Setting up HAProxy

Install

see haproxy-install

Setup

we are removing the default lines that refer to known CAs; there is no need for an SSL trust store unless you are a CDN

zcat /usr/share/doc/haproxy/configuration.txt.gz | less
cp -pi /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.dist
vi /etc/haproxy/haproxy.cfg
global
    #log /dev/log local0
    log 127.0.0.1 local0
    ...

    # PFS key-exchange only
    ssl-default-bind-ciphers ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-dh-param-file /etc/haproxy/dhparms.pem

defaults
    ...

# reachable through internal network only
listen stats
    bind *:8404
    stats enable
    stats uri /
    stats refresh 5s
    # assuming 8404/tcp is not allowed publicly
    # (stats admin needs an ACL, e.g. an anonymous one on the source address)
    #stats admin if { src 10.0.0.0/8 }

frontend http
    bind *:80 alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    redirect scheme https code 301

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    acl host_lbs1 hdr(host) -i FQDN-HERE
    use_backend servers if host_lbs1

backend servers
    balance leastconn
    server TEST-SRV1 TEST-SRV1:80 check
    server TEST-SRV2 TEST-SRV2:80 check

more options

# (frontend)
#bind *:443 ssl crt /etc/ssl/self.crt alpn h2,http/1.1
#bind *:443 ssl crt-list /etc/haproxy/infra-realm.list alpn h2,http/1.1
#default_backend servers

Usage

haproxy -c -f /etc/haproxy/haproxy.cfg
# -V

tail -F /var/log/haproxy.log

systemctl status haproxy
systemctl restart haproxy
journalctl -u haproxy.service --since today --no-pager

Acceptance

attempt to reach the backends locally

curl -i TEST-SRV1
curl -i TEST-SRV2

attempt to reach the frontend remotely

nmap -p 80,443 HAPROXY-FACING-IP
nmap -p 80,443 HAPROXY-FACING-HOST

check redirects

curl -i SOME-SERVED-FQDN
curl -i HAPROXY-FACING-HOST
curl -i HAPROXY-FACING-IP

check certificates

openssl s_client -connect SOME-SERVED-FQDN:443 -servername SOME-SERVED-FQDN
curl -i https://SOME-SERVED-FQDN/
curl -ki https://HAPROXY-FACING-HOST/
curl -ki https://HAPROXY-FACING-IP/
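The manual checks above can be scripted so the three properties this setup is meant to guarantee (HTTP 301 to https:// with HSTS, TLS 1.2 or better with the certificate matching the SNI name, TLS 1.1 refused by ssl-min-ver) are verified in one go. This is an added example, not part of the original page; it assumes curl and openssl are installed, and HAPROXY-FACING-HOST / SOME-SERVED-FQDN are placeholders as in the commands above.

```shell
#!/usr/bin/env bash
# Acceptance checks for the HAProxy layout described above (added example).

# Read `curl -sI` header output on stdin: expect a 301 to https:// and an HSTS header.
check_http_redirect() {
    local headers status location hsts
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2}')
    hsts=$(printf '%s\n' "$headers" | grep -ic '^strict-transport-security:' || true)
    [ "$status" = "301" ] || { echo "expected 301, got '$status'"; return 1; }
    case "$location" in
        https://*) ;;
        *) echo "redirect does not point to https: '$location'"; return 1 ;;
    esac
    [ "$hsts" -ge 1 ] || { echo "missing Strict-Transport-Security header"; return 1; }
    return 0
}

# Read `openssl s_client` output on stdin: expect TLS 1.2/1.3 and a leaf certificate
# whose CN is the requested server name (i.e. the right crt was picked from the bundle dir).
check_tls_handshake() {
    local expected_cn=$1 out proto
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "weak or missing protocol: '$proto'"; return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q "subject=.*CN *= *$expected_cn" \
        || { echo "certificate CN does not match $expected_cn"; return 1; }
    return 0
}

# Live run against the load balancer: run_acceptance HAPROXY-FACING-HOST SOME-SERVED-FQDN
run_acceptance() {
    local host=$1 fqdn=$2
    curl -sI "http://$fqdn/" | check_http_redirect || return 1
    openssl s_client -connect "$host:443" -servername "$fqdn" </dev/null 2>/dev/null \
        | check_tls_handshake "$fqdn" || return 1
    # ssl-min-ver TLSv1.2 must make the handshake fail (a non-zero exit is the expected outcome)
    if openssl s_client -connect "$host:443" -servername "$fqdn" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "TLS 1.1 was accepted"; return 1
    fi
    echo "acceptance OK for $fqdn via $host"
}
```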

TODO

Additional notes

in case you want your backends to know that HTTPS got handled

http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

Resources

https://www.haproxy.org/download/2.4/doc/configuration.txt

https://cbonte.github.io/haproxy-dconv/2.4/configuration.html

https://devdocs.io/haproxy~2.4/

https://www.haproxy.com/documentation/hapee/latest/onepage/

https://devdocs.io/haproxy~2.4/configuration

setup

https://www.haproxy.com/documentation/

https://www.haproxy.com/documentation/haproxy-configuration-tutorials/

http://cbonte.github.io/haproxy-dconv/2.5/intro.html

https://cbonte.github.io/haproxy-dconv/2.4/intro.html

https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/

https://www.haproxy.org/download/2.4/doc/configuration.txt

https://cbonte.github.io/haproxy-dconv/2.4/configuration.html

https://github.com/klzgrad/naiveproxy/wiki/HAProxy-Setup

balance

https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/

https://www.haproxy.com/documentation/hapee/latest/load-balancing/

https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts

certs

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

https://www.haproxy.com/blog/haproxy-ssl-termination/

http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt-list

https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy

https://serverfault.com/questions/738045/haproxy-to-terminate-ssl-also-send-ssl-to-backend-server ==> ssl backend

https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/

https://serverfault.com/questions/561479/haproxy-multihost-with-ssl-acl/604923

redirect

https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy/

https://stackoverflow.com/questions/13227544/haproxy-redirecting-http-to-https-ssl

https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/

https://stackoverflow.com/questions/68122868/haproxy-url-redirect

acls for vhosts

https://www.haproxy.com/blog/introduction-to-haproxy-acls/

https://blog.entrostat.com/routing-multiple-domains-using-haproxy-http-and-https-ssl/ ==> separate binds (not that useful when you have ACLs)

usage

https://stackoverflow.com/questions/39609178/validate-haproxy-cfg

advanced

https://www.peternijssen.nl/high-availability-haproxy-keepalived-aws/

https://www.nginx.com/blog/high-availability-nginx-plus-aws-keepalived-elastic-ip-address/

https://discourse.haproxy.org/t/haproxy-1-6-with-sni-and-different-ssl-settings-per-hostname/698/2 ==> split-up paths

Copyright © 2024 Pierre-Philipp Braun