Setting up HAProxy

Install

grab the latest available LTS release for your distribution

ls -lF /usr/share/keyrings/haproxy.debian.net.gpg # no exist
ls -lF /etc/apt/sources.list.d/haproxy.list # no exist

which gpg
which gpg1

#apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 95A42FE8353525F9
curl -s https://haproxy.debian.net/bernat.debian.org.gpg | gpg --dearmor > /usr/share/keyrings/haproxy.debian.net.gpg

echo "deb [signed-by=/usr/share/keyrings/haproxy.debian.net.gpg]" \
    http://haproxy.debian.net buster-backports-2.4 main \
    > /etc/apt/sources.list.d/haproxy.list

apt update
apt install haproxy=2.4.\* vim-haproxy

grep ^haproxy /etc/group
grep ^haproxy /etc/passwd

DH parameters

ls -lF /etc/ssl/dhparms.pem # no exist
openssl dhparam -out /etc/ssl/dhparms.pem 2048
chmod 444 /etc/ssl/dhparms.pem

and eventually generate a self-signed dummy cert.

Setup

we are removing the calls for known CAs, there’s no need for an SSL trust store unless you are a CDN

zcat /usr/share/doc/haproxy/configuration.txt.gz | less
cp -pi /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.dist
vi /etc/haproxy/haproxy.cfg

global
    ...
    # PFS key-exchange only
    ssl-default-bind-ciphers ECDHE:DHE:kGOST:!aNULL:!eNULL:!RC4:!MD5:!3DES
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-dh-param-file /etc/haproxy/dhparms.pem

defaults
    ...

frontend http
    bind *:80 alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    redirect scheme https code 301

frontend https
    bind *:443 ssl crt /etc/ssl/self.crt alpn h2,http/1.1
    #bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    #bind *:443 ssl crt-list /etc/haproxy/YOUR-FILE.list alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=16000000;"
    default_backend servers

backend servers
        balance leastconn
    server TEST-SRV1 TEST-SRV1:80 check
    server TEST-SRV2 TEST-SRV2:80 check

Usage

haproxy -c -f /etc/haproxy/haproxy.cfg
# -V

tail -F /var/log/haproxy.log

systemctl status haproxy
systemctl restart haproxy
journalctl -u haproxy.service --since today --no-pager

Acceptance

attempt to reach the backends locally

curl -i TEST-SRV1
curl -i TEST-SRV2

attempt to reach the frontend remotely

nmap -p 80,443 HAPROXY-FACING-IP
nmap -p 80,443 HAPROXY-FACING-HOST

check redirects

curl -i SOME-SERVED-FQDN
curl -i HAPROXY-FACING-HOST
    curl -i HAPROXY-FACING-IP

check certificates

    openssl s_client -connect SOME-SERVED-FQDN:443 -servername SOME-SERVED-FQDN
curl -i https://SOME-SERVED-FQDN/
curl -ki https://HAPROXY-FACING-HOST/
curl -ki https://HAPROXY-FACING-IP/

TODO

• what is the difference between the curve and ssl-default-bind-curves directive?
• what choices are there e.g. X25519:P-256 which differs from the openssl naming

Additional notes

in case you want your backends to know that HTTPS got handled

http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

Resources

Configuration Manual https://www.haproxy.org/download/2.4/doc/configuration.txt

Configuration Manual https://cbonte.github.io/haproxy-dconv/2.4/configuration.html

Starter Guide https://devdocs.io/haproxy~2.4/

HAPEE-LB Configuration Manual https://www.haproxy.com/documentation/hapee/latest/onepage/

Configuration Manual https://devdocs.io/haproxy~2.4/configuration

install

Debian/Ubuntu HAProxy packages https://haproxy.debian.net/

setup

Starter Guide http://cbonte.github.io/haproxy-dconv/2.5/intro.html

Starter Guide https://cbonte.github.io/haproxy-dconv/2.4/intro.html

The Four Essential Sections of an HAProxy Configuration https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/

Configuration Manual https://www.haproxy.org/download/2.4/doc/configuration.txt

Configuration Manual https://cbonte.github.io/haproxy-dconv/2.4/configuration.html

HAProxy Setup https://github.com/klzgrad/naiveproxy/wiki/HAProxy-Setup

setup – logs

What is the meaning of these HAProxy configuration lines? https://serverfault.com/questions/937035/what-is-the-meaning-of-these-haproxy-configuration-lines

Introduction to HAProxy Logging https://www.haproxy.com/blog/introduction-to-haproxy-logging/

balance

HAProxy Configuration Basics: Load Balance Your Servers https://www.haproxy.com/blog/haproxy-configuration-basics-load-balance-your-servers/

Load Balancing https://www.haproxy.com/documentation/hapee/latest/load-balancing/

An Introduction to HAProxy and Load Balancing Concepts https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts

health check

Health Checking https://www.haproxy.com/documentation/hapee/latest/load-balancing/health-checking/ ==> simply check

Announcing HAProxy 2.2 https://www.haproxy.com/blog/announcing-haproxy-2-2/ ==> Health Check Overhaul

HAProxy load balancer. Part 2: Backend section and the algorithms https://d2c.io/post/haproxy-load-balancer-part-2-backend-section-algorithms

HA Proxy - roundrobin vs leastconn https://serverfault.com/questions/457506/ha-proxy-roundrobin-vs-leastconn

certs

Using SSL Certificates with HAProxy https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

HAProxy SSL Termination https://www.haproxy.com/blog/haproxy-ssl-termination/

crt http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt

crt-list https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt-list

Configure multiple SSL certificates in Haproxy https://serverfault.com/questions/560978/configure-multiple-ssl-certificates-in-haproxy

HAProxy to terminate SSL also send SSL to backend server https://serverfault.com/questions/738045/haproxy-to-terminate-ssl-also-send-ssl-to-backend-server ==> ssl backend

redirect

Redirect HTTP to HTTPS with HAProxy https://www.haproxy.com/blog/redirect-http-to-https-with-haproxy/

HAProxy redirecting http to https (ssl) https://stackoverflow.com/questions/13227544/haproxy-redirecting-http-to-https-ssl

HAProxy and HTTP Strict Transport Security (HSTS) https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/

acls for vhosts

Introduction to HAProxy ACLs https://www.haproxy.com/blog/introduction-to-haproxy-acls/

Routing Multiple Domains using HAProxy (HTTP and HTTPS) https://blog.entrostat.com/routing-multiple-domains-using-haproxy-http-and-https-ssl/ ==> separate binds (not that useful when you have ACLs)

advanced

High Availability with HAProxy and Keepalived in AWS https://www.peternijssen.nl/high-availability-haproxy-keepalived-aws/

High Availability for NGINX Plus on AWS with keepalived and Elastic IP Address https://www.nginx.com/blog/high-availability-nginx-plus-aws-keepalived-elastic-ip-address/

Dynamic SSL Certificate Storage in HAProxy https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/

dhparms

HAproxy SSL/TLS Warning: Setting tune.ssl.default-dh-param to 1024 by default https://www.digitalocean.com/community/tutorials/haproxy-ssl-tls-warning-setting-tune-ssl-default-dh-param-to-1024-by-default

Common HAProxy Errors https://www.digitalocean.com/community/tutorial_series/common-haproxy-errors

How To Troubleshoot Common HAProxy Errors https://www.digitalocean.com/community/tutorials/how-to-troubleshoot-common-haproxy-errors

Haproxy 2.x openssl/libressl issues with curves bind option (Opnsense) #366 https://github.com/haproxy/haproxy/issues/366

usage

Validate haproxy.cfg https://stackoverflow.com/questions/39609178/validate-haproxy-cfg

from source

Haproxy TLS configuration https://serverfault.com/questions/941762/haproxy-tls-configuration/941812