To secure connections on your server, you need to install an SSL certificate on your HAProxy instance. This ensures encrypted traffic between VergeCloud and your backend services. Because HAProxy commonly sits as the entry point in front of multiple backend applications, securing it with SSL is crucial for preventing sensitive data from being transmitted in plain text. When SSL is configured correctly, all communication between VergeCloud and your origin server is encrypted, meaning that even if traffic is intercepted, it cannot be read or modified by unauthorized users. Implementing SSL through HAProxy also provides authentication so that VergeCloud knows it is communicating with your legitimate server. This setup enhances both security and reliability, especially for applications where user data, API requests, or internal service communication must remain private.
You can use your own SSL certificate and private key or generate a free certificate from the SSL/TLS → Origin Server section in the VergeCloud dashboard. VergeCloud Origin SSL certificates are intended for securing the connection between VergeCloud and your backend, not for public browsers, which makes them ideal for private infrastructure. If you generate the certificate using VergeCloud, you will receive both the certificate file and the private key. These files must be handled carefully, particularly the private key, which must remain secret at all times. If the private key is exposed, an attacker could impersonate your server. This is why many administrators keep these files in protected directories and transfer them only through encrypted methods. Before moving forward, make sure you have securely downloaded these files and have verified that they are correctly matched. Reading the VergeCloud documentation on Origin SSL will also help you understand the validity period and renewal process so that you can maintain your SSL deployment without service disruption.
HAProxy requires the SSL certificate and private key to be combined into a single PEM-formatted file. This format allows HAProxy to access everything it needs in one place during the SSL handshake. To create this combined file, run the following command:
cat certificate.crt private.key > /etc/ssl/vergecloud/haproxy.pem
This command places the certificate first, followed by the private key. The order is important because HAProxy expects the certificate chain before the key. Once created, the resulting haproxy.pem file should be stored in a secure directory. The PEM file contains both the certificate and the key, which means it must be protected just as strictly as the private key itself. It is common to set restrictive file permissions immediately after creating the file to prevent unauthorized access.
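The steps above (verify that the certificate and key belong together, concatenate them certificate-first, lock down the result) as one script. This is an added example, not VergeCloud's or HAProxy's own tooling; the function names and the refusal-on-mismatch behaviour are this script's, and the /etc/ssl/vergecloud/haproxy.pem path from the page appears only as the default in the usage line.

```shell
#!/bin/sh
# Added example: build the single PEM bundle HAProxy loads. It refuses to write
# anything unless the private key really belongs to the certificate, and never
# leaves the bundle world-readable, even for an instant.

# Exit 0 when KEY is the private half of the public key inside CERT.
# Both files are reduced to their PEM-encoded public key and compared byte for
# byte, which works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the bundle starts with a certificate block and ends with a key
# block, i.e. the order described above (certificate, optional chain, key).
pem_bundle_order_ok() {
    first=$(grep -- '-----BEGIN ' "$1" | head -n 1)
    last=$(grep -- '-----BEGIN ' "$1" | tail -n 1)
    case "$first" in *CERTIFICATE*) ;; *) return 1 ;; esac
    case "$last" in *"PRIVATE KEY"*) ;; *) return 1 ;; esac
    return 0
}

# build_haproxy_pem CERT KEY OUT
# Writes OUT (creating its directory) with mode 0600, or returns 1 and leaves
# no file behind when the pair does not match or the result is malformed.
build_haproxy_pem() {
    cert=$1; key=$2; out=$3
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing to bundle: $key is not the private key for $cert" >&2
        return 1
    fi
    mkdir -p "$(dirname "$out")" || return 1
    # umask 077 makes the file private from the moment it is created;
    # the explicit chmod covers the case where OUT already existed.
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    chmod 600 "$out" || return 1
    if ! pem_bundle_order_ok "$out"; then
        echo "bundle $out is malformed; removing it" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}

# Usage: sudo sh build_haproxy_pem.sh certificate.crt private.key /etc/ssl/vergecloud/haproxy.pem
if [ "$#" -eq 3 ]; then
    build_haproxy_pem "$@"
fi
```

The match check compares public keys rather than RSA moduli so that it also covers EC certificates; a non-zero exit from the script is the signal to stop before touching the HAProxy configuration.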
To enforce HTTPS, add the following frontend rule to your HAProxy configuration so that any HTTP requests are automatically redirected to the secure version of your site. This helps ensure that no unencrypted traffic accidentally reaches your backend.
frontend http-in
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }
This configuration listens on port 80 and issues a permanent redirect to HTTPS whenever the connection is not already secured. The redirect is important because many clients may initially attempt to access your site using HTTP, especially if they are following an old link or typing the domain manually. By enforcing HTTPS at the proxy level, you guarantee that every request eventually reaches the secure endpoint.
Next, update your main HAProxy configuration file located at /etc/haproxy/haproxy.cfg. Here, you will configure SSL binding for port 443 and define the backend service that HAProxy forwards traffic to. The basic configuration looks like this:
frontend https-in
    bind *:443 ssl crt /etc/ssl/vergecloud/haproxy.pem
    mode http
    default_backend servers

backend servers
    mode http
    server app1 127.0.0.1:3000 check
The bind directive tells HAProxy to listen on port 443 using the SSL certificate stored in the PEM file you created earlier. The mode http setting ensures that HAProxy handles HTTP-level details correctly. The default_backend line sends requests to the backend block named servers. Inside that backend block, you define one or more application servers. In this example, traffic is forwarded to a local service running on port 3000. The check flag enables health checks so that HAProxy can determine whether the backend server is responding correctly. If you have multiple backend nodes, HAProxy can perform load balancing as well, but for simple setups, forwarding to a single local service is common.
After updating the configuration, test and reload HAProxy to apply the changes. Begin by checking for syntax errors using:
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
If the test passes, reload the service with:
sudo systemctl reload haproxy
Reloading allows HAProxy to adopt the new SSL configuration without completely stopping active traffic. This makes it safe for production environments where downtime must be avoided.
After setup, test the certificate with:
openssl s_client -connect yourdomain.com:443
This command helps verify that HAProxy is serving the correct certificate and that the SSL handshake completes successfully. It allows you to inspect certificate details, check for misconfigurations, and confirm that the PEM file is being read correctly.
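A script that turns the s_client check above into a pass/fail test: it fingerprints the certificate HAProxy actually presents and compares it with the first certificate in the installed bundle, so a stale file or a wrong crt path shows up as a mismatch. This is an added example and not part of the VergeCloud documentation or of HAProxy; the host, port and bundle path are arguments, and the function names are this script's own.

```shell
#!/bin/sh
# Added example: confirm from the outside that HAProxy serves the certificate
# from the bundle you installed, not a default or previously loaded one.

# SHA-256 fingerprint of the first certificate in a local PEM file (the leaf,
# given the certificate-first order of the bundle). Empty on any error.
local_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate presented on HOST:PORT.
# -servername sends SNI, which matters once HAProxy holds several certificates;
# stdin is closed so s_client exits right after the handshake. Empty when the
# handshake fails or nothing is listening.
served_fingerprint() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# served_cert_matches_bundle HOST PORT PEM
# Exit 0 only when the served leaf matches the local bundle. An empty
# fingerprint on either side (failed handshake, unreadable file) never matches.
served_cert_matches_bundle() {
    want=$(local_fingerprint "$3")
    got=$(served_fingerprint "$1" "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage: sh check_haproxy_tls.sh yourdomain.com 443 /etc/ssl/vergecloud/haproxy.pem
if [ "$#" -eq 3 ]; then
    if served_cert_matches_bundle "$1" "$2" "$3"; then
        echo "OK: $1:$2 serves the certificate from $3"
    else
        echo "MISMATCH: $1:$2 does not serve the certificate from $3" >&2
        exit 1
    fi
fi
```

Run it against the public hostname as well as 127.0.0.1 after every reload or certificate renewal; a mismatch after a renewal usually means the new bundle was written but HAProxy was never reloaded.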