1. Encrypting HAProxy connections

LeanXcale recommends HAProxy version 2.3, which is the last stable version and provides TLS v1.2 using a certificate.

A certificate is required to configure HAProxy to encrypt the Query Engine connections. The certificate can be issued by a Certificate Authority or be self-signed. To enable encryption, add the property SECURE_COMMUNICATION_HAP, specifying the path to the certificate file, in the [all:vars] section of the inventory file.

SECURE_COMMUNICATION_HAP = {"certificate": "/home/ubuntu/lxs/conf/server.pem"}

We provide the following bash commands to create a self-signed certificate.

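# Generate a new private key and self-signed certificate if a pair issued by a trusted CA is not available.
# Option -nodes leaves the private key unencrypted so that HAProxy can start without prompting for a password.
# Option -addext requires OpenSSL 1.1.1 or later.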
$ openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout private.key -out client.crt -subj "/CN=leanxcale.com/OU=ITDep/O=LeanXcale/L=Madrid/ST=Madrid/C=ES" -addext "subjectAltName=DNS:leanxcale.com,DNS:localhost,IP:127.0.0.1"
# Bundle the private key and the public certificate into server.pem
$ cat private.key client.crt > server.pem
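
The check below is an added example, not part of the LeanXcale tooling. It verifies the server.pem bundle produced above before HAProxy is pointed at it: key and certificate match, remaining validity, subjectAltName coverage, and file permissions. The function name check_haproxy_pem and the 30-day default are assumptions, and the openssl command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not LeanXcale code): sanity-check the PEM bundle before HAProxy uses it.
# check_haproxy_pem is a hypothetical helper name.
# Usage: check_haproxy_pem <bundle.pem> <expected-hostname> [min-days-valid]
check_haproxy_pem() {
    pem=$1; host=$2; days=${3:-30}; rc=0

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # The bundle must contain both the private key and the certificate.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key in $pem"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate in $pem"; return 1; }

    # The public key derived from the private key must equal the certificate's.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # The certificate must remain valid for at least $days more days.
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $days days"; rc=1; }

    # Clients compare the DNS name they connect to with subjectAltName.
    openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' ||
        { echo "FAIL: certificate does not cover host $host"; rc=1; }

    # -nodes left the key unencrypted, so the file mode is its only protection.
    case $(ls -ld "$pem" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL: $pem is accessible to group/others (chmod 600)"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}

# Run the check when the script is called with arguments, for example:
#   sh check_pem.sh server.pem localhost
if [ "$#" -gt 0 ]; then check_haproxy_pem "$@"; fi
```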