I have an application behind haproxy with two different clients:
client 1 uses TLS 1.2/1.3 to connect to backend /photo-app/
client 2 can only use TLS 1.0 to connect to backend /photo-app/scan/
In order to support both clients, the application is forced to allow TLSv1 connections. This shows up as a vulnerability from standard website scans (using tools such as testssl.sh or SSL Labs). I am stuck with client 2 for the time being and I cannot change the URL or protocols/ciphers they use to connect. This is a legacy integration I am working to retire.
My current haproxy frontend implementation does properly reject client 1 non-secure requests, but that only happens after SSL termination. The goal is to also show that /photo-app/ is not vulnerable to TLS 1.1 and below.
I found a post that solves a related problem here. Unfortunately, I am unable to distinguish the two clients based on SNI, since they are the same.
This is what I have so far, but I have been unable to make client 2 requests work when trying to route on TLS version.
global
log /dev/log local0 debug
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options no-sslv3 no-tls-tickets
# https://datatracker.ietf.org/doc/html/rfc7919
ssl-dh-param-file /usr/local/etc/haproxy/ffdhe2048.dhe
defaults
log global
mode http
balance roundrobin
option dontlognull
timeout http-keep-alive 5s
timeout http-request 10s
timeout client 10s
timeout connect 5s
timeout server 10m
timeout check 5s
default-server inter 30s
default-server rise 2
default-server fall 2
compression algo gzip
compression type text/html text/css text/javascript application/javascript
frontend http
bind *:80
http-request redirect scheme https if !{ ssl_fc }
frontend https
bind *:443
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend recirc_client2 if { WHAT-GOES-HERE? }
default_backend recirc_default
backend recirc_client2
mode tcp
server loopback-for-tls abns@haproxy-client2 send-proxy-v2
backend recirc_default
mode tcp
server loopback-for-tls abns@haproxy-default send-proxy-v2
frontend client2
option httpslog
option forwardfor
bind abns@haproxy-client2 accept-proxy ssl crt /usr/local/etc/haproxy/photo-app.net.pem ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA
acl url-photoapp-scan path_beg /photo-app/scan
http-request deny if !url-photoapp-scan
http-request add-header X-Forwarded-Proto https
default_backend photoapp
frontend default
option httpslog
option forwardfor
bind abns@haproxy-default accept-proxy ssl crt /usr/local/etc/haproxy/photo-app.net.pem ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
acl is-supported-tls ssl_fc_protocol TLSv1.2 TLSv1.3
acl url-photoapp-scan path_beg /photo-app/scan
acl url-photoapp path_beg /photo-app
http-request deny if !is-supported-tls !url-photoapp-scan
http-request add-header X-Forwarded-Proto https
http-response set-header Strict-Transport-Security "max-age=63072000"
default_backend photoapp
backend photoapp
option httpchk GET /photo-app/health-check/
server 1 10.72.100.1:8100 check cookie 1
server 2 10.72.100.2:8100 check cookie 2
cookie JSESSIONID prefix nocache
2 posts - 1 participant