silently ignores an entry it does not recognize, so validate the list before you save it.

  9. If you expect requests larger than the default maximum of 16 KB, enter a new value in bytes for Request Max Buffer Size. You may need to do this, for example, to support apps that embed large cookie or query-string values in request headers. Raise it only as far as needed, because larger buffers increase per-connection memory use in HAProxy.

  10. If you are not using SSL encryption, or if you are using self-signed certificates, you can select Disable SSL certificate verification for this environment. Selecting this checkbox also disables SSL verification for route services, so HAProxy and the routers accept any certificate presented on those connections and cannot detect a man-in-the-middle.

    Use this checkbox only for development and testing environments. Do not select it for production environments; obtain a certificate the platform can verify instead.

  11. Complete the rest of the Networking configuration screen, and click Save.

  12. For PCF deployments on AWS, GCP, or Azure, configure the HAProxy job in the Resource Config page of the Elastic Runtime tile. For more information, see the Elastic Runtime installation instructions for AWS, Azure, or GCP.
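Before pasting a cipher list into the HAProxy SSL Ciphers field in step 8, it is worth checking offline that OpenSSL accepts the string and that it enables nothing weak, since HAProxy hands the string to OpenSSL unchanged. The following Python script is an added example and is not part of Elastic Runtime or of this page; the list of weak name fragments and the sample strings are constructed for the example, and it relies on Python's standard ssl module being linked against OpenSSL.

```python
import ssl

# Name fragments that mark a TLS 1.2-or-earlier cipher (or OpenSSL alias)
# as unsuitable for a public HTTPS endpoint. Constructed list for this
# example: no encryption or authentication (NULL, ADH, AECDH), export-grade
# (EXP), RC4, single and triple DES, MD5, and the LOW/MEDIUM aliases.
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES", "MD5", "LOW", "MEDIUM")


def split_entries(cipher_string):
    """Split the colon-separated string HAProxy expects into its entries,
    dropping empty pieces and surrounding whitespace."""
    return [e.strip() for e in cipher_string.split(":") if e.strip()]


def weak_entries(cipher_string):
    """Return the entries that enable a weak cipher. Entries prefixed with
    '!' or '-' remove ciphers, so they are never reported."""
    found = []
    for entry in split_entries(cipher_string):
        if entry[0] in "!-":
            continue
        if any(marker in entry for marker in WEAK_MARKERS):
            found.append(entry)
    return found


def resolved_ciphers(cipher_string):
    """Ask the OpenSSL library Python links against to expand the string.
    Returns the TLS 1.2-and-earlier suite names it would enable, in
    preference order, or None if OpenSSL rejects the string outright
    (no usable cipher), which is the same failure HAProxy would hit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are not governed by this string, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_cipher_string(cipher_string):
    """Combine both checks into a single verdict."""
    weak = weak_entries(cipher_string)
    resolved = resolved_ciphers(cipher_string)
    return {
        "accepted_by_openssl": resolved is not None,
        "weak_entries": weak,
        "enabled_suites": resolved or [],
        "ok": bool(resolved) and not weak,
    }


if __name__ == "__main__":
    # Constructed samples: a list a practitioner might paste into the field,
    # one that enables RC4 and 3DES, and one OpenSSL cannot satisfy at all.
    for sample in (
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:!aNULL",
        "NO-SUCH-CIPHER",
    ):
        verdict = check_cipher_string(sample)
        print(sample)
        print("  accepted:", verdict["accepted_by_openssl"],
              " weak:", verdict["weak_entries"], " ok:", verdict["ok"])
        for name in verdict["enabled_suites"]:
            print("   ", name)
```

Run it with python3 to see each sample expanded. An empty weak list together with a non-empty suite list is the verdict you want before saving the Networking page; the expanded list also shows you the exact preference order HAProxy will offer.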

How to Set Up DNS for HAProxy

You only need to perform this procedure if you are using one instance of HAProxy such as in a development environment. If you would like HAProxy to be highly available, you must have a load balancer in front of it. In this case, you would point DNS at the load balancer.

To use a single instance HAProxy load balancer in a vSphere or OpenStack deployment, create a wildcard A record in your DNS and configure some fields in the Elastic Runtime product tile.

  1. Create an A record in your DNS that points to the HAProxy IP address. The A record associates the System Domain and Apps Domain that you configure in the Domains section of the Elastic Runtime tile with the HAProxy IP address.

    For example, with cf.example.com as the main subdomain for your Cloud Foundry (CF) deployment and an HAProxy IP address 203.0.113.1, you must create an A record in your DNS that serves example.com and points *.cf to 203.0.113.1.

    Name   Type   Data          Domain
    *.cf   A      203.0.113.1   example.com
  2. Use the Linux host command to test your DNS entry. Query names beneath the wildcard; the host command should return your HAProxy IP address for each of them. (The wildcard does not match the bare cf.example.com name itself, so that name only resolves if you also create a record for it.)

    Example:

    $ host api.cf.example.com
    api.cf.example.com has address 203.0.113.1
    $ host anything.cf.example.com
    anything.cf.example.com has address 203.0.113.1

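The wildcard A record above answers for any depth of subdomain, but the wildcard certificate you supply in step 6 of the procedure does not: TLS clients match *.cf.example.com against exactly one label, so a host such as api.system.cf.example.com would resolve to HAProxy and then fail certificate verification. The following Python script is an added example and not code from this page; the system.cf.example.com and apps.cf.example.com domains, the hostnames under them, and the single-record zone are assumed for illustration.

```python
def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def dns_wildcard_matches(owner, hostname):
    """True if the A record with the given owner name answers for hostname.

    A non-wildcard owner must match exactly. A wildcard owner such as
    '*.cf.example.com' matches any name with one OR MORE labels in place of
    the '*' (RFC 4592), so it also answers for a.b.cf.example.com, but not
    for cf.example.com itself. Simplification for this example: the zone is
    assumed to hold no more specific names that would pre-empt the wildcard.
    """
    o, h = labels(owner), labels(hostname)
    if o[0] != "*":
        return o == h
    suffix = o[1:]
    return len(h) > len(suffix) and h[-len(suffix):] == suffix


def cert_wildcard_matches(pattern, hostname):
    """True if a certificate DNS name matches hostname under the rules TLS
    clients apply (RFC 6125 section 6.4.3): '*' is honoured only as the
    whole left-most label and matches exactly ONE label. Hence
    '*.cf.example.com' covers api.cf.example.com but not
    api.system.cf.example.com. Any other pattern must match literally."""
    p, h = labels(pattern), labels(hostname)
    if p[0] != "*":
        return p == h
    return len(h) == len(p) and h[1:] == p[1:]


def coverage(hostnames, a_records, san_patterns):
    """For each hostname, report whether DNS resolves it to HAProxy and
    whether any SAN on the certificate would satisfy a verifying client."""
    report = {}
    for host in hostnames:
        dns_ok = any(dns_wildcard_matches(owner, host) for owner in a_records)
        tls_ok = any(cert_wildcard_matches(p, host) for p in san_patterns)
        report[host] = {"dns": dns_ok, "tls": tls_ok}
    return report


def uncovered(hostnames, a_records, san_patterns):
    """Hostnames that reach HAProxy but fail certificate verification:
    the DNS/TLS wildcard mismatch to look for before going live."""
    rep = coverage(hostnames, a_records, san_patterns)
    return sorted(h for h, r in rep.items() if r["dns"] and not r["tls"])


if __name__ == "__main__":
    # Constructed: a system domain and an apps domain one level below the
    # cf.example.com subdomain used on this page, and the names PCF
    # components and a pushed app are reached at under them.
    hosts = [
        "api.system.cf.example.com",
        "login.system.cf.example.com",
        "myapp.apps.cf.example.com",
    ]
    a_records = ["*.cf.example.com"]  # the page's single wildcard A record
    # A certificate issued only for *.cf.example.com looks sufficient but is not:
    print(uncovered(hosts, a_records, ["*.cf.example.com"]))
    # One wildcard SAN per domain that hosts names directly fixes it:
    print(uncovered(hosts, a_records,
                    ["*.system.cf.example.com", "*.apps.cf.example.com"]))
```

The first call lists all three hostnames as reachable but unverifiable; the second lists none. Run the same check against the SANs of the certificate you intend to upload, with the real system and apps domains from the Domains section of the tile, before you save the Networking page.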