Recently we upgraded an external-facing proxy server at work from Ubuntu 12.04 + Apache to Ubuntu 14.04 + HAProxy. Because of the number of services this proxy handles and the need for it to be secure, we needed a configuration that works with as many client devices as possible while still getting at least an A rating on ssllabs.com.
First things first, we need to get the latest and greatest HAProxy version. By default, Trusty Tahr comes with HAProxy 1.4.24. Unfortunately SSL support wasn't added until the 1.5 series. There is a 1.5 build in the Trusty Backports repository, however it's 1.5.4 and is missing some SSL options. Fortunately there is a PPA (ppa:vbernat/haproxy-1.5) with the latest release (1.5.14 as of this writing). Before proceeding, ensure you have an up-to-date server.
$ sudo apt-get update
$ sudo apt-get dist-upgrade
Add the PPA and install HAProxy:
$ sudo apt-add-repository ppa:vbernat/haproxy-1.5
$ sudo apt-get update
$ sudo apt-get install haproxy
Here is the relevant configuration for creating an A+ rating:
global
    # Refuse SSLv3 and disable TLS session tickets on every "ssl" bind line
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Forward-secret suites only: ECDHE/DHE with AES-GCM first, then AES-256
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

frontend https-in
    # Security headers; spaces inside a header value are escaped with a backslash
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    bind *:443 ssl crt /path/to/your/cert.pem
That's it! Note that this config will not work with IE 6 or IE 8 on Windows XP, nor with Java 6/7 clients. If you have any of those requirements, you may need to loosen the ssl-default-bind-ciphers list a little.
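Added here as a check, not code from the original post: a small Python script that reads an haproxy.cfg and reports where it departs from the settings above (the global bind options, a cipher list, and an HSTS header of at least a year set with http-response rather than rspadd). It assumes the 1.5-style syntax shown in this post; WEAK_CONFIG is a constructed sample, not a real server's config.

```python
import re

REQUIRED_OPTIONS = {"no-sslv3", "no-tls-tickets"}  # the post's ssl-default-bind-options
MIN_HSTS_MAX_AGE = 31536000                        # one year, the max-age the post uses

def parse_sections(text):
    """Map section keys ('global', 'frontend https-in', ...) to their comment-free lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(global|defaults|frontend|listen|backend)\b\s*(\S*)", line)
        if m:
            current = " ".join(p for p in m.groups() if p)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def audit(text):
    """Return findings for one config; an empty list means it matches the post's settings."""
    findings, sections = [], parse_sections(text)
    options, ciphers = set(), None
    for line in sections.get("global", []):
        words = line.split()
        if words[0] == "ssl-default-bind-options":
            options.update(words[1:])
        elif words[0] == "ssl-default-bind-ciphers" and len(words) > 1:
            ciphers = words[1]
    for opt in sorted(REQUIRED_OPTIONS - options):
        findings.append(f"global: ssl-default-bind-options is missing {opt}")
    if ciphers is None:
        findings.append("global: no ssl-default-bind-ciphers, so OpenSSL's default list applies")
    for name, lines in sections.items():
        if not any(re.match(r"bind\s.*\sssl\b", l) for l in lines):
            continue  # header checks only matter on a TLS listener
        joined = "\n".join(lines)
        hsts = re.search(r"http-response set-header Strict-Transport-Security\s+max-age=(\d+)", joined)
        if hsts is None:
            findings.append(f"{name}: no HSTS header set with http-response set-header")
        elif int(hsts.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"{name}: HSTS max-age {hsts.group(1)} is under one year")
        if "rspadd" in joined:
            findings.append(f"{name}: uses rspadd; HAProxy recommends http-response set-header")
    return findings

# Constructed sample: TLS is on, but the global hardening is absent and HSTS uses the old rspadd form.
WEAK_CONFIG = """global
frontend https-in
    bind *:443 ssl crt /path/to/your/cert.pem
    rspadd Strict-Transport-Security:\\ max-age=300
"""
```

Run it as `audit(open("/etc/haproxy/haproxy.cfg").read())` after editing the config; an empty list means the file carries every setting the post recommends.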
Don't forget to test your server on ssllabs.com once you save the config and reload HAProxy!
Note: Updated on 2015/Jul/23 with recommendation from HAProxy to use http-response instead of rspadd.