I have two machines and a HAProxy machine doing SSL termination and accepting client certs successfully. How can I configure HAProxy to ensure that the messages coming into the API box are from HAProxy itself, and not from a third party?
These machines are in the same subnet.
HAProxy does not (as far as I can see in the stable 1.5 release) allow any way for me to perform a concatenate and hash - i.e. I cannot make a header that is
SHA1( CONCAT( Shared Secret+X-Unique-Request-ID))
I'd rather not upgrade to the 1.6 development build (even though it has Lua scripting support).
Is there another avenue to go down to ensure that requests are coming from HAProxy and not a third party?
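
The check the post describes, seen from the API box, as an added example that is not part of the original post: it recomputes SHA1(secret + X-Unique-Request-ID), compares in constant time, and rejects reused request IDs. The X-Proxy-Auth header name, the secret value and the ProxyTagVerifier class are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values for illustration only.
SHARED_SECRET = b"constructed-shared-secret"
ID_HEADER = "X-Unique-Request-ID"  # header name taken from the post
TAG_HEADER = "X-Proxy-Auth"        # hypothetical name for the hash header


def expected_tag(secret: bytes, request_id: str) -> str:
    """SHA1(CONCAT(secret, request_id)) as hex, the construction in the post.

    hmac.new(secret, msg, "sha256") is the standard keyed construction and is
    not subject to length extension; the plain hash is kept to match the post.
    """
    return hashlib.sha1(secret + request_id.encode("utf-8")).hexdigest()


class ProxyTagVerifier:
    """API-side check: the tag matches and the request ID was not seen before."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # unbounded here; a real service would expire entries

    def verify(self, headers: dict) -> bool:
        # HTTP header names are case-insensitive.
        h = {k.lower(): v for k, v in headers.items()}
        request_id = h.get(ID_HEADER.lower())
        tag = h.get(TAG_HEADER.lower())
        if not request_id or not tag:
            return False
        want = expected_tag(self._secret, request_id)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(want.encode(), tag.strip().lower().encode()):
            return False
        # A captured (ID, tag) pair stays valid forever unless IDs are single-use.
        if request_id in self._seen:
            return False
        self._seen.add(request_id)
        return True
```

The proxy would also have to overwrite any client-supplied copy of both headers, otherwise a request that bypasses it can carry a replayed pair.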