Monday 25 July 2016

Securing HAProxy - SSL/TLS Termination with HAProxy on CentOS

The following is an example configuration file that performs SSL/TLS securely (this can be verified through tools such as Qualys's SSL Server Tester):

global
    daemon
    maxconn 4000
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m
    log 127.0.0.1 local2 notice
    user haproxy
    group haproxy
    daemon
    # Disable SSLv3 and Stateless Session Resumption (
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Explicitly define the available ciphers available for use with the server
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    # Ensure DH key size is 2048!
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    # Useful when long-lived sessions (e.g. mixed HTTP and WebSocket conneciton)
    timeout tunnel 1h
    # Amount of time before connection request is dropped
    timeout connect 5000ms
    # Amount of time before the connection is dropped while ewaiting for half-closed connection to finish
    timeout client-fin      50000ms
    # Amount of time before connection is dropped when waiting for client data response
    timeout client 50000ms
    # Amount of time before connection is dropped when waiting for server to reply.
    timeout server 50000ms
    # Amount of time before http-request should be completed
    timeout http-request 15s
    # Ensure the backend server connection is closed when request has completed - but leave client connection intact
    http-server-close
    # Enable HTTP logging
    option  httplog
    # Ensure we do not log null / empty requests
    option  dontlognull
    # Insert forward-for header into request to preserve origin ip
    option forwardfor
    # Error pages ln -s /usr/share/haproxy/ /etc/haproxy/errors
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend https-in
    bind *:80
    # SSL binding and certs
    bind *:443 ssl crt /etc/haproxy/ssl/bundle.crt
    # Redirect any HTTP traffic to HTTPS
    redirect scheme https if !{ ssl_fc }
    log global
    default_backend webserver_pool
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff

backend webserver_pool
    mode http
    log global
    balance source
    cookie SERVERID insert indirect nocache
    # Perform get request
    option httpchk GET /WebApp/GetStatus.php
    # Check whether response is 200 / OK
    http-check expect status 200
    server serverA 10.0.0.1:80 check cookie serverA inter 5000 downinter 500
    server serverB 10.0.1.1:80 check cookie serverB inter 5000 downinter 500
    server serverB 10.1.1.1:80 check cookie serverB inter 5000 downinter 500

0 comments:

Post a Comment