One deep dive with haproxy and I have handed it complete control of all my certificates.
* One bind statement with every single cert file I own, and haproxy is instantly handling every host’s SSL handshaking using SNI
* It is handling dynamic conversion of http requests to https
* It has removed the need for https on any webserver on the secured LAN
* It allows incredibly flexible load balancing via host, port, url, etc etc
* It is easy to set up to use ssl best practices, so every one of your websites instantly gets A+ ratings on ssl labs
Unbelievable, I’m stunned.
Here’s all I needed to get ssl labs A+ ratings:
global
    # MDM NO SSLv3! Good ciphers!
    # force-tlsv12 pins TLS 1.2 only; on HAProxy 1.8+ use "ssl-min-ver TLSv1.2" instead so TLS 1.3 is not excluded
    ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
    ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend ....
    # MDM We need to provide an HSTS header to get A+ at ssllabs! (TLS frontend only, never the plain-http one)
    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
    # reqadd was removed in HAProxy 2.1; the equivalent there is "http-request set-header X-Forwarded-Proto https"
    reqadd X-Forwarded-Proto:\ https

Two caveats before copying this. The preload token asks browser vendors to hard-code your domains (and every subdomain) as HTTPS-only, which is very hard to undo, and the preload list now requires a max-age of at least 31536000 (one year), so 16000000 no longer qualifies for submission. And because the backend trusts X-Forwarded-Proto, the web servers must only be reachable through haproxy, which is exactly what keeping them on the secured LAN buys you.
Also needed this in wordpress wp-config.php, so that WordPress treats the proxied request as https when building URLs and deciding on redirects:
// haproxy terminates TLS and sets X-Forwarded-Proto; this is only safe because
// the web server is reachable solely through haproxy on the secured LAN.
// isset() avoids an undefined-index notice for direct (non-proxied) requests.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
One more thing I had to worry about: cookies.
From the client side of my production environment, it all looks like perfectly secured https.
My simple dev environments do not run through haproxy – they COULD, but I work from a dozen different places and running each one through a domain would be a lot of overhead. Instead, I hacked up the server to specify https cookies (via the Secure keyword) only when running behind haproxy. Onwards.
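As an added example that is not the original post's configuration, here is a complete minimal haproxy.cfg that wires together everything discussed above (one SNI bind over a certificate directory, http-to-https redirect, HSTS, and a trustworthy X-Forwarded-Proto) in HAProxy 2.x syntax, and also shows a proxy-side alternative to the cookie hack in the last section: haproxy stamps Secure onto every Set-Cookie the backend emits, so the application needs no environment-specific cookie code. The certificate directory, hostname, backend address and names are assumptions.

```haproxy
# Added example, not the original post's config. Assumes HAProxy 2.x,
# certificates as key+chain .pem files in /etc/haproxy/certs/, and a
# WordPress backend at 10.0.0.10:80 on the secured LAN (all assumed).
global
    # TLS 1.2+ only (TLS 1.3 stays enabled), forward-secret AEAD ciphers,
    # no session tickets (a static ticket key weakens forward secrecy).
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: permanently redirect everything to https (host and path kept).
# No HSTS here; the header is only meaningful on a TLS response.
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# TLS termination for every site. Each .pem in the directory is loaded and
# the certificate is selected per connection by SNI.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1

    # HSTS on the TLS frontend only. Add "; preload" only once every
    # subdomain serves TLS; the preload list requires max-age >= 1 year.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains

    # Never trust a client-supplied X-Forwarded-Proto: delete it, then set
    # our own, so the backend's HTTPS detection cannot be spoofed.
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https

    # Stamp Secure on every cookie the backend sets. A duplicated Secure
    # attribute is harmless, so no condition is needed for cookies that
    # already carry it.
    http-response replace-header Set-Cookie (.*) \1;\ Secure

    # Route by Host header; unmatched hosts fall through to the default.
    use_backend wordpress if { req.hdr(host) -i blog.example.com }
    default_backend wordpress

backend wordpress
    # Backends on the secured LAN speak plain HTTP; haproxy did the TLS.
    server wp1 10.0.0.10:80 check
```

With this in place the wp-config.php snippet above still applies (WordPress still has to learn that the original request was https), but the dev-versus-production cookie switch is no longer needed: a dev box that is not behind haproxy simply never receives the Secure stamp, and the production box gets it on every cookie regardless of what the application does.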