Solved HAproxy with SSL termination and failover

joel.bodenmann

Hello folks,

I'm successfully running a HAproxy on a FreeBSD 11.1 machine with several web servers behind it. The HAproxy is doing SSL termination.
My goal is to set up a failover for this setup. I started reading about CARP, and from what I've read that should definitely be possible and quite a common setup. But I have a big question: how does that work with SSL termination? I was unable to find any references to that. If I understand the process correctly, then both HAproxy hosts will share the same IP and CARP will take care of all the management, which basically boils down to the active machine having the public IP that everybody uses to access the website(s). Therefore, if both HAproxy instances have the same SSL certs on their hard drives (ideally via some replication service), everything should work just fine. Is that correct?
 

SirDice

> Therefore, if both HAproxy instances have the same SSL certs on their hard drives (ideally via some replication service) everything should work just fine. Is that correct?
Yes, that's correct. I simply rsync(1) the certificates from one host to another.
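
The rsync approach from the answer above, written out as an added example that is not part of either post: it pushes the certificate directory to the standby node and then checks that both nodes hold byte-identical PEM files, so certificate drift is caught before a CARP failover exposes it. The directory, the peer host name and the script's install path are assumptions.

```shell
#!/bin/sh
# Added example. CERT_DIR, PEER and SELF are assumed values, not from the thread.
CERT_DIR="${CERT_DIR:-/usr/local/etc/haproxy/certs}"   # assumed PEM directory
PEER="${PEER:-lb2.example.org}"                        # assumed standby node
SELF="${SELF:-/usr/local/sbin/haproxy-cert-sync}"      # assumed path on both nodes

# Print the SHA-256 of one file, on Linux (sha256sum) or FreeBSD (sha256).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print one "name hash" line per *.pem file in a directory, sorted by name.
manifest() {
    ( cd "$1" || exit 1
      for f in *.pem; do
          [ -f "$f" ] || continue      # directory holds no PEM files
          printf '%s %s\n' "$f" "$(file_hash "$f")"
      done | sort )
}

# Return 0 when the directory's manifest equals the manifest text in $2.
matches_manifest() {
    [ "$(manifest "$1")" = "$2" ]
}

case "${1:-}" in
    manifest)
        manifest "$CERT_DIR" ;;
    sync)
        # The PEM files contain private keys: copy over ssh and keep the
        # restrictive file modes (-a preserves them); --delete removes
        # certificates that were retired on the active node.
        rsync -a --delete "$CERT_DIR/" "$PEER:$CERT_DIR/" || exit 1
        peer_manifest=$(ssh "$PEER" "$SELF manifest") || exit 1
        if matches_manifest "$CERT_DIR" "$peer_manifest"; then
            echo "certificates in sync with $PEER"
        else
            echo "certificate drift between this node and $PEER" >&2
            exit 1
        fi ;;
esac
```

Run with `sync` from the node where certificates are issued or renewed; a non-zero exit status means the standby would present different certificates after a failover.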
 