@rmrfslashbin
Last active January 6, 2024 11:21

Howto: Easy-rsa + HAProxy

These are rough notes for deploying a test/dev local CA, a server key/cert, and a client key/cert. The intention is a quick and dirty (do not use in production) local CA with one server and one client. HAProxy terminates TLS, forces TLS for all connections (plain HTTP is redirected to HTTPS), and then optionally requires a client certificate for authentication on selected paths.

Easy-rsa

Follow the install guide for easy-rsa (https://github.com/OpenVPN/easy-rsa). The commands below use easy-rsa 3 syntax, are run from the easy-rsa directory, and write everything into its pki/ subdirectory (keys under pki/private/, issued certs under pki/issued/, the CA cert as pki/ca.crt).

Init PKI

./easyrsa init-pki

Build CA

./easyrsa build-ca

Generate CSR and key for server 'localhost'

./easyrsa gen-req localhost

Sign request; generate cert

!!Notice the 'server' param!! It selects easy-rsa's server x509-type, which sets extendedKeyUsage to serverAuth; a certificate signed with the client type carries only clientAuth and browsers reject it as a server certificate.

./easyrsa sign-req server localhost

Generate CSR and key for user 'user001'

./easyrsa gen-req user001

Sign request; generate cert

!!Notice the 'client' param!! It selects the client x509-type, which sets extendedKeyUsage to clientAuth, marking the certificate for client authentication rather than for serving.

./easyrsa sign-req client user001

Decrypt the keys that must be stored unencrypted. easy-rsa protects private keys with a passphrase by default (pass 'nopass' to gen-req to skip this). HAProxy cannot prompt for a passphrase, so the server key has to be decrypted; the client key only needs it if the client tooling cannot handle a passphrase. Keep any decrypted key readable by its owner only (mode 0600) and out of version control.

openssl rsa -in crypted.key -out decrypted.key

The .crt files easy-rsa writes contain both a human-readable text dump of the certificate and the PEM block. For ease of use, copy just the PEM certificate block (everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) to a new file. Use this PEM certificate for all operations referenced below.

Generate server PEM

HAProxy requires the server's private key, its certificate and the CA chain concatenated into a single PEM file (the 'crt' argument of the bind line). Be sure the key is the decrypted one and the certificate is the extracted PEM block, not the full file easy-rsa generated. The paths below assume the files were copied into the /tls/private and /tls/certs directories that haproxy.cfg references; move the resulting localhost.pem into /tls/private afterwards. Because the bundle contains the private key it should be readable by HAProxy only.

cat ../private/localhost.key ../certs/localhost.crt ../certs/ca.crt > localhost.pem
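As an added example (not part of the gist), here is a small Python helper that does what the last three steps do by hand: it pulls the PEM block out of easy-rsa's .crt dump, refuses a key that is still passphrase-protected (PKCS#8 'ENCRYPTED PRIVATE KEY' or the legacy 'Proc-Type: 4,ENCRYPTED' header), checks that each block decodes to DER, assembles the key/cert/chain bundle in the order the gist uses, and writes it with mode 0600. The PEM fixtures are constructed stand-ins whose base64 decodes to a minimal DER SEQUENCE; they are not real keys or certificates.

```python
"""Assemble the HAProxy PEM bundle (key + server cert + CA chain) from easy-rsa
output, refusing inputs that would fail at HAProxy startup or leave a
passphrase-protected key in place. Added example; the fixtures below are constructed."""
import base64
import binascii
import os
import re
from typing import List, NamedTuple, Optional

# One PEM block: label, then body (base64 plus any legacy "Header: value" lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


class BundleError(ValueError):
    """Something in the inputs would not work as an HAProxy bundle."""


class PemBlock(NamedTuple):
    label: str
    text: str        # the block re-emitted on its own, without surrounding text
    encrypted: bool  # True for a passphrase-protected private key


def pem_blocks(text: str) -> List[PemBlock]:
    """Extract every PEM block, dropping the human-readable dump easy-rsa puts in
    front of the certificate in its .crt files, and check that each body is base64
    for a DER SEQUENCE (every key and certificate starts with tag 0x30)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, lines = m.group("label"), m.group("body").splitlines()
        headers = [ln for ln in lines if ":" in ln]   # legacy Proc-Type / DEK-Info lines
        b64 = "".join(ln.strip() for ln in lines if ln.strip() and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise BundleError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise BundleError(f"{label}: body does not decode to a DER SEQUENCE")
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
        text_out = f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
        blocks.append(PemBlock(label, text_out, encrypted))
    return blocks


def build_bundle(key_text: str, crt_text: str, ca_text: str) -> str:
    """Concatenate key, server certificate and CA chain in the order the gist uses."""
    keys = [b for b in pem_blocks(key_text) if b.label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise BundleError(f"expected exactly one private key, found {len(keys)}")
    if keys[0].encrypted:
        raise BundleError("private key is passphrase-protected; HAProxy cannot prompt "
                          "for it, run 'openssl rsa -in crypted.key -out decrypted.key' first")
    leaf = [b for b in pem_blocks(crt_text) if b.label == "CERTIFICATE"]
    if len(leaf) != 1:
        raise BundleError(f"expected exactly one server certificate, found {len(leaf)}")
    chain = [b for b in pem_blocks(ca_text) if b.label == "CERTIFICATE"]
    if not chain:
        raise BundleError("CA file contains no certificate")
    return "".join(b.text for b in keys + leaf + chain)


def bundle_problem(key_text: str, crt_text: str, ca_text: str) -> Optional[str]:
    """Return the reason the inputs are rejected, or None if a bundle can be built."""
    try:
        build_bundle(key_text, crt_text, ca_text)
        return None
    except BundleError as exc:
        return str(exc)


def write_bundle(path: str, bundle: str) -> None:
    """Write the bundle readable by its owner only; it contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(bundle)


# ---- constructed fixtures (not real keys or certificates) ----------------------
def _fixture_pem(label: str, headers=()) -> str:
    der = b"\x30\x03\x02\x01\x00"  # SEQUENCE { INTEGER 0 }: smallest plausible body
    body = base64.b64encode(der).decode()
    lines = list(headers) + ([""] if headers else []) + [body]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


SAMPLE_KEY = _fixture_pem("PRIVATE KEY")                        # decrypted PKCS#8 key
SAMPLE_PKCS8_ENCRYPTED = _fixture_pem("ENCRYPTED PRIVATE KEY")  # passphrase-protected PKCS#8
SAMPLE_LEGACY_ENCRYPTED = _fixture_pem(                         # old-style encrypted key
    "RSA PRIVATE KEY",
    headers=["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"])
# easy-rsa .crt files carry the text dump of the certificate ahead of the PEM block
SAMPLE_CRT = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + _fixture_pem("CERTIFICATE")
SAMPLE_CA = _fixture_pem("CERTIFICATE")

if __name__ == "__main__":
    print(build_bundle(SAMPLE_KEY, SAMPLE_CRT, SAMPLE_CA))
    print("encrypted key ->", bundle_problem(SAMPLE_PKCS8_ENCRYPTED, SAMPLE_CRT, SAMPLE_CA))
```

With real files, read pki/private/localhost.key (decrypted), pki/issued/localhost.crt and pki/ca.crt into the three arguments and pass the result to write_bundle("/tls/private/localhost.pem", ...). The DER check is deliberately shallow (tag byte only); it catches truncated or mis-pasted blocks, not a wrong or expired certificate, which 'openssl verify -CAfile' is for.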

haproxy

Below are the relevant parts to implement TLS termination and client-certificate authentication. This is not a complete haproxy.cfg (there is no defaults or backend section). With the ca-base and crt-base settings below, 'crt localhost.pem' is looked up under /tls/private and 'ca-file ca.crt' under /tls/certs, so place the files there.

### haproxy.cfg

## Global Section
global
  # Default SSL material locations ('crt localhost.pem' -> /tls/private/localhost.pem,
  # 'ca-file ca.crt' -> /tls/certs/ca.crt)
  ca-base /tls/certs
  crt-base /tls/private

  # Secure SSL/TLS configs: ECDHE suites (forward secrecy) with AES-GCM first.
  # The original list also named EECDH+aRSA+RC4, which the trailing !RC4 cancelled
  # out anyway; it is dropped here.
  ssl-default-bind-ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
  # TLS 1.2 minimum (no-tlsv11 added; the original stopped at no-tlsv10)
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  tune.ssl.default-dh-param 4096

## Frontend ssl
frontend haproxy-frontend
  mode http
  # Plain HTTP listener, present only so the https redirect below has something to catch
  bind *:80
  # verify optional: the client may present a certificate; if it does, it must chain to
  # ca.crt or the handshake is aborted. verify required also rejects clients without one.
  bind *:443  ssl crt localhost.pem ca-file ca.crt verify optional ## or: required

  ##
  ## This section can be used to enforce SSL client certs
  ## based on paths, acls, etc...
  ##
  ## Identify admin and data paths, including everything below them.
  ## The original patterns ^/admin(?:[/])?$ and ^/data(?:[/])?$ matched only the bare
  ## path with or without a trailing slash, so /admin/users or /data/export reached
  ## the backend without a client cert.
  acl path_admin path_reg ^/admin(?:/|$)
  acl path_data  path_reg ^/data(?:/|$)
  ## Tag all 'write' methods (declared for further rules such as requiring a client
  ## cert for writes; the deny rules below do not use it)
  acl write_method method POST DELETE PUT
  ## Connection arrived over TLS (used by the response rules below)
  acl secure ssl_fc

  ## Block access to admin and data paths if no client cert
  ## note the use of 'ssl_c_used': true only when the client presented a certificate,
  ## and with 'verify optional' an unverifiable certificate never completes the
  ## handshake, so a true value means a certificate issued by our CA.
  http-request deny if path_admin !{ ssl_c_used }
  http-request deny if path_data  !{ ssl_c_used }

  ## force https; HSTS and Secure cookies on TLS responses
  ## (rspadd and rsprep were removed in HAProxy 2.1; the http-request/http-response
  ## forms are used throughout)
  http-request redirect scheme https unless { ssl_fc }
  ## 'preload' commits the host to browser preload lists; drop it for a test/dev name
  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if secure
  http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
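To see what the path ACLs actually gate, here is an added Python replay of the deny rules (example code, not from the gist): it applies both the gist's original path_reg patterns and the tightened ones to constructed requests, models HAProxy's 'path' fetch (query string stripped) and 'ssl_c_used' as a boolean, and lists the requests that would reach /admin or /data without a client certificate.

```python
"""Replay the gist's path/client-cert deny rules against constructed requests to
show which paths the original patterns leave unprotected. Added example."""
import re
from typing import Dict, List, NamedTuple

# The path_reg patterns as the gist wrote them, and tightened forms that also
# cover everything below /admin and /data.
ORIGINAL: Dict[str, str] = {"path_admin": r"^/admin(?:[/])?$", "path_data": r"^/data(?:[/])?$"}
TIGHTENED: Dict[str, str] = {"path_admin": r"^/admin(?:/|$)", "path_data": r"^/data(?:/|$)"}

PROTECTED_AREAS = {"admin", "data"}  # the areas the gist intends to gate


class Request(NamedTuple):
    method: str
    uri: str
    ssl_c_used: bool  # HAProxy's fetch: did the client present a certificate?


def haproxy_path(uri: str) -> str:
    """HAProxy's 'path' sample excludes the query string, so path_reg never sees it."""
    return uri.split("?", 1)[0]


def decide(req: Request, patterns: Dict[str, str]) -> str:
    """Mirror 'http-request deny if path_x !{ ssl_c_used }' for each path ACL."""
    path = haproxy_path(req.uri)
    gated = any(re.search(p, path) for p in patterns.values())  # path_reg is a regex search
    return "deny" if gated and not req.ssl_c_used else "allow"


def should_be_gated(uri: str) -> bool:
    """Ground truth: the first path segment names one of the protected areas."""
    segments = haproxy_path(uri).split("/")
    return len(segments) > 1 and segments[1] in PROTECTED_AREAS


def audit(patterns: Dict[str, str], requests: List[Request]) -> List[str]:
    """URIs that reach a protected area without a client certificate under these patterns."""
    return [r.uri for r in requests
            if not r.ssl_c_used and should_be_gated(r.uri) and decide(r, patterns) == "allow"]


# Constructed requests; no client certificate unless stated.
SAMPLE_REQUESTS = [
    Request("GET", "/admin", False),
    Request("GET", "/admin/", False),
    Request("GET", "/admin/users", False),            # subpath: slips past the original pattern
    Request("POST", "/data/import?force=1", False),   # subpath plus query string
    Request("GET", "/admin?x=1", False),              # query string is not part of 'path'
    Request("GET", "/administrator", False),          # prefix collision, must stay open
    Request("GET", "/admin/users", True),             # certificate presented: allowed
    Request("GET", "/public", False),
]

if __name__ == "__main__":
    for name, pats in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(f"{name}: bypasses = {audit(pats, SAMPLE_REQUESTS)}")
        for r in SAMPLE_REQUESTS:
            print(f"  {decide(r, pats):5} {r.method} {r.uri} cert={r.ssl_c_used}")
```

Two caveats the replay does not model: path_reg is case-sensitive, so a backend that treats /Admin like /admin needs a case-insensitive pattern (path_reg with the -i flag), and the match runs on the raw path, so a backend that collapses //admin or /./admin to /admin can still be reached around the ACL; HAProxy 2.4 and later can canonicalise first with 'http-request normalize-uri' (path-merge-slashes, path-strip-dot, and so on) placed before the deny rules.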