SSL/TLS
Termination, offloading, and certificate management
Security
How to automate SSL/TLS certificate renewal with Let's Encrypt
How many engineers does it take to renew an SSL/TLS certificate? Several, you might joke. But you may not be far wrong!..
How-tos
How to master SSL termination in HAProxy: considerations and configurations
SSL/TLS termination is the most regularly implemented kind of SSL/TLS offload...
Security
Bolster your network with mTLS functionality from Loadbalancer.org
For Enterprise 8.9, Loadbalancer.org added a new SSL Terminator for HAProxy, allowing for mutual Transport Layer Security (mTLS) configurations...
How-tos
How to configure mTLS on a Loadbalancer.org appliance
If you're thinking about giving mTLS a go, why not try it for yourself by following the steps below...
Security
The pros and cons of offloading TLS/SSL encryption and decryption to your ADC
TLS encryption (formerly known as SSL encryption) is used to improve the safety of data exchanged over a network. But where should it sit in your network architecture?..
How-tos
How to create an SSL certificate in Linux
I thought I would try and cover the basics here by explaining how to create an SSL certificate and the various files that you'll end up with...
How-tos
When is it right to SSL offload?
It's a fair question, right? Let's take away the strain of SSL terminations from our application servers and let the load balancers deal with it. After all, why would we want to bog down our nifty application with network-level considerations?..
Integration
How to create a load balancer SSL/TLS certificates report
A customer asked me how to export a list of SSL/TLS certificate expiry dates from our load balancer appliance...
Security
How do I get an A+ from Qualys SSL, but keep FIPS compliance as well?
Is getting an A+ rating with the Qualys scanner starting to feel a bit like chasing a mythical unicorn? Every time you get close to catching and keeping the beast — it run's away and they change the rules again!..
Open source
Stunnel X-Forward-For (XFF) with HAProxy and the PROXY Protocol
By default, the source IP address of the packet reaching the web servers is the IP address of the load balancer and not the IP address of the client...
Security
Heartbleed 2.0? Not exactly but more OpenSSL issues have been found
Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs are not...
Security
Loadbalancer.org releases patch for the OpenSSL heartbleed vulnerability CVE-2014-0160
To ensure complete protection all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key...
Open source
SSL offload testing with HAProxy and Stunnel
There are a lot of SSL offload throughput statistics available for appliances across the internet but rarely do they detail the way they were tested...
Security
Secure Your Web Servers: SSL Termination and BEAST
The BEAST attack is a practical attack based on a protocol vulnerability and mainly affects the client side...
HAProxy
Transparent proxy of SSL traffic using Pound to HAProxy backend patch and how-to
I've previously blogged about how to get TPROXY and HAProxy working nicely together, but what if you want to terminate SSL traffic on the load balancer to use HAProxy to insert cookies in the standard HTTP stream to the backend servers?..