advanced haproxy settings

listen stats

    # reachable through internal network only
    listen stats
        bind *:8404
        stats enable
        stats uri /
        stats refresh 5s
        # assuming 8404/tcp is not allowed publicly already
        # "stats admin" takes an ACL condition; a bare CIDR is not one
        stats admin if { src 10.0.0.0/8 }

ssl backend

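    # "verify none": traffic to the backend is encrypted, but the backend
    # certificate is not validated
    server ... ... check ssl verify none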

basic auth - the right way

    userlist some-descr-users
        # insecure-password keeps the password in clear text in the config file
        user USERNAME insecure-password CLEAR-TEXT-PASSWORD
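
A userlist does nothing until a frontend or backend checks it with `http_auth()`. The following is an added example, not part of the original notes, showing the userlist wired into a frontend. The frontend name, certificate path, server address, realm and hash are placeholders (assumptions).

```haproxy
# Added example: all names, paths, addresses and the hash are placeholders.
userlist some-descr-users
    # "password" expects a crypt(3) hash instead of clear text,
    # e.g. generated with: mkpasswd -m sha-512
    user USERNAME password SHA512-CRYPT-HASH-HERE

frontend fe_web
    mode http
    # Basic credentials are only base64-encoded, so terminate TLS here.
    bind *:443 ssl crt /path/to/site.pem
    # Answer 401 with a WWW-Authenticate challenge unless the request
    # carries valid credentials for a user in the userlist.
    http-request auth realm restricted unless { http_auth(some-descr-users) }
    # Authenticated requests only from here on: do not forward the
    # client's credentials to the backend.
    http-request del-header Authorization
    default_backend some-backend

backend some-backend
    mode http
    server app1 127.0.0.1:8081 check
```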

basic auth - the wrong way (filtering)

as an auth firewall

        # exact match
        acl basic_auth_user hdr(Authorization) -m str "Basic BASE64-HERE"
        use_backend some-backend if basic_auth_user

resources

ssl backend

https://serverfault.com/questions/738045/haproxy-to-terminate-ssl-also-send-ssl-to-backend-server

advanced

https://www.peternijssen.nl/high-availability-haproxy-keepalived-aws/

https://www.nginx.com/blog/high-availability-nginx-plus-aws-keepalived-elastic-ip-address/

allow ip on stats

https://tecadmin.net/how-to-configure-haproxy-stats/

https://www.haproxy.com/documentation/haproxy-configuration-tutorials/core-concepts/acls/

https://stackoverflow.com/questions/78124874/set-acl-in-haproxy-based-on-client-ip-using-map-ip

https://marcelog.github.io/articles/restrict_block_acl_ip_address_haproxy_tcp.html

https://statuslist.app/uptime-monitoring/haproxy/haproxy-stats-page-guide/


https://discourse.haproxy.org/t/haproxy-1-6-with-sni-and-different-ssl-settings-per-hostname/698/2 -> split-up paths


Licensed under MIT