Score an A+ on SSL Labs using HAProxy

Getting your web server to score an A+ on SSL Labs is easy when HAProxy sits in front of it as the TLS-terminating frontend.

First, configure your web server to listen on plain HTTP only and put HAProxy in front of it as the frontend, so the world talks only to HAProxy and HAProxy in turn talks to your web server. Your web server never talks directly to users. Because the hop from HAProxy to the web server is then unencrypted, keep it on a trusted private network (or re-encrypt it with an ssl server line in the backend) so that terminating TLS at the proxy does not turn into a plaintext exposure behind it.

The main reason for this layout is that HAProxy can then route around a failed server or load balance across several. In my case I have multiple HAProxy servers and multiple web servers to give maximum redundancy and uptime if any one server goes down.

This article doesn't cover the setup needed to get your web server or HAProxy running.

What we cover here are a couple of key settings in your HAProxy config file that will get you to an A+ rating on the SSL Labs server test at https://www.ssllabs.com/ssltest/.

The config file is normally located (on Linux) at /etc/haproxy/haproxy.cfg; update it with your favorite editor. Make sure you have these settings:

In the global section set the default bind options. This disables SSLv3 and TLS 1.0/1.1 (all of which SSL Labs penalizes) and turns off TLS session tickets, leaving TLS 1.2, plus TLS 1.3 where your OpenSSL supports it. On HAProxy 1.8 and newer you can express the version floor as ssl-min-ver TLSv1.2 instead of listing each old version. SSL Labs also grades cipher strength, so pair these options with an ssl-default-bind-ciphers list limited to ECDHE, AEAD suites.

ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

In your HTTPS frontend section, make sure the bind line looks something like this (h2 is listed first in the ALPN list so that HAProxy prefers HTTP/2 when the client offers both; serving h2 on a frontend needs HAProxy 1.8 or newer and mode http):

bind *:443 ssl crt /etc/ssl/private/my-cert.pem alpn h2,http/1.1

Of course, the path to your certificate(s) will depend on your setup, and you may bind to a specific IP rather than the * at the start of the binding. The PEM file must contain the private key, the server certificate and the intermediate chain in one file; SSL Labs caps the grade at B when it finds an incomplete chain, so check that before blaming the TLS settings.

Finally, also in the frontend section, make sure you are sending a reasonably long HSTS header. This tells browsers to never attempt plain HTTP for your site and to go straight to HTTPS instead: once a browser has seen the header over HTTPS, every future request to your site (until the max-age expires) is upgraded to HTTPS even if the user types http://. Two caveats: browsers ignore HSTS received over plain HTTP, so the first visit must reach HTTPS (a redirect from port 80 does that), and SSL Labs only awards A+ when max-age is at least six months.

# HSTS header (1 year = 31536000 seconds)
http-response set-header Strict-Transport-Security max-age=31536000

In this case, we are setting the age to one year, well over the six-month minimum SSL Labs expects.
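Putting the three settings together, here is a complete minimal haproxy.cfg as an added example (it is not the configuration from the original article). It also fills in the pieces the article leaves implicit: a port-80 frontend that redirects to HTTPS so the HSTS header is ever seen, an explicit cipher list so weak suites cannot drag the grade down, and the backend pool. The frontend and backend names, the 10.0.0.11/10.0.0.12 backend addresses, the certificate path and the cipher lists are assumptions for illustration; ssl-default-bind-ciphersuites and h2 need HAProxy 1.8 or newer built against OpenSSL 1.1.1 or newer.

```haproxy
global
    log /dev/log local0
    # Assumed HAProxy 1.8+ / OpenSSL 1.1.1+. Disable SSLv3, TLS 1.0/1.1 and
    # session tickets (the article's line), then restrict ciphers to
    # forward-secret AEAD suites so SSL Labs does not flag weak suites.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Plain-HTTP listener: its only job is to send everyone to HTTPS.
# Browsers ignore HSTS on http://, so this redirect is what gets a
# first-time visitor onto HTTPS where the header is honoured.
frontend http_in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# TLS-terminating listener (certificate path is an assumption; the PEM
# must hold the key, the leaf certificate and the intermediate chain).
frontend https_in
    bind *:443 ssl crt /etc/ssl/private/my-cert.pem alpn h2,http/1.1
    # One-year HSTS (31536000 s); SSL Labs wants at least six months for A+.
    # includeSubDomains is only safe once every subdomain serves HTTPS.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend web_servers

# Assumed backend pool on a trusted private network, plain HTTP to the
# web servers as the article describes.
backend web_servers
    balance roundrobin
    option httpchk GET /
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading. To confirm the effect from outside: openssl s_client -connect yourhost:443 -tls1 should fail to negotiate, curl -sI http://yourhost/ should return a 301 to the https:// URL, and curl -sI https://yourhost/ should show the Strict-Transport-Security header. Drop includeSubDomains if any subdomain still needs plain HTTP, because browsers will refuse to load it once the header has been cached. Then re-run the SSL Labs test; if it still reports an incomplete chain, the fix is in the PEM file, not in HAProxy.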

With those simple settings and a good certificate (full chain included, a 2048-bit or longer RSA key or an EC key, SHA-256 signature), your site should be hitting the A+ rating on SSL Labs; re-run the test after each reload to confirm, since a single weak cipher, an old protocol or an incomplete chain is enough to cap the grade.


All content on this site is copyright ©2004-2023 and is not to be reproduced without prior permission.