I have two machines and a HAProxy machine doing SSL termination and accepting client certs successfully. How can I configure HAProxy to ensure that the messages coming into the API box are from HAProxy itself, and not from a third party?

  • These machines are in the same subnet.

  • HAProxy does not (as I can see in the stable 1.5 release) allow any way for me to perform a concatenate and hash - i.e. I can not make a header that is
    SHA1( CONCAT( Shared Secret+X-Unique-Request-ID))

  • I'd rather not upgrade to 1.6 development build (even though it has LUA scripting support)

Is there another avenue to go down to ensure that requests are coming from HAProxy and not a third party?

Xander
Paul42
2 Answers

The obvious solution is to encrypt the connection between the haproxy and the webserver. Doing this using SSL means you are adding some latency to the connection and some processing. IIRC, haproxy implements 1:1 connections between front end and backend; otoh ATS and some other proxies make more efficient use of a pool of connections to the backend. But assuming that switching to ATS is not an option... you might consider an authenticated VPN connection such as ipsec between haproxy and webserver, or simply block access to the port used by the webserver at the router (assuming that there's nothing considered hostile on the same subnet).

symcbean
My suggestion would be to use reqadd and a secret header name and value. You can put any header you want in there with any value and check for its match on the API server side. If that header is missing then the request won't be from HAProxy.

Nathan V
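The API-side half of the secret-header approach, as an added example that is not code from the question or either answer. It assumes an HAProxy 1.5 backend that first strips any client-supplied copy of the header and then injects its own (the header name, the placeholder secret value and the WSGI middleware are assumptions, not anything the page specifies); the check compares the value in constant time so a mismatch does not leak how many bytes matched.

```python
"""Added example: reject API requests that did not pass through HAProxy.

Assumed HAProxy 1.5 configuration (placeholder names and value):

    backend api
        # drop any copy of the header a client sent, then add ours
        reqidel ^X-Proxy-Secret:
        reqadd  X-Proxy-Secret:\\ CHANGE-ME-long-random-value
        server  api1 10.0.0.12:8080

The API box accepts a request only when the header carries the shared secret.
"""
import hmac
import os
import secrets

# Shared with HAProxy; in production read it from the environment / a secrets store.
PROXY_SECRET = os.environ.get("PROXY_SECRET", "CHANGE-ME-long-random-value")
HEADER_NAME = "X-Proxy-Secret"


def generate_secret(nbytes=32):
    """Produce a random value suitable for the reqadd line above."""
    return secrets.token_urlsafe(nbytes)


def from_haproxy(headers, secret=PROXY_SECRET):
    """True only if `headers` (a dict of name -> value) carries the expected secret.

    Header names are matched case-insensitively as HTTP requires; the value is
    compared with hmac.compare_digest so the comparison takes constant time.
    """
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():
            return hmac.compare_digest(value.encode(), secret.encode())
    return False  # header missing: request did not come through HAProxy


def wsgi_guard(app, secret=PROXY_SECRET):
    """WSGI middleware returning 403 for anything without the proxy secret."""
    # WSGI exposes request headers as HTTP_<NAME> with dashes turned into underscores.
    environ_key = "HTTP_" + HEADER_NAME.upper().replace("-", "_")

    def guarded(environ, start_response):
        value = environ.get(environ_key, "")
        if not hmac.compare_digest(value.encode(), secret.encode()):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to this service is not allowed\n"]
        return app(environ, start_response)

    return guarded


def _hello_app(environ, start_response):
    """Minimal application used to demonstrate the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the API\n"]


if __name__ == "__main__":
    app = wsgi_guard(_hello_app)
    # Constructed WSGI environ for a request that came through HAProxy.
    environ = {"REQUEST_METHOD": "GET", "HTTP_X_PROXY_SECRET": PROXY_SECRET}
    print(b"".join(app(environ, lambda status, hdrs: None)).decode())
```

The middleware is only meaningful if the API port is not reachable by anyone except HAProxy, or at least if the secret never travels in clear text between the two hosts; combining it with the firewall or IPsec suggestion from the first answer closes the gap where an attacker on the subnet could sniff the header value.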