secure self-signed wildcard certificate with Haproxy

In these times of privacy intrusion I thought it was about time to step up my security a bit and enforce HTTPS on everything I run. I am currently using HAProxy on my site to proxy all traffic to my local services (nginx, node, etc.), and since HAProxy can terminate TLS itself it is a piece of cake to roll out everywhere.

First, let's generate a private key and a self-signed certificate we can use.

For a wildcard certificate use *.domain.com as the Common Name, and sign with SHA-256 (browsers no longer accept SHA-1 signatures). One caveat: current browsers ignore the Common Name entirely and only look at the subjectAltName extension, so if you want more than curl and your own tooling to accept the certificate, also add the wildcard as a DNS entry in subjectAltName, plus the bare domain, which a wildcard does not cover (for example via an OpenSSL config file, or with `-addext` on OpenSSL 1.1.1 and newer). Since the certificate is self-signed, every client has to be told to trust it explicitly anyway.

openssl req -sha256 -newkey rsa:2048 -nodes -keyout martensson.io.key -out martensson.io.csr

openssl x509 -sha256 -signkey martensson.io.key -in martensson.io.csr -req -days 3650 -out martensson.io.crt #valid for 10 years

cat martensson.io.crt martensson.io.key > martensson.io.pem # HAProxy wants the cert followed by the key in one file; redirect instead of tee, which would echo the key to the terminal
chmod 600 martensson.io.key martensson.io.pem # private key material, keep it unreadable to other users

Now edit haproxy.cfg and add the following inside the frontend section (the frontend must be in `mode http` and still needs a `bind *:80` line, otherwise there is nothing listening on port 80 to redirect):

# redirect everything to https
redirect scheme https code 301 if !{ ssl_fc }

bind *:443 ssl crt /path/to/martensson.io.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3

and to make these settings the default for every `bind` line (so the per-bind options above become optional) and to enforce somewhat stronger ciphers, add to the global section. The DH parameter line matters because the cipher list still allows DHE key exchange (`AES128+EDH`) and older HAProxy releases otherwise use a 1024-bit DH group. Two caveats: `force-tlsv12` pins listeners to exactly TLS 1.2, so it also shuts out TLS 1.3; on HAProxy 1.8 or newer use `ssl-min-ver TLSv1.2` instead. And `no-tls-tickets` disables session-ticket resumption, which costs a full handshake per new connection but avoids long-lived ticket keys undermining forward secrecy.

tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
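As an added example that is not part of the original post, here is the whole procedure above as one script: it generates the self-signed wildcard certificate with a subjectAltName (so browsers that ignore the Common Name accept it), builds the cert+key bundle HAProxy reads without echoing the key anywhere, writes a matching haproxy.cfg, and provides a few openssl-based checks on the result. The domain example.com, the output directory and the backend address 127.0.0.1:8080 are placeholders, and it assumes OpenSSL 1.0.2 or newer on PATH and, for the config it writes, HAProxy 1.8 or newer (for `ssl-min-ver`).

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumptions: OpenSSL >= 1.0.2
# and find on PATH; example.com and 127.0.0.1:8080 are placeholders.
set -eu

# $1 = domain, $2 = output dir, $3 = validity in days (default 825)
gen_wildcard_cert() {
    local domain="$1" outdir="$2" days="${3:-825}"
    local cfg="$outdir/$domain.cnf"
    # Extensions come from a config file so this also works on OpenSSL builds
    # that lack "req -addext".
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = *.$domain
[v3_server]
# A wildcard matches exactly one label, so the bare domain must be listed too
subjectAltName = DNS:*.$domain, DNS:$domain
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    (   # subshell: the restrictive umask must not leak into the caller
        umask 077
        openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days "$days" \
            -config "$cfg" -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt"
        # HAProxy wants cert then key in one file; redirect (not tee) so the
        # private key never hits the terminal or a shell log.
        cat "$outdir/$domain.crt" "$outdir/$domain.key" > "$outdir/$domain.pem"
        chmod 600 "$outdir/$domain.pem"
    )
    echo "$outdir/$domain.pem"
}

# Write a haproxy.cfg that terminates TLS with the bundle in $1 ($2 = backend).
# ssl-min-ver needs HAProxy 1.8+; on older releases use "no-tlsv10 no-tlsv11".
write_haproxy_cfg() {
    cat <<EOF
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend www
    bind *:80
    bind *:443 ssl crt $1
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend app
backend app
    server app1 ${2:-127.0.0.1:8080}
EOF
}

# Checks on what was produced (exit status 0 = pass)
has_san()     { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }
verify_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
is_private()  { [ -n "$(find "$1" -perm 600)" ]; }
sig_alg()     { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ && !d {print $3; d=1}'; }

# Invoked as "./mkcert.sh <domain> [outdir]": generate everything in one go.
if [ $# -ge 1 ]; then
    DIR="${2:-$(mktemp -d)}"
    PEM="$(gen_wildcard_cert "$1" "$DIR")"
    write_haproxy_cfg "$PEM" > "$DIR/haproxy.cfg"
    echo "wrote $PEM and $DIR/haproxy.cfg"
fi
```

Run it as `./mkcert.sh martensson.io /etc/haproxy/certs`, then validate the generated config with `haproxy -c -f /etc/haproxy/certs/haproxy.cfg` before pointing the live service at it. The `verify_host` check is the interesting one: `www.example.com` and `example.com` pass, but `a.b.example.com` is rejected, because a wildcard covers a single label. That is why the bare domain is listed separately in the SAN, and why a multi-level host needs its own entry.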

I also recommend reading more at https://cipherli.st/