This topic describes steps to set up HAProxy as a reverse proxy for ISL Conference Proxy.
We have included a sample configuration file, tested with HAProxy 1.5.8.
The file myssl.bundle is a bundle file containing the appropriate certificate and the matching private key for the chosen DNS name (e.g. isl.example.com). Modify the path and file name to match your setup.
You should adjust the list of supported ciphers to fit your requirements. The values below are just an example.
Important: Make sure you modify the settings to match your requirements and your environment. Perform detailed connection and usage tests before placing such a server in production. Please refer to the HAProxy documentation for details.
Sample configuration file for HAProxy (haproxy.cfg):
global
    daemon
    maxconn 256
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option forwardfor

frontend myhttp
    bind *:80
    default_backend bk_http

frontend myhttps
    bind *:443 ssl crt /etc/ssl/private/myssl.bundle ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH no-sslv3
    default_backend bk_https

backend bk_http
    balance roundrobin
    server s1 E.F.G.H:7620 maxconn 32

backend bk_https
    balance roundrobin
    server s1 E.F.G.H:7621 maxconn 32
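When adjusting the cipher list as advised above, it helps to see which enabled entries are 3DES, which lack forward secrecy, and which are broad aliases. The following is an added example, not part of the original ISL documentation: a small Python audit of the `bind ... ssl` line. The function names, report keys and the shortened sample config are assumptions made for illustration.

```python
# Added example: name-based audit of an HAProxy "bind ... ssl" cipher string.
# Constructed sample: a shortened form of the page's bind line (assumption:
# "bind" and all of its options sit on one line in the real haproxy.cfg).
SAMPLE_CFG = """\
frontend myhttps
    bind *:443 ssl crt /etc/ssl/private/myssl.bundle ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-SHA:AES:DES-CBC3-SHA:!aNULL:!DES:!RC4:@STRENGTH no-sslv3
    default_backend bk_https
"""

# Name prefixes that indicate an ephemeral (forward-secret) key exchange.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "kEDH", "kEECDH")


def audit_bind(line):
    """Classify the cipher tokens that one bind line enables."""
    words = line.split()
    report = {"3des": [], "no_forward_secrecy": [], "broad_alias": [],
              "sslv3_disabled": "no-sslv3" in words}
    if "ciphers" not in words[:-1]:
        report["explicit_ciphers"] = False  # no cipher list on this bind line
        return report
    report["explicit_ciphers"] = True
    for tok in words[words.index("ciphers") + 1].split(":"):
        if not tok or tok[0] in "!-@":
            continue  # exclusions, removals and @STRENGTH enable nothing
        tok = tok.lstrip("+")
        if "DES-CBC3" in tok or tok == "3DES":
            # The DES alias means single DES only, so "!DES" does not remove this.
            report["3des"].append(tok)
        elif tok.startswith(FS_PREFIXES):
            continue
        elif "-" not in tok and "+" not in tok:
            report["broad_alias"].append(tok)  # e.g. AES, CAMELLIA: expands widely
        else:
            report["no_forward_secrecy"].append(tok)  # e.g. AES128-SHA (RSA kx)
    return report


def audit_config(text):
    """Map each SSL bind address in a haproxy.cfg text to its report."""
    results = {}
    for raw in text.splitlines():
        words = raw.split()
        if len(words) >= 3 and words[0] == "bind" and "ssl" in words[2:]:
            results[words[1]] = audit_bind(raw)
    return results


if __name__ == "__main__":
    for addr, report in audit_config(SAMPLE_CFG).items():
        print(addr, report)
```

The classification works on cipher names only. For the exact set of suites a string expands to on the installed OpenSSL build, pass the same string to `openssl ciphers -v`.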