HAProxy SSL/TLS Termination on Debian 12

HAProxy can terminate TLS at the edge and forward plain HTTP to the backends, so the backend servers never touch the certificate or private key. The four steps below set that up on Debian 12.

Step 1 – Combine certificate and key

HAProxy expects the certificate and private key in a single PEM bundle. If the CA supplied an intermediate chain, include it in the same file (leaf certificate first). HAProxy reads the bundle as root at startup, so nothing else on the host needs read access.

mkdir -p /etc/haproxy/certs
cat /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key \
    > /etc/haproxy/certs/example.com.pem
# The bundle contains the private key: owner-only access
chmod 600 /etc/haproxy/certs/example.com.pem

Step 2 – Configure HAProxy for HTTPS

The TLS settings (minimum protocol version, ALPN) are keywords on the bind line, not standalone frontend directives. Both frontends rely on mode http, which the stock Debian 12 haproxy.cfg sets in its defaults section. Only add "preload" to the HSTS header once you intend to submit the domain to the browser preload list, since that is hard to undo.

frontend https-in
    # TLS options are bind-line keywords: TLS 1.2+ only and HTTP/2 via ALPN
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem ssl-min-ver TLSv1.2 alpn h2,http/1.1

    # Add security headers (this frontend only answers over TLS, so HSTS is appropriate here)
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    default_backend webservers

frontend http-in
    # The plain-HTTP listener exists only to redirect clients to HTTPS
    bind *:80
    http-request redirect scheme https code 301

backend webservers
    balance     leastconn
    option      httpchk GET /health
    option      forwardfor
    # The backends only see plain HTTP, so tell them the client connection was TLS
    http-request set-header X-Forwarded-Proto https
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check

Step 3 – DH parameters

Generate a 2048-bit DH parameter file for the DHE cipher suites (this can take a while on a small VM):

openssl dhparam -out /etc/haproxy/dhparam.pem 2048

Then point HAProxy at it in the global section of /etc/haproxy/haproxy.cfg:

global
    ssl-dh-param-file /etc/haproxy/dhparam.pem
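Before reloading, it is worth checking the artefacts from Steps 1 to 3 for the mistakes that haproxy -c either misses entirely (a group-readable key bundle, a missing HSTS header) or reports only tersely (TLS options written as standalone directives). The script below is an added example written for this page, not part of the article or of HAProxy; it assumes only POSIX sh, awk, grep, ls and optionally openssl, the file paths are passed as arguments, and the configs and self-signed certificate at the bottom are constructed demo input.

```shell
#!/bin/sh
# audit_haproxy_tls.sh: pre-reload checks for the HAProxy TLS termination setup above.
# Added example, not part of the original article. Paths are passed as arguments;
# the demo files created at the bottom are constructed for this example only.

# check_bundle PEM: the combined cert+key file must be owner-only accessible and hold
# both a certificate and a private key; when openssl is present, the certificate's
# public key must match the private key.
check_bundle() {
    f=$1
    [ -f "$f" ] || { echo "bundle: $f missing"; return 1; }
    mode=$(ls -ld "$f" | cut -c2-10)          # e.g. rw------- for chmod 600
    case "$mode" in
        ???------) ;;
        *) echo "bundle: $f is group/world accessible ($mode), expected chmod 600"; return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "bundle: no certificate in $f"; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$f" || { echo "bundle: no private key in $f"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null || true)
        keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null || true)
        if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
            echo "bundle: certificate and private key in $f do not match"; return 1
        fi
    fi
}

# audit_cfg CFG: TLS options belong on the bind line (a bare "ssl-min-ver" or "alpn"
# line in a frontend is not a valid directive); a TLSv1.2 floor must come from the
# bind line or from ssl-default-bind-options in global (global must precede the
# frontends, as in the stock Debian file); every TLS frontend must send HSTS; and
# global must name a DH parameter file. Returns 1 on any finding.
audit_cfg() {
    awk '
    BEGIN { rc = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^(global|defaults|frontend|backend|listen)([ \t]|$)/ {
        if (fe && tls && !hsts) { print "cfg: " name " terminates TLS without HSTS"; rc = 1 }
        sec = $1; name = $2; fe = (sec == "frontend" || sec == "listen"); tls = 0; hsts = 0; next
    }
    sec == "global" && $1 == "ssl-dh-param-file" { dh = 1 }
    sec == "global" && $1 == "ssl-default-bind-options" && /ssl-min-ver[ \t]+TLSv1\.[23]/ { gmin = 1 }
    fe && $1 == "bind" && /[ \t]ssl([ \t]|$)/ {
        tls = 1
        if (!/[ \t]crt[ \t]/) { print "cfg: " name ": ssl bind without crt"; rc = 1 }
        if (!gmin && !/ssl-min-ver[ \t]+TLSv1\.[23]/) {
            print "cfg: " name ": no TLSv1.2 floor on the bind line or in global"; rc = 1
        }
    }
    fe && ($1 == "ssl-min-ver" || $1 == "alpn") {
        print "cfg: " name ": " $1 " must be an option on the bind line, not a standalone directive"; rc = 1
    }
    fe && $1 == "http-response" && $2 == "set-header" && $3 == "Strict-Transport-Security" { hsts = 1 }
    END {
        if (fe && tls && !hsts) { print "cfg: " name " terminates TLS without HSTS"; rc = 1 }
        if (!dh) { print "cfg: global has no ssl-dh-param-file"; rc = 1 }
        exit rc
    }' "$1"
}

# --- constructed demo input (throwaway files, not real infrastructure) ---------------
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/good.cfg" <<'EOF'
global
    ssl-dh-param-file /etc/haproxy/dhparam.pem
    ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
    mode http
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    default_backend webservers
backend webservers
    server web1 192.168.1.10:80 check
EOF
# bad.cfg has ssl-min-ver/alpn on their own lines and lacks HSTS, a TLS floor and the DH file
cat > "$DEMO_DIR/bad.cfg" <<'EOF'
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    ssl-min-ver TLSv1.2
    alpn h2,http/1.1
    default_backend webservers
EOF
if command -v openssl >/dev/null 2>&1; then
    # throwaway self-signed certificate and key, bundled the way Step 1 does it
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo.invalid -days 1 \
        -keyout "$DEMO_DIR/demo.key" -out "$DEMO_DIR/demo.crt" 2>/dev/null
    cat "$DEMO_DIR/demo.crt" "$DEMO_DIR/demo.key" > "$DEMO_DIR/demo.pem"
    chmod 600 "$DEMO_DIR/demo.pem"
    check_bundle "$DEMO_DIR/demo.pem" && echo "demo bundle OK"
fi
audit_cfg "$DEMO_DIR/good.cfg" && echo "good.cfg OK"
audit_cfg "$DEMO_DIR/bad.cfg" || echo "bad.cfg rejected"
```

Run it against the real files as audit_haproxy_tls.sh, then call check_bundle /etc/haproxy/certs/example.com.pem and audit_cfg /etc/haproxy/haproxy.cfg from a shell that has sourced it; a non-zero status from either is a reason not to reload. The awk audit deliberately stops at the checks that haproxy -c does not express as policy; it is a complement to, not a replacement for, the syntax check in Step 4.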

Step 4 – Reload

Validate the configuration first, and only reload if it passes, so a typo cannot take the running instance down; reload lets existing connections finish on the old process.

haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy