In production, it is common practice to terminate SSL/TLS connections at a reverse proxy rather than in the application server itself. This approach offloads the computational overhead of encryption to dedicated infrastructure, simplifies certificate management, and allows the backend server to operate over plain (unencrypted) WebSocket connections. The trade-off is that the hop between the proxy and the backend is cleartext, so it must stay on a network an attacker cannot observe, in the simplest case the loopback interface of the same host. HAProxy is a widely used, high-performance reverse proxy that supports WebSocket connections natively.
A typical deployment places HAProxy in front of one or more VRTQL WebSocket servers. HAProxy accepts incoming wss:// connections from clients, terminates the SSL/TLS session, and forwards the traffic to the backend server as plain ws:// connections. The VRTQL server binds to 127.0.0.1 on a non-public port, so the unencrypted traffic never leaves the host, and only HAProxy is exposed to the public network.
The following is a minimal HAProxy configuration that demonstrates this setup:
global
    maxconn 4096

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout tunnel 3600s

frontend wss_frontend
    bind *:443 ssl crt /etc/ssl/private/server.pem
    default_backend ws_backend

backend ws_backend
    server vrtql1 127.0.0.1:8181 check
The key configuration directives are as follows:
The bind *:443 ssl crt directive in the frontend section tells HAProxy to listen on port 443 and terminate SSL/TLS using the specified certificate file. The file must contain the private key and the server certificate in PEM format, followed by any intermediate certificates clients need to build the chain. Because it holds the private key, it should be readable only by the user HAProxy runs as.
The timeout tunnel directive is critical for WebSocket connections. Unlike standard HTTP requests, which are short-lived, WebSocket connections are long-lived. Once a connection has been upgraded, this timeout replaces timeout client and timeout server and governs how long HAProxy keeps the tunnel open when no data flows in either direction. Set it to a value appropriate for your application; 3600 seconds (one hour) is a reasonable starting point. If clients may sit idle longer than that, have the application send periodic WebSocket ping frames rather than raising the timeout indefinitely, since a very large value also lets half-dead connections hold proxy resources.
The backend server directive points to the VRTQL server's host and port. The check option enables health checks; with no further options this is a layer-4 TCP connect probe, and a server that fails it is taken out of rotation until it passes again.
For deployments with multiple backend servers, HAProxy can load-balance across them:
backend ws_backend
    balance roundrobin
    server vrtql1 127.0.0.1:8181 check
    server vrtql2 127.0.0.1:8182 check
    server vrtql3 127.0.0.1:8183 check
Note that WebSocket connections are stateful. An established connection stays on the server it was assigned to for its entire lifetime, so stickiness only matters when a client reconnects or when application state is shared with earlier HTTP requests; depending on your application's design, sticky sessions (session affinity) may therefore be required so that a reconnecting client reaches the same backend. You can enable this in HAProxy using cookies (the cookie directive) or by hashing the client's source address via the balance source directive. Bear in mind that balance source sends every client behind a shared NAT address to the same server, which skews the load.
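The following configuration is an added, hardened variant of the minimal setup above and of the multi-server backend just shown; it is example configuration written for this page, not configuration shipped by the VRTQL project. It assumes HAProxy 2.x built against OpenSSL 1.1.1 or later (for the TLS 1.3 ciphersuites line), the same certificate path and backend ports used above, and that the backend serves only WebSocket traffic (the deny rule is an assumption to drop if ordinary HTTP requests must also pass). It adds a TLS floor and cipher policy, forwarded-client headers, a bound on handshake time, and cookie-based affinity in place of source hashing:

```haproxy
global
    maxconn 4096
    # Process-wide TLS floor for every "bind ... ssl": no SSLv3/TLS 1.0/1.1,
    # no session tickets (a leaked ticket key would expose past sessions).
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    option httplog
    option forwardfor              # X-Forwarded-For: client IP the backend would otherwise never see
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s       # bound how long a client may take to send the handshake
    timeout tunnel 3600s           # idle limit once the connection is upgraded

frontend wss_frontend
    # alpn http/1.1 keeps the handshake on HTTP/1.1, the Upgrade mechanism the backend speaks.
    bind *:443 ssl crt /etc/ssl/private/server.pem alpn http/1.1
    http-request set-header X-Forwarded-Proto https
    # Assumption: the backend is WebSocket-only, so refuse anything that is not an
    # upgrade request. Remove the deny line if it must also serve plain HTTP.
    acl is_websocket hdr(Upgrade) -i websocket
    http-request deny unless is_websocket
    default_backend ws_backend

backend ws_backend
    balance roundrobin
    # Affinity without hashing on the client IP: HAProxy inserts a SRVID cookie
    # naming the chosen server and routes a client that presents it back there.
    cookie SRVID insert indirect nocache httponly secure
    # "check" alone is a layer-4 TCP connect probe; every server stays on loopback.
    server vrtql1 127.0.0.1:8181 check cookie s1
    server vrtql2 127.0.0.1:8182 check cookie s2
    server vrtql3 127.0.0.1:8183 check cookie s3
```

Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading. Cookie affinity only works when the client stores the cookie and sends it on the next handshake; browsers do, but many non-browser WebSocket clients do not, and for those balance source remains the fallback despite its NAT skew.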