TLS Passthrough with new port listening and RPC filtering

@prtlin wrote:

Hello community!

Running into a problem with configuration for one web app hosted on one of our public IPs. This app receives Http POST information over a port to receive information (8081), and issue commands over the established tls tunnels. (osquery reporting + TLS )

Our design logic is that we set up HA proxy to separate the reporting port vs http login port for admins(8080). Basically hide the admin port from public, and only allow traffic from public with the correct HTTP header to go to the report port, which redirects the traffic to the admin port.

So I am trying to set up this on a server to test with HAProxy. This is the code I have so far for configurations:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

listen fleet-canary
bind 0.0.0.0:8081
mode http
timeout connect 4000
timeout client 180000
timeout server 180000
server srv1 :8080

frontend localhost
bind *:8081
option tcplog
mode tcp
default_backend nodes

backend nodes
mode tcp
balance roundrobin
option ssl-hello-chk
server web01 :8080 check

Any help is appreciated. Thanks a bunch

Posts: 1

Participants: 1

Read full topic

TLS Passthrough with new port listening and RPC filtering

Trending Articles

Airline boss fails to find sureties

Who died from the T.V. Show pawn stars ?? #pawnstars

Killer Peter Stark granted pass to leave prison

Black Angus Grilled Artichokes

Kundi Mat Khadkao Raja Lyrics Translation | Gabbar is Back

Problemas al unir un nodo al cluster entre sitios? Problema Resuelto!!

[SG News]Lady Who Shot Sexy Photos Of Herself At HDB Flats Is Exposed As Natalie

1981-Depeche Mode - Speak & Spell multichannel WAV RE UP

Cecil Smith Has Taken His Life, After Being the Subject of Conspiracy...

[GET] James Smith – Starter Kit Bundle ($199.00)

Police helicopter searches for Crawley suspect who made off from...

How to delete a request from a database table in a debug mode

自動マウントを無効に設定したシステムにて Windows Server バックアップが失敗する場合の対応について

High police presence reported in Broadfield including helicopter

AOMEI Backupper is in progress, please wait

Mahanoy Area board sets new graduation date

Scunthorpe teen jailed for raping woman as she slept & taking...

Issues installing KB2533623 on Windows Server 2008 R2 SP1 64-Bit

Practice Sheet of Right form of verbs for HSC Students

Head Games, ChiTown Style: Operation Headache Crashed Larry Hoover’s Gangster...