secure self-signed wildcard certificate with Haproxy

In these times of privacy intrusion I thought it was about time to step up my security a bit and enforce SSL on everything I run. I am currently using haproxy on my site to proxy all traffic to my local services (nginx, node, etc.), and since haproxy is able to terminate SSL it's a piece of cake to implement everywhere.

First, let's generate a secure key and certificate we can use:

For a wildcard certificate, use * in the Common Name (e.g. *.example.com) when prompted, and please use sha256.

openssl req -sha256 -newkey rsa:2048 -nodes -keyout <wildcard.key> -out <wildcard.csr>

openssl x509 -sha256 -signkey <wildcard.key> -in <wildcard.csr> -req -days 3650 -out <wildcard.crt> # valid for 10 years

cat <wildcard.key> <wildcard.crt> | tee <wildcard.pem>

(File names in angle brackets are placeholders; the last step concatenates key and certificate because haproxy reads both from a single PEM file.)
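The same steps as a non-interactive script, added here as an example and not taken from the post: it generates the wildcard key and certificate, bundles them for haproxy, and then checks that the bundle really is a sha256-signed wildcard certificate whose private key matches. It goes one step beyond the post by also adding a subjectAltName (modern clients ignore the Common Name). It assumes openssl is on PATH; the domain and the file names wildcard.key/.csr/.crt/.pem are constructed sample values.

```shell
#!/bin/sh
# Added example, not the post's own commands. Generates a self-signed
# wildcard certificate non-interactively, bundles key+cert the way the
# haproxy "crt" option expects, and verifies the result. Assumes openssl
# is on PATH; the domain passed in (e.g. example.com) is a sample value.
set -eu

# make_wildcard_bundle DOMAIN OUTDIR -> prints the path of the combined PEM
make_wildcard_bundle() {
    domain="$1"; out="$2"
    mkdir -p "$out"
    # -subj replaces the interactive prompts; CN=*.DOMAIN is the wildcard.
    openssl req -sha256 -newkey rsa:2048 -nodes \
        -keyout "$out/wildcard.key" -out "$out/wildcard.csr" \
        -subj "/CN=*.$domain" 2>/dev/null
    # Modern clients ignore CN and require a subjectAltName, so add one
    # via -extfile (works on old and new OpenSSL alike, unlike -addext).
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$out/san.cnf"
    openssl x509 -sha256 -req -days 3650 -signkey "$out/wildcard.key" \
        -in "$out/wildcard.csr" -extfile "$out/san.cnf" \
        -out "$out/wildcard.crt" 2>/dev/null
    # haproxy reads the private key and the certificate from one PEM file.
    cat "$out/wildcard.key" "$out/wildcard.crt" > "$out/wildcard.pem"
    chmod 600 "$out/wildcard.key" "$out/wildcard.pem"
    echo "$out/wildcard.pem"
}

# check_bundle PEM DOMAIN -> 0 if PEM holds a sha256-signed wildcard cert for
# DOMAIN with a SAN entry and a private key that matches the certificate.
check_bundle() {
    pem="$1"; domain="$2"
    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)
    case "$subj" in *"CN=*.$domain"*) ;; *) return 1 ;; esac
    text=$(openssl x509 -in "$pem" -noout -text)
    case "$text" in *"DNS:*.$domain"*) ;; *) return 1 ;; esac
    case "$text" in *sha256WithRSAEncryption*) ;; *) return 1 ;; esac
    grep -q 'PRIVATE KEY' "$pem" || return 1
    # The public key in the cert must equal the one derived from the key.
    [ "$(openssl x509 -in "$pem" -noout -pubkey)" = "$(openssl pkey -in "$pem" -pubout)" ]
}

# Usage: ./make-wildcard.sh example.com ./certs
if [ $# -ge 2 ]; then
    make_wildcard_bundle "$1" "$2"
fi
```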

Now edit haproxy.cfg and, inside the frontend section, add:

# redirect everything to https
redirect scheme https code 301 if !{ ssl_fc }

bind *:443 ssl crt /path/to/ ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3

and to enforce somewhat stronger ciphers for every SSL listener, add to the global section:

tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

I also recommend reading more at