Shawn,

That is very helpful and provided some insight I hadn't considered, which will 
definitely help moving forward.  Thank you!

Dan.

-----Original Message-----
From: Shawn Heisey <hapr...@elyograg.org> 
Sent: Friday, March 18, 2022 8:06 PM
To: haproxy@formilux.org
Subject: [EXTERNAL] Re: Self-signed cert at haproxy, formal cert on backend web server


On 3/18/2022 9:28 AM, Moore, Dan [TREAS] wrote:
> This all works except the client browser is showing the connection as 
> insecure.  Would a formal certificate at haproxy fix this or is there 
> another way to keep the browser happy using the self-signed cert?  The 
> config I'm using is below.  Thanks!

Yes, you need a real cert signed by a public CA on whatever users 
actually connect to with https, in this case it's haproxy.

On your setup, the end user will never see the certificate on the 
backend server; they will only see the certificate that haproxy gives them.

The place to use a self-signed certificate is on the backend servers.  
There is an option for haproxy to have it not validate the certificate 
chain; I can't remember what it is.

I've worked hard on my setup to eliminate the need for SSL on the 
backend.  It was only recently that I figured out how to accomplish this 
on all my sites.  WordPress and a WSGI application called dnote were the 
ones that I had the hardest time configuring to force https even though 
the connection to Apache is unencrypted.  Once I figured out how to 
configure those applications, I was able to completely eliminate the SSL 
virtualhosts from my Apache configuration, and haproxy talks to Apache 
on localhost port 81.

TL;DR: The way I got the wsgi application to force https was with this 
directive in the Apache virtualhost:

WSGITrustedProxyHeaders X-Forwarded-For X-Forwarded-Proto

Thanks,
Shawn
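The layout Shawn describes, as an added configuration example that is not part of the thread and not Dan's posted config: a public-CA certificate on the haproxy listener that browsers actually connect to, the X-Forwarded-Proto/X-Forwarded-For headers that let the application behind it generate https:// links, a plain-HTTP hop to Apache on localhost port 81 (his setup), and, as an alternative, a backend on another host that presents a self-signed certificate. All file paths, addresses and backend names are placeholders. The option the thread could not name is `ssl verify none`; the example deliberately does not use it, and instead pins the backend's self-signed certificate with `verify required ca-file`, which keeps the chain check in place.

```haproxy
# Added example, not from the thread. Paths, addresses and names are placeholders.
global
    log /dev/log local0
    # Minimum protocol version for the public-facing listener (assumed policy).
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# The certificate users see is the one bound here, so it must come from a
# public CA. The PEM file holds the certificate chain followed by the key.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem
    bind :80
    # Send plain-HTTP requests to HTTPS instead of serving content on port 80.
    http-request redirect scheme https unless { ssl_fc }
    # Tell the application the original scheme and client address so it can
    # build https:// URLs even though its own listener is unencrypted.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    option forwardfor
    default_backend apache_plain

# Option A (the thread's setup): haproxy and Apache on the same host, so the
# hop to port 81 never leaves localhost and needs no TLS at all.
backend apache_plain
    server apache1 127.0.0.1:81 check

# Option B: Apache on another host with a self-signed certificate. Point
# ca-file at that certificate itself (a self-signed cert is its own issuer)
# and require verification, rather than disabling it with "ssl verify none".
# Swap default_backend above to select this pool.
backend apache_selfsigned
    server apache2 10.0.0.5:443 ssl verify required ca-file /etc/haproxy/certs/apache2-selfsigned.crt check
```

With option B, `verify required` checks the chain but not the name in the certificate; add `sni str(<name>) verifyhost <name>` to the `server` line if the backend certificate's subject should also be checked. On the Apache side, the `WSGITrustedProxyHeaders` directive from the thread needs the proxy's address listed with `WSGITrustedProxies` (for example `127.0.0.1` in option A) so that mod_wsgi only honours those headers when they arrive from haproxy, not from an arbitrary client that can reach port 81 directly.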

