secure self-signed wildcard certificate with Haproxy
In these times of privacy intrusion I thought it was about time to step up my security a bit and enforce SSL on everything I run. I am currently using haproxy on my site to proxy all traffic to my local services (nginx, node, etc.), and since haproxy is able to terminate SSL, it's a piece of cake to implement all over.
First, let's generate a secure key and self-signed certificate we can use. For a wildcard certificate, enter *.domain.com as the Common Name when prompted, and please use sha256:
openssl req -sha256 -newkey rsa:2048 -nodes -keyout martensson.io.key -out martensson.io.csr
openssl x509 -sha256 -signkey martensson.io.key -in martensson.io.csr -req -days 3650 -out martensson.io.crt #valid for 10 years
cat martensson.io.crt martensson.io.key | tee martensson.io.pem
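The same three steps as a script, added here as an example that is not part of the original post: it runs the key, CSR, certificate and bundle commands non-interactively (the Common Name is passed with -subj) and then checks the result the way you would before pointing haproxy at it. It assumes a placeholder domain (DOMAIN, example.com by default), a scratch directory (OUTDIR) and openssl on PATH. It also goes one step beyond the commands above: the wildcard is additionally written into a subjectAltName extension, since current browsers ignore the Common Name and only match names from the SAN list.

```shell
#!/bin/sh
# Added example, not from the original post: key, CSR, self-signed wildcard
# certificate and haproxy PEM bundle, generated without prompts, then checked.
# Assumptions: DOMAIN is a placeholder, OUTDIR is a scratch dir, openssl on PATH.
set -eu

DOMAIN="${DOMAIN:-example.com}"      # placeholder, replace with your own domain
OUTDIR="${OUTDIR:-$(mktemp -d)}"     # where key, CSR, cert and bundle are written

KEY="$OUTDIR/$DOMAIN.key"
CSR="$OUTDIR/$DOMAIN.csr"
CRT="$OUTDIR/$DOMAIN.crt"
PEM="$OUTDIR/$DOMAIN.pem"

# Generate key, CSR and a 10-year self-signed wildcard certificate (SHA-256).
gen_cert() {
    # -subj supplies the wildcard Common Name, so nothing is asked interactively.
    openssl req -sha256 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
        -subj "/CN=*.$DOMAIN"

    # Browsers match the SAN list, not the CN, so put the wildcard there too
    # (the extension file is read by -extfile when self-signing the CSR).
    EXT="$OUTDIR/san.ext"
    printf 'subjectAltName=DNS:*.%s,DNS:%s\nbasicConstraints=CA:FALSE\n' \
        "$DOMAIN" "$DOMAIN" > "$EXT"
    openssl x509 -sha256 -req -signkey "$KEY" -in "$CSR" -days 3650 \
        -extfile "$EXT" -out "$CRT"

    # haproxy reads certificate and private key from one PEM file.
    cat "$CRT" "$KEY" > "$PEM"
    chmod 600 "$KEY" "$PEM"          # the bundle contains the private key
}

# Succeeds if the private key in the bundle matches the certificate's public key.
key_matches_cert() {
    c=$(openssl x509 -in "$PEM" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$PEM" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Succeeds if the certificate carries the wildcard name in its SAN extension.
san_has_wildcard() {
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:\*\.$DOMAIN"
}

# Succeeds if the certificate is signed with SHA-256 rather than SHA-1 or MD5.
uses_sha256() {
    openssl x509 -in "$CRT" -noout -text | grep -q 'sha256WithRSAEncryption'
}

# Succeeds if the certificate stays valid for at least another 30 days.
not_expiring_soon() {
    openssl x509 -in "$CRT" -noout -checkend 2592000 >/dev/null
}

gen_cert
for check in key_matches_cert san_has_wildcard uses_sha256 not_expiring_soon; do
    "$check" || { echo "FAILED: $check" >&2; exit 1; }
done
echo "bundle ready: $PEM"
```

Run it once with DOMAIN set to your real domain and copy the resulting .pem to the path used in the haproxy bind line; the key_matches_cert check is the one that catches the most common mistake, a bundle assembled from a certificate and a key that were not generated together.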
Now edit the haproxy.cfg and inside the frontend section add:
# redirect everything to https
redirect scheme https code 301 if !{ ssl_fc }
bind *:443 ssl crt /path/to/martensson.io.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3
and, to enforce somewhat stronger ciphers for every SSL bind, add to the global section:
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers AES128+EECDH:AES128+EDH
I also recommend reading more at https://cipherli.st/