One deep dive with haproxy and I have handed it complete control of all my certificates.<\/p>\n
* One bind statement with every single cert file I own, and haproxy is instantly handling every host’s SSL handshaking using SNI
\n* It is handling dynamic conversion of http requests to https
\n* It has removed the need for https on any webserver on the secured LAN
\n* It allows incredibly flexible load balancing via host, port, url, etc etc
\n* It is easy to set up to use ssl best practices, so every one of your websites instantly gets A+ ratings on ssl labs<\/p>\n
Unbelievable, I’m stunned. <\/p>\n
Here’s all I needed to get ssl labs A+ ratings:<\/p>\n
\r\nglobal\r\n\r\n # MDM NO SSLv3! Good ciphers!\r\n ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12\r\n ssl-default-bind-ciphers AES128+EECDH:AES128+EDH\r\n\r\nfrontend ....\r\n\r\n # MDM We need to provide an HSTS header to get A+ at ssllabs!\r\n http-response set-header Strict-Transport-Security max-age=16000000;\\ includeSubDomains;\\ preload;\r\n \r\n reqadd X-Forwarded-Proto:\\ https\r\n<\/code><\/pre>\nAlso needed this in wordpress wp-config.php:<\/p>\n
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)\r\n $_SERVER['HTTPS']='on';\r\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"One deep dive with haproxy and I have handed it complete control of all my certificates. * One bind statement with every single cert file I own, and haproxy is instantly handling every host’s SSL handshaking using SNI * It is handling dynamic conversion of http requests to https * It has removed the need […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[10,9,20],"tags":[48,265,267,246,40,266],"class_list":["post-2091","post","type-post","status-publish","format-standard","hentry","category-tricks-tips-tools","category-websites","category-wordpress","tag-certificates","tag-haproxy","tag-hsts","tag-https","tag-ssl","tag-tls"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9M11L-xJ","jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/posts\/2091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/comments?post=2091"}],"version-history":[{"count":2,"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/posts\/2091\/revisions"}],"predecessor-version":[{"id":2093,"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/posts\/2091\/revisions\/2093"}],"wp:attachment":[{"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/media?parent=2091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/categories?post=2091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitpost.com\/news\/wp-json\/wp\/v2\/tags?post=2091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}