Title: Using haproxy for TLS layer
       Author: Solène
       Date: 07 March 2019
       Tags: openbsd
       Description: 
       
       This article explains how to use haproxy to add a TLS layer to any TCP
       protocol, including http or gopher. The following example shows the
       minimal setup required to make it work; haproxy has a lot of options
       and I won't use them.
       
       The idea is to let haproxy manage the TLS part and let your http server
       (or any daemon listening on TCP) reply within the wrapped connection.
       
       
       You need a simple haproxy.cfg which can look like this:
       
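           defaults
                   mode    tcp
                   timeout client 50s
                   timeout server 50s
                   timeout connect 50s

           # TLS is terminated here; the frontend name is arbitrary
           frontend tls_in
                   bind *:7000 ssl crt /etc/ssl/certificat.pem
                   default_backend gopher

           # plain TCP daemon that receives the decrypted traffic
           backend gopher
                   server gopher 127.0.0.1:7070 check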
       
       The idea is that it waits on port 7000 and will use the file
       **/etc/ssl/certificat.pem** as a certificate, and forward requests to
       the backend on 127.0.0.1:7070. **That is ALL**. If you want to do
       https, you need to listen on port 443 and redirect to your port 80.
       
       The PEM file is made from the privkey concatenated with the fullchain
       certificate. If you use a self-signed certificate, you can make it with
       the following command:
       
           cat secret.key certificate.crt > cert.pem
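
An added example, not part of the original article: it creates a throwaway self-signed pair, concatenates it as above into a PEM readable only by its owner, and checks that the private key in the bundle matches the certificate before haproxy is pointed at it. The function names and the CN `gopher.example` are assumptions made for this example, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: build the haproxy PEM bundle and verify it.
# File names follow the article; function names and the CN are assumptions.

# Create a throwaway self-signed key and certificate in directory $1
# (constructed sample input for the checks below).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=gopher.example" \
        -keyout "$1/secret.key" -out "$1/certificate.crt" 2>/dev/null
}

# Concatenate key ($1) and certificate ($2) into bundle ($3).
# The bundle contains the private key, so keep it owner-only.
build_pem() {
    ( umask 077; cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Print the public key (PEM) derived from the private key or the
# certificate found in file $2; $1 selects which one ("key" or "crt").
pubkey_of() {
    case $1 in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        crt) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# Return 0 only if bundle $1 holds a private key AND a certificate
# whose public keys are identical.
check_pem() {
    k=$(pubkey_of key "$1") || return 1
    c=$(pubkey_of crt "$1") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

A bundle that fails `check_pem` holds a key that does not belong to its certificate, or lacks one of the two parts.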
       
       Instead of a single file, one can use a folder containing PEM
       certificate files. This allows haproxy to accept connections for ALL
       the certificates loaded.
       
       For more security, I recommend using the chroot feature and a dh file
       but it's out of the current topic.