Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/changelog.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

Each revision is versioned by the date of the revision.

## 2026-07-06

- docs: Add a how-to guide for configuring the backend protocol.

## 2026-06-26

- docs: Add docs on the Terraform module.
Expand Down
45 changes: 45 additions & 0 deletions docs/how-to/configure-backend-protocol.md
Comment thread
Thanhphan1147 marked this conversation as resolved.
Comment thread
Thanhphan1147 marked this conversation as resolved.
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
myst:
html_meta:
"description lang=en": "Learn about how to configure the backend protocol to use HTTPS for connections."
---

(how_to_configure_backend_protocol)=
Comment thread
Thanhphan1147 marked this conversation as resolved.

# How to set the protocol to HTTPS for a backend application

By default, the HAProxy charm enforces HTTPS for connections from clients while communicating with backend applications over HTTP. In some scenarios, you may also want to use HTTPS as the communication protocol for connections between HAProxy and the backend applications.

To do so, HAProxy verifies the identity of the backend application against a set of trusted certificate authority (CA) certificates. These certificates are sent to the `haproxy` charm through the `receive-ca-certs` relation. Therefore, at least one `receive-ca-certs` relation is required before you can set the backend protocol to HTTPS.

This guide assumes that you have already deployed the `haproxy` charm and integrated it with a `haproxy-route` requirer. In this guide we use the [`ingress-configurator`](https://charmhub.io/ingress-configurator) charm as the requirer.

## Transfer the CA certificate of the backend application

Integrate the charm that provides the backend CA certificate with the `haproxy` charm through the `receive-ca-certs` relation. In this guide we use the `self-signed-certificates` charm as an example:

```sh
juju integrate haproxy:receive-ca-certs self-signed-certificates
```

Verify that the CA certificate has been transferred and written to the expected location on the HAProxy unit:

```sh
juju ssh haproxy/leader ls /var/lib/haproxy/cas
```

You should see the `cas.pem` file listed in the output.

## Configure the backend protocol

Set the `backend-protocol` configuration on the `ingress-configurator` charm to `https`:

```sh
juju config ingress-configurator backend-protocol=https
```

Once all charms have settled into an "Active" state, HAProxy establishes HTTPS connections to the backend application and verifies its identity using the transferred CA certificate.

## Verify the backend protocol

Send a request through HAProxy and confirm that you can still reach the backend application, and that the backend application is now terminating TLS.
1 change: 1 addition & 0 deletions docs/how-to/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ against vulnerabilities and attacks.
:maxdepth: 1
Enable DDoS Protection <enable-ddos-protection.md>
Protect a hostname using OpenID Connect <protect-hostname-spoe-auth.md>
Configure the backend protocol <configure-backend-protocol.md>
```

## Maintenance and development
Expand Down
2 changes: 1 addition & 1 deletion docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ This operator is built for **IaaS/VM** and is not supported in **Kubernetes** en
* - **Other supported protocols**
- {ref}`FTP <how_to_loadbalancing_for_an_ftp_server>` | {ref}`gRPC <how_to_loadbalancing_for_a_grpc_server>` | {ref}`HTTP/2 <reference_http2_support>`
* - **Security**
- {ref}`Overview <explanation_security>` | {ref}`Enable DDoS protection <how_to_enable_ddos_protection>` | {ref}`Protect a hostname <how_to_protect_hostname_spoe_auth>`
- {ref}`Overview <explanation_security>` | {ref}`Enable DDoS protection <how_to_enable_ddos_protection>` | {ref}`Protect a hostname <how_to_protect_hostname_spoe_auth>` | {ref}`Configure HTTPS backend protocol <how_to_configure_backend_protocol>`
```

## How this documentation is organized
Expand Down
Loading