I have been working on a multi-provider redundant load balancing solution using HAProxy, AWS, and Cloudflare. I have a solution, and I believe it will be secure, but I am looking for further validation on why it would be a terrible idea.
I have a load balancer set up on Cloudflare. This does a health check on an ELB in AWS. The ELB is public facing, and checks an instance on EC2 that has HAProxy installed. The EC2 instance and the ELB are in their own private VPC with their own private security group.
I want to test if the ELB is available from Cloudflare. I also want to log the health checks. It is interesting and valuable to me to see what IPs the accesses come from.
I am aware that HAProxy offers a monitor-uri solution, and this works, but it does not log requests. The docs say this is intentional, maybe because they do not want to flood logs with these checks.
I have tried to rewrite 503 requests using no backend, with an errorfile that has 200 OK in it. It always returns 503, which is understandable.
My solution
My approach makes use of the http-request deny function. If I send an http-request deny with deny_status 200, it will return 200. If HAProxy is down, it would not even get that far. So, the fact that it gets that far is success.
To prevent false positives, misleading results, or dangerous activity, I would specify to deny (deny status 401, or similar) any source that is not the ELB, using the AWS ELB DNS URL. The security group would specify a custom port and allow only Cloudflare IPs through. This protects against unknown status checkers; these wouldn't get past, or even into, the ELB. This way the only way to get a 200 back from the status check is directly from the ELB on a specified port.
I have found that this way logs the health checks and gives accurate results to the Cloudflare load balancer. I am thinking that this is a secure setup, but is there a reason this wouldn't be? Am I missing a security issue here?
Possibly unrelated: those are a lot of IPs to whitelist from Cloudflare; it makes me uneasy whitelisting so many IPs. As far as I know the IPs shouldn't change, they should belong to Cloudflare, and I should be able to trust them as it is their service. Am I worrying too much?
Please do not respond with alternate solutions; I am only concerned with the security and quality of this setup.
Cloudflare IPs: Cloudflare IP docs
HAProxy deny: HAProxy http-request docs
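The setup described in the question, written out as an HAProxy frontend so the pieces can be seen together. This is an added example, not configuration from the question or from HAProxy's documentation. It assumes a dedicated listening port (8443), that the ELB's health checks reach the instance from the ELB nodes' private addresses inside the VPC CIDR (10.0.0.0/16 here is a placeholder), and that the health-check path is /health; all three are assumptions, not values from the question.

```haproxy
global
    # Send request logs to the local syslog socket so each health check is recorded
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 10s
    timeout server 10s

# Frontend used only for the ELB health check; no backend is attached,
# every request is answered by an http-request deny rule.
frontend elb_healthcheck
    # Assumption: custom port that the security group opens only to the ELB / Cloudflare
    bind *:8443

    # Assumption: ELB health checks originate from the ELB nodes' private addresses
    # inside the VPC; replace the placeholder CIDR with the real VPC range.
    acl from_elb src 10.0.0.0/16
    acl is_health path /health

    # Reject anything that did not come from the ELB before the 200 rule can match.
    # 403 is used here because HAProxy 1.8 only honours a fixed set of deny_status
    # codes (200, 400, 403, 405, 408, 425, 429, 500, 502, 503, 504) and silently
    # substitutes 403 for others; from 2.2 onwards any status code is accepted.
    http-request deny deny_status 403 if !from_elb

    # Health check from the ELB: answer 200 without any backend, and, unlike
    # monitor-uri, the request is still written to the log.
    http-request deny deny_status 200 if is_health

    # Anything else from the ELB on this port is not a health check.
    http-request deny deny_status 403
```

Two points worth checking after applying it: confirm with `haproxy -c -f /etc/haproxy/haproxy.cfg` that the running version accepts the deny_status codes used, and confirm that the logged source address for the health checks is a VPC-internal address rather than a public one, since that is what the `from_elb` ACL relies on. If the ELB's health checks arrive from addresses outside the assumed CIDR, the 403 rule will match first and the ELB will mark the instance unhealthy, which is visible immediately in the log lines this configuration produces.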