HAProxy with SSL, without root and no OpenSSL installed?

So you have an account as a regular linux user and you want to install HAProxy with SSL on a system that doesn’t have OpenSSL.

To make matters worst you don’t have glibc-static so you can only build OpenSSL as a shared library but, as a regular user, you can’t place that library in the /lib nor in the /usr/lib directories.

The steps to get this to work are:

  1. download both HAProxy and OpenSSL source code
  2. configure, make and install both HAProxy and OpenSSL
  3. make bash assume a local folder as a shared libraries folder

If things go wrong just use make clean to go back to default state.

a) Create the following directories:
~/openssl-src, to put OpenSSL downloaded source code
~/openssl-bin, to put compiled OpenSSL binaries
~/haproxy, to put HAProxy source code and build the binary
~/lib, folder that will have symlinks to shared libraries

b) Download and unzip source code:
Latest OpenSSL unzip to ~/openssl-src
Latest HAProxy unzip to ~/haproxy

c) Compile and Install OpenSSL
Go to the OpenSSL source directory and run the following commands:

The -j $(nproc) flag allows make to parallelize tasks to the number of available processors. make install_sw installs OpenSSL to the folder specified with --prefix.

d) Create HAProxy binary
Just run the following command to build HAProxy with SSL and GZIP support.

e) Link shared libraries
If you try to run ./haproxy now you’ll get this error:

./haproxy: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

So in order to make bash load libraries from your own custom folder edit .bashrc and insert the following line:

And then change directory to the created lib folder with cd ~\lib and make symlinks of the required ssl libraries. Namely:

Done! You can now spin up the haproxy binary.

You may want to explore more on how to setup SSL for internal services or even how to configure HAProxy for SSL termination.

Leave a Reply

Your email address will not be published. Required fields are marked *