see haproxy-install
Either generate a self-signed dummy certificate, or make sure the genuine certificates are already in place, as follows:
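# this is the directory the "bind ... crt /etc/haproxy/certs" line points at:
# one .crt per served name, with its private key in a sibling .crt.key file
#mkdir -p /etc/haproxy/certs/
cd /etc/haproxy/certs/ || exit 1
# both files must exist; the key must be root-owned and not group/world-readable
# (check the mode column of the listing)
ls -lF keycloak.demo.nethence.com.crt keycloak.demo.nethence.com.crt.key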
# keep a pristine copy of the packaged config before editing it
# (-p keeps ownership/mode, -i refuses to clobber an existing .dist)
cp -pi /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.dist
# the full configuration reference ships compressed with the package
gzip -dc /usr/share/doc/haproxy/configuration.txt.gz | less
vi /etc/haproxy/haproxy.cfg
As long as we use clear-text within the DMZ, we drop the references to the known CAs — there’s no need for an SSL trust store unless you are a CDN.
# clear-text internally - no need for those
# (ca-base / crt-base only set the directory prefix for relative "ca-file" and
#  "crt" paths; with every path written absolute they change nothing)
#ca-base /etc/ssl/certs
#crt-base /etc/ssl/private
Or, in case you call SSL-enabled backends:
# we do call https backends internally
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# NOTE(review): these only set the prefix for relative "ca-file"/"crt" paths, they do not
# verify anything by themselves — each https "server" line still needs a "ca-file <bundle>"
# (relative to ca-base) to validate the backend certificate against, and should keep the
# default "verify required"; do not silence a failing check with "verify none"
Here is a better SSL setup:
# PFS key-exchange only
# TLS 1.2 and below: ECDHE/DHE only, static RSA and anonymous suites excluded
# (kGOST presumably only matches on a GOST-enabled OpenSSL build and is otherwise
#  inert; this list still admits CBC suites — if your clients allow it, an AEAD-only
#  list such as ECDHE+AESGCM:ECDHE+CHACHA20 is the stricter choice)
ssl-default-bind-ciphers ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES
# TLS 1.3 suites (separate directive, all AEAD)
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# no protocol below TLS 1.2; session tickets off because the ticket-encryption key is
# long-lived unless rotated, which undermines forward secrecy for resumed sessions
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# the DHE suites are only as strong as this group: generate it with at least 2048 bits
# (e.g. openssl dhparam -out /etc/haproxy/dhparms.pem 2048) and make sure the file
# exists before starting haproxy
ssl-dh-param-file /etc/haproxy/dhparms.pem
Stats page setup:
# reachable through internal network only
listen stats
    # NOTE(review): "*" listens on every interface, so this relies entirely on the
    # firewall; prefer binding the internal address (bind INTERNAL-IP:8404) and/or
    # protect the page with "stats auth USER:PASS"
    bind *:8404
    stats enable
    stats uri /
    stats refresh 5s
    # assuming 8404/tcp is not allowed publicly
    # the admin mode (enable/disable servers from the page) must be gated by an ACL;
    # the bare "if 10.0.0.0/8" form is not a valid condition, it needs a source match
    #stats admin if { src 10.0.0.0/8 }
We want the backends to know the client’s IP address:
#errorfile ...
# add the client address in X-Forwarded-For
option forwardfor
# close the server-side connection after each response, keep the client side open
option http-server-close
# NOTE(review): forwardfor appends to an X-Forwarded-For the client may already have
# sent, so the backend must only trust the entry added by this proxy (the last one),
# or strip client-supplied values first in the frontend:
#   http-request del-header X-Forwarded-For
# and configure the backend to honour X-Forwarded-* only from this proxy's address
Sample reverse-proxy setup (no load balancing) — note that we also want the backends to know that HTTPS was handled by the proxy:
frontend kc-http
    # alpn is a TLS extension; it has no effect on this clear-text bind
    bind *:80 alpn h2,http/1.1
    # NOTE(review): browsers ignore Strict-Transport-Security received over plain
    # http (RFC 6797), so this header only matters on the https frontend below
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    acl host_kc hdr(host) -i keycloak.demo.nethence.com
    # only the known host is redirected; any other Host on :80 has no backend to go
    # to and gets an error response from haproxy (no default_backend here)
    redirect scheme https code 301 if host_kc

frontend kc-https
    # every certificate under the directory is loaded, SNI selects the matching one
    bind *:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1
    # ~185 days; the browser preload list needs at least a year (max-age=31536000),
    # the trailing ";" is tolerated but "max-age=...; includeSubDomains" is the usual form
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    acl host_kc hdr(host) -i keycloak.demo.nethence.com
    # unknown hosts are not routed anywhere (no default_backend)
    use_backend kc-server if host_kc

backend kc-server
    #balance static-rr
    # tell keycloak the client came in over https (it is clear-text from here on);
    # this is set by the proxy, not copied from the client, so it cannot be spoofed —
    # and only kc-https routes here, so it is always true
    http-request set-header X-Forwarded-Proto https
    server dnc-keycloak 10.1.0.19:8080 check
more options
# (frontend)
# a single self-signed cert instead of the certs directory — testing only, clients will not trust it
#bind *:443 ssl crt /etc/ssl/self.crt alpn h2,http/1.1
# crt-list: explicit certificate list, with optional per-certificate options and SNI filters
#bind *:443 ssl crt-list /etc/haproxy/certs.list alpn h2,http/1.1
# fallback when no use_backend rule matches (without it unmatched hosts get an error)
#default_backend servers
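# validate first and only restart when the config parses — an unconditional restart
# after a failed check takes the proxy down; "systemctl reload haproxy" is the
# zero-downtime alternative where the unit supports it
haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl restart haproxy
systemctl status haproxy
# startup errors go to the journal, traffic to the log file (tail -F blocks until ^C)
journalctl -u haproxy.service --since today --no-pager
tail -F /var/log/haproxy.log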
Attempt to reach the backends locally (from the HAProxy host):
# each backend must answer directly on its clear-text port (TEST-SRVn are placeholders)
for backend in TEST-SRV1 TEST-SRV2; do
  curl -i "$backend"
done
Attempt to reach the frontend remotely:
# only 80 and 443 should be open on the facing address; 8404 (stats) must not show up here
for target in HAPROXY-FACING-IP HAPROXY-FACING-HOST; do
  nmap -p 80,443 "$target"
done
Check the redirects:
# expected: the served FQDN answers with a 301 to https; the bare host and IP do not
# match the host ACL and are therefore not redirected
for target in SOME-SERVED-FQDN HAPROXY-FACING-HOST HAPROXY-FACING-IP; do
  curl -i "$target"
done
Check the certificates:
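# s_client reads stdin for data to send, so feed it /dev/null or it hangs after the
# handshake; look for "Verify return code: 0 (ok)" and the expected subject/issuer
openssl s_client -connect SOME-SERVED-FQDN:443 -servername SOME-SERVED-FQDN </dev/null
# the served name must validate without -k
curl -i https://SOME-SERVED-FQDN/
# the bare host and IP are not on the certificate, so name verification is expected
# to fail for them; -k only skips that check here — never use it for the real FQDN
curl -ki https://HAPROXY-FACING-HOST/
curl -ki https://HAPROXY-FACING-IP/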
TODO: curves — and the ssl-default-bind-curves directive? e.g. X25519:P-256, which differs from the OpenSSL naming.
https://www.haproxy.org/download/2.4/doc/configuration.txt
https://cbonte.github.io/haproxy-dconv/2.4/configuration.html
https://devdocs.io/haproxy~2.4/
https://www.haproxy.com/documentation/hapee/latest/onepage/
https://devdocs.io/haproxy~2.4/configuration
https://www.haproxy.com/documentation/
https://www.haproxy.com/documentation/haproxy-configuration-tutorials/
http://cbonte.github.io/haproxy-dconv/2.5/intro.html
https://cbonte.github.io/haproxy-dconv/2.4/intro.html
https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/
https://www.haproxy.org/download/2.4/doc/configuration.txt
https://cbonte.github.io/haproxy-dconv/2.4/configuration.html
https://github.com/klzgrad/naiveproxy/wiki/HAProxy-Setup
https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/
https://www.haproxy.com/documentation/hapee/latest/load-balancing/
https://www.haproxy.com/documentation/haproxy-configuration-tutorials/ssl-tls/
https://www.haproxy.com/blog/haproxy-ssl-termination/
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt-list
https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy
https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
https://serverfault.com/questions/561479/haproxy-multihost-with-ssl-acl/604923
https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy/
https://stackoverflow.com/questions/13227544/haproxy-redirecting-http-to-https-ssl
https://stackoverflow.com/questions/68122868/haproxy-url-redirect
https://www.haproxy.com/blog/introduction-to-haproxy-acls/
https://blog.entrostat.com/routing-multiple-domains-using-haproxy-http-and-https-ssl/ ==> separate binds (not that useful when you have ACLs)
https://serverfault.com/questions/768575/haproxy-acl-multiple-or-conditions
https://stackoverflow.com/questions/51279598/haproxy-nested-conditions-for-acl
https://datmt.com/backend/configure-sso-server-with-keycloak-haproxy-docker/ ==> nice one
https://stackoverflow.com/questions/39609178/validate-haproxy-cfg