Questions tagged [haproxy]

10 questions
4 votes, 2 answers

Do browsers and tools send `SNI` field by default connecting to https endpoints?

I am setting up HaProxy for https in passthrough (tcp) mode without SSL/TLS termination. I want to be able to route traffic to different backends based on hostname requested by a client. From HaProxy documentation I learned that there is unencrypted…
Kirill
3 votes, 1 answer

Correctly configuring load balancing for TLS session resumption

Consider the following network topology: There are exactly two HTTPS servers, S1 and S2. There are exactly two HTTPS clients, C1 and C2. Notice this, as there are often many more clients for two servers. But in this case, there are only two…
M.S. Dousti
2 votes, 2 answers

Should we enable TLS on backend connection after reverse proxy?

I have a reverse proxy (e.g. nginx, nghttpx, haproxy) that proxies connection to a service running on the same physical server. I think the most common way to configure this setup is to enable TLS only on the frontend and leave the backend…
leopoodle
2 votes, 0 answers

Mitigating reverse DNS lookup danger / exploitation

I have read several posts indicating that reverse DNS lookup cannot be trusted, as someone can spoof DNS -- so when a rule is made that allows traffic through DNS, it's possible to exploit. However, it's not so easy to spoof an IP, correct? At least,…
Muradin007
2 votes, 1 answer

Oracle (CVE-2016-2107) vulnerability on haproxy + Apache + (AWS vs private hosting)

We have a privately hosted production system and an AWS machine we use for testing. Both systems have the same structure: SSL termination with haproxy, passing to an Apache server hosting a rails website, plus a load of auxiliary services…
rwold
1 vote, 0 answers

Health check to test HAProxy -- request deny with 200. Good idea?

I have been working on a multi-provider redundant load balancing solution using HAProxy, AWS, and Cloudflare. I have a solution, and I believe it will be secure, but I am looking for further validation on why it would be a terrible idea. I have a…
Muradin007
0 votes, 1 answer

HAProxy Trust only specific client certs for mutual

I am using HAProxy to perform Mutual TLS termination for my API. HAProxy has Mutual TLS enabled with "verify required" and a cert-auth file to restrict access to the Apache service that proxies to my API. I only want to allow two specific clients…
0 votes, 2 answers

How does my HTTPS POST get blocked based on XML content?

There's a web application on a server which I have full access to which accepts POST requests on a REST endpoint. The request payload is expected to be an XML document. For request routing and load balancing the server makes use of HAProxy, which…
G_H
0 votes, 1 answer

Adding a self-signed client certificate to HAProxy for mutual-tls?

I added the client cert into ca.pem as in `bind 0.0.0.0:443 ssl crt /etc/ssl/private/asdf.hdavid.io.pem verify optional ca-file /etc/ssl/certs/ca.pem` and `http-request set-header X-SSL-Client-Verify %[ssl_c_verify]`. And then calling with `curl -v`…
0 votes, 0 answers

rkhunter reports numerous warnings on haproxy open ports

Recently I have installed RKhunter (v1.4.2) on a couple of load balancers (Haproxy 2.0.14) running on Debian 9 Stretch. While performing a full system check I'm getting a lot of warnings about tcp ports being used by Haproxy. They look like this: …