@prtlin wrote:
Hello community!
Running into a problem with configuration for one web app hosted on one of our public IPs. This app receives HTTP POST information over a port (8081) and issues commands over the established TLS tunnels (osquery reporting + TLS).
Our design logic is that we set up HAProxy to separate the reporting port from the HTTP login port for admins (8080). Basically, hide the admin port from the public, and only allow traffic from the public with the correct HTTP header to go to the report port, which redirects the traffic to the admin port.
So I am trying to set this up on a server to test with HAProxy. This is the code I have so far for the configuration:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode tcp
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# HTTP-mode proxy: public port 8081 -> admin port 8080
listen fleet-canary
    bind 0.0.0.0:8081
    mode http
    timeout connect 4000
    timeout client 180000
    timeout server 180000
    server srv1 :8080

# Second listener, also on port 8081, in TCP (pass-through) mode
frontend localhost
    bind *:8081
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 :8080 check

Any help is appreciated. Thanks a bunch
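The following is an added example of how the header-gated design described in the post can be expressed in HAProxy; it is not the poster's configuration and not part of the original post. Two points it makes explicit: a request header can only be inspected when the proxy runs in `mode http`, which means HAProxy has to terminate TLS on 8081 itself (in `mode tcp` the TLS stream is opaque and no ACL on headers is possible), and only one proxy should bind port 8081 rather than the two in the posted config. Everything below the header check is an assumption: the app is assumed to listen on 127.0.0.1:8080 for both admin and osquery traffic, the certificate path, the CA file, the header name `X-Canary-Token`, its placeholder value, and the `/api/v1/osquery` path prefix used for the reporting endpoints are all placeholders to be replaced with the real values.

```haproxy
# Added example, not the original poster's configuration.
# Assumptions (placeholders): app on 127.0.0.1:8080, cert at
# /etc/haproxy/certs/public.pem, backend CA at /etc/haproxy/certs/app-ca.pem,
# header X-Canary-Token, osquery endpoints under /api/v1/osquery.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client 180s
    timeout server 180s

# Single listener on the public port. TLS is terminated here so that the
# HTTP headers of each request can be evaluated by the ACLs below.
frontend public_8081
    bind *:8081 ssl crt /etc/haproxy/certs/public.pem

    # osquery agents report to these paths (placeholder prefix); they never
    # carry the admin header, so they are allowed through on path alone.
    acl is_osquery path_beg /api/v1/osquery

    # Admin access requires an exact match on the expected header value.
    # -m str is a case-sensitive string comparison; PLACEHOLDER_TOKEN_VALUE
    # must be replaced and kept out of version control.
    acl has_token req.hdr(X-Canary-Token) -m str PLACEHOLDER_TOKEN_VALUE

    # Default-deny: anything that is neither osquery reporting nor a request
    # with the correct header gets a 403 and is logged by httplog.
    http-request deny deny_status 403 if !is_osquery !has_token

    # Do not leak the gate header to the application.
    http-request del-header X-Canary-Token

    default_backend app_8080

# The app itself speaks TLS on 8080 (osquery TLS), so re-encrypt to it and
# verify its certificate instead of using ssl-hello-chk in TCP mode.
backend app_8080
    server app01 127.0.0.1:8080 ssl verify required ca-file /etc/haproxy/certs/app-ca.pem check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Note that a static header value is a shared secret sent on every admin request, so it hides the admin login from casual scanning but does not replace the application's own authentication; rotating it and restricting admin source addresses with an additional `src` ACL are cheap improvements on the same pattern.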