simpleweb.haproxy

Ansible HAProxy Role for Debian Wheezy

This role achieves a good level of SSL security as tested by SSLLabs.

In your playbook you need the following variables:

app_name: my-app
ssl_certificate: <full SSL chain including key>
haproxy:
  backends: "{{ groups['production'] }}"

Adding the SSL certificate to Vault

Ansible Vault is a good place to store your certificate securely. To do this, include it using YAML multi-line syntax, which looks like:

ssl_certificate: |
  -----BEGIN CERTIFICATE-----
  REST OF CERT...
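
A pre-commit style check for the vars file that holds ssl_certificate, given here as an added example and not part of the role itself: it flags a private key committed in plaintext and verifies that the bundle contains complete PEM blocks. The function names, the sample inputs and the "exactly one private key" rule are assumptions made for this example.

```python
import re

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first bytes of a file encrypted by ansible-vault
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample inputs (placeholder bodies, not real key material).
ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n0000constructed0000\n"
PLAINTEXT = """ssl_certificate: |
  -----BEGIN CERTIFICATE-----
  CONSTRUCTEDPLACEHOLDER
  -----END CERTIFICATE-----
  -----BEGIN PRIVATE KEY-----
  CONSTRUCTEDPLACEHOLDER
  -----END PRIVATE KEY-----
"""
TRUNCATED = "ssl_certificate: |\n  -----BEGIN CERTIFICATE-----\n  REST OF CERT...\n"


def bundle_problems(text):
    """Check the PEM bundle structure: certificate chain plus its key."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    problems = []
    if text.count("-----BEGIN ") != len(labels):
        problems.append("unterminated PEM block")
    if labels.count("CERTIFICATE") == 0:
        problems.append("no certificate in bundle")
    # Assumption for this example: one key belongs to the leaf certificate.
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("expected exactly one private key")
    return problems


def check_vars_file(text):
    """Return a list of problems for the contents of a vars file."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []  # encrypted at rest; structure can only be checked after decryption
    problems = bundle_problems(text)
    if "PRIVATE KEY-----" in text:
        problems.insert(0, "private key is in plaintext; encrypt this file with ansible-vault")
    return problems


if __name__ == "__main__":
    for name, sample in [("encrypted", ENCRYPTED), ("plaintext", PLAINTEXT), ("truncated", TRUNCATED)]:
        print(name, check_vars_file(sample))
```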

Limitations

This role only works with Debian Wheezy for the time being.

SSL is forced for all connections.

haproxy.backends specifies a group in your hosts. This entire group becomes your front-ends and looks for the resulting server on eth1 on the port specified by backend_port. We use Rackspace a lot, and eth1 is the internal network.

Nginx must be running on port 8080 as the backend.

Results

It's worth checking results with SSL Labs, but this should achieve an A+ rating with good browser support.

SSL Labs Result

About

HAProxy installation for single app with good SSL rating

Install
ansible-galaxy install simpleweb.haproxy
License
mit