Title : Using haproxy for TLS layer
Author: Solène
Date  : 07 March 2019
Tags  : openbsd

This article explains how to use haproxy to add a TLS layer to any TCP
protocol. This includes http or gopher. The following example explains
the minimal setup required in order to make it work, haproxy has a lot
of options and I won't use them.

The idea is to let haproxy manage the TLS part and let your http server
(or any daemon listening on TCP) replying within the wrapped connection.


You need a simple haproxy.cfg which can looks like that:

    defaults
            mode    tcp
            timeout client 50s
            timeout server 50s
            timeout connect 50s
    
    frontend haproxy
            bind *:7000 ssl crt /etc/ssl/certificat.pem
            default_backend gopher
    
    backend gopher
            server gopher 127.0.0.1:7070 check

The idea is that it waits on port 7000 and will use the file
**/etc/ssl/certificat.pem** as a certificate, and forward requests to the
backend on 127.0.0.1:7070. **That is ALL**. If you want to do https, you need
to listen on port 443 and redirect to your port 80.

The PEM file is made from the privkey concatenated with the fullchain
certificate. If you use a self signed certificate, you can make it with the
following command:

    cat secret.key certificate.crt > cert.pem

One can use a folder with PEM certificates files inside instead of using a
file. This will allow haproxy to receive connections for ALL the certificates
loaded.

For more security, I recommend using the chroot feature and a dh file but it's
out of the current topic.