This repo contains a HAProxy config to start a local proxy redirecting http requests as https with or without client certificate and BrainpoolP256r1 elliptic curve.
Configs are as small as possible, just to show how it is working on your local machine. To make sure to not open security holes on productive servers, check out the HAProxy documentation (e.g. add special user and group for HAProxy).
HAProxy is an open source reliable, high performance tcp/http load balancer similar to nginx (but with the option to set client tls elliptic curve)
- Linux (ubuntu):
sudo apt install haproxy - MacOS:
brew install haproxyusing (homebrew) - Windows via WSL (ubuntu):
sudo apt install haproxy(WSL2 with ubuntu) - Windows via custom .exe: https://github.com/xjoker/HAProxyForWindows/releases, e.g.
haproxy-3.2.3-win64.zip(do not use the nolib versions)
HAProxy is using OpenSSL to establish connection. Make sure OpenSSL is installed in a version supporting BrainpoolP algorithms
- Linux (ubuntu):
sudo apt install openssl - MacOS:
brew install openssl - Windows via WSL: same as for Linux (ubuntu)
- Windows via custom .exe: should be bundled inside the exe
openssl ecparam -list_curves | grep brainpoolshould output something likebrainpoolP256r1: RFC 5639 curve over a 256 bit prime field
If you have a client certificate for the TLS-Connection you need to make sure that it is a .pem file without a password.
To transform a .p12|pfx file with password to a .pem file without a password, use the following commands (replace client.pfx, client.crt, client.key, client.pem with your paths/filenames):
# Extract the certificate
openssl pkcs12 -in client.pfx -clcerts -nokeys -out client.crt -legacy
# Extract the private key (will prompt for passphrase)
openssl pkcs12 -in client.pfx -nocerts -nodes -out client.key -legacy
# Combine both files in one pem
cat client.crt client.key > client.pemconfigs/haproxy.cfg: a basic HAProxy conf- defines redirects from http on port 8082 (can be changed) to https with client authentication on your backend
- additional defines redirects from ldaps to ldaps (just to show that it is possible, remove it, if not needed) with client authentication on your backend
- replace all:
[BACKEND_IP_DOMAIN]with your domain/IP[CLIENT_CERTIFICATE_PATH]with your client certificate in .pem format without password- without a certificate remove occurences of
crt [CLIENT_CERTIFICATE_PATH] - change the binding ports if needed (8082, 636)
configs/openssl.cnf: base openssl config- just adds brainpoolp256r2 to allowed curves
Curves = brainpoolP256r1:X25519:P-256 - adapt if needed
- just adds brainpoolp256r2 to allowed curves
Now start HAProxy with the configs.
Linux ubuntu, MacOS, Windows via WSL
sudo OPENSSL_CONF=[PATH_OPENSSL.cnf] haproxy -f [PATH_HAProxy.cfg] -dWindows custom .exe
SET OPENSSL_CONF=[PATH_OPENSSL.cnf]
haproxy.exe -f [PATH_HAProxy.cfg] -dReplace [PATH_OPENSSL.cnf] with the path to your openssl.cnf and [PATH_HAProxy.cfg] with the path to your haproxy.cfg.
Sometimes HAProxy is already running as service after installation. Stop it, if it is already running (e.g. linux ubuntu systemctl disable --now haproxy).
Send a request or if you have a testable endpoint open a browser with http://localhost:[HTTP_PORT]/[PATH] (replace [HTTP_PORT] defined in your haproxy.cfg, e.g. 8082, replace [PATH] with your backend endpoint/route)