Setting up HAProxy

install

dh parameters

    ls -lF /etc/haproxy/dhparms.pem # no exist
    openssl dhparam -out /etc/haproxy/dhparms.pem 2048
    chmod 400 /etc/haproxy/dhparms.pem

global

zcat /usr/share/doc/haproxy/configuration.txt.gz | less
cp -pi /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.dist
vi /etc/haproxy/haproxy.cfg

as long as we use clear-text within the DMZ, we are removing the calls for known CAs — there’s no need for an SSL trust store unless you are a CDN

    # clear-text internally - no need for those
    #ca-base /etc/ssl/certs
    #crt-base /etc/ssl/private

–or– in case you call SSL-enabled backends

    # we do call https backends internally
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

here’s a better ssl setup

# PFS key-exchange only
ssl-default-bind-ciphers ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-dh-param-file /etc/haproxy/dhparms.pem

listen stats

# reachable through internal network only
listen stats
        bind *:8404
        stats enable
        stats uri /
        stats refresh 5s
        # assuming 8404/tcp is not allowed publicly
        #stats admin if 10.0.0.0/8

defaults

we want your backends to know the client ip address

    option forwardfor

also this sometimes helps

    option http-server-close

sample reverse-proxy setup (no balancing) – notice we want your backends to know that HTTPS got handled

frontend kc-http
        bind *:80 alpn h2,http/1.1
        http-response set-header Strict-Transport-Security "max-age=16000000;"
        acl host_kc hdr(host) -i keycloak.nethence.com
        redirect scheme https code 301 if host_kc

frontend kc-https
        bind *:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1
        http-response set-header Strict-Transport-Security "max-age=16000000;"
        acl host_kc hdr(host) -i keycloak.nethence.com
        use_backend kc-server if host_kc

backend kc-server
        #balance static-rr
    http-request set-header X-Forwarded-Proto https
        server keycloak 127.0.0.1:8081 check

as for ssl –either– generate a self-signed dummy cert –or– make sure genuine certs are in place as such

mkdir /etc/haproxy/certs/
cd /etc/haproxy/certs/
ls -lF keycloak.nethence.com.crt
ls -lF keycloak.nethence.com.crt.key

more options

# (frontend)
#bind *:443 ssl crt /etc/ssl/self.crt alpn h2,http/1.1
#bind *:443 ssl crt-list /etc/haproxy/certs.list alpn h2,http/1.1
#default_backend servers

usage

haproxy -f /etc/haproxy/haproxy.cfg -c -V

tail -F /var/log/haproxy.log

systemctl status haproxy
systemctl restart haproxy
journalctl -u haproxy.service --since today --no-pager

acceptance

attempt to reach the backends locally

curl -i TEST-SRV1
curl -i TEST-SRV2

attempt to reach the frontend remotely

nmap -p 80,443 HAPROXY-FACING-IP
nmap -p 80,443 HAPROXY-FACING-HOST

check redirects

curl -i SOME-SERVED-FQDN
curl -i HAPROXY-FACING-HOST
    curl -i HAPROXY-FACING-IP

check certificates

    openssl s_client -connect SOME-SERVED-FQDN:443 -servername SOME-SERVED-FQDN
curl -i https://SOME-SERVED-FQDN/
curl -ki https://HAPROXY-FACING-HOST/
curl -ki https://HAPROXY-FACING-IP/

troubleshooting

previous 'http-request' action is final and has no condition attached, further entries are NOOP.

==> keyword is “previous” here…

resources

https://www.haproxy.org/download/2.4/doc/configuration.txt

https://cbonte.github.io/haproxy-dconv/2.4/configuration.html

https://devdocs.io/haproxy~2.4/

https://www.haproxy.com/documentation/hapee/latest/onepage/

https://devdocs.io/haproxy~2.4/configuration

Setting up HAProxy

install

dh parameters

global

listen stats

defaults

usage

acceptance

troubleshooting

resources

setup

balance

certs & ssl

redirect

acls for vhosts

forwardfor

usage