HAProxy TLS Termination on RHEL 9
Step 1 – Combine cert + key
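# Build the combined PEM that HAProxy's "crt" bind option reads: the
# certificate followed by its private key.
# The subshell sets umask 077 before the redirect creates the file, so a newly
# created PEM is never on disk with the default, usually world-readable, mode.
# Running cat first and chmod afterwards leaves that window open.
(
  umask 077
  cat /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key \
    > /etc/haproxy/certs/example.com.pem
)
# umask only affects newly created files; this also tightens a PEM that
# already existed with looser permissions.
chmod 600 /etc/haproxy/certs/example.com.pem
# 2048-bit Diffie-Hellman parameters, referenced by ssl-dh-param-file in the
# HAProxy global section.
openssl dhparam -out /etc/haproxy/dhparam.pem 2048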
Step 2 – Config
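# NOTE(review): the redirect, the header rules and "option forwardfor" below
# need HTTP mode. This excerpt has no "mode http", so it presumably comes from
# a defaults section elsewhere in haproxy.cfg -- confirm.
global
    # DH parameters generated in step 1.
    ssl-dh-param-file /etc/haproxy/dhparam.pem

frontend http-in
    bind *:80
    # Port 80 serves no content; every request gets a permanent redirect to HTTPS.
    redirect scheme https code 301

frontend https-in
    # ssl-min-ver and alpn are options of the bind line, not frontend keywords.
    # On lines of their own the configuration check rejects them, so the TLS
    # floor and ALPN list are set here, on the listener they apply to.
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem ssl-min-ver TLSv1.2 alpn h2,http/1.1
    # HSTS for two years. includeSubDomains and preload commit every subdomain
    # to HTTPS and are slow to undo once browsers have cached or preloaded the
    # policy; confirm all subdomains serve valid TLS before enabling them.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    default_backend webservers

backend webservers
    balance leastconn
    # Appends the client address as a new X-Forwarded-For header. Values the
    # client sent itself are kept, so backends should trust only the entry
    # added by this proxy.
    option forwardfor
    # set-header replaces any X-Forwarded-Proto supplied by the client.
    http-request set-header X-Forwarded-Proto https
    # TLS ends at the proxy: traffic to these servers is plain HTTP on port 80,
    # so the 192.168.1.0 segment has to be trusted. The servers should accept
    # port 80 only from the proxy, otherwise the forwarded headers can be forged.
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check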
Step 3 – Reload
# Check the configuration file first (-c); the reload runs only when the check
# succeeds, so a config with errors is never handed to the running service.
haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy