Using haproxy to armour a web server

2011-01-25 Thread Sean Rodden
Hi folks,

I have a web app (served by Tomcat) that was intended for intranet use. As
such I assume that the security is only basic and it is not suitable for
facing the public internet. When seeking a product to stand between my app
and the world, haproxy was recommended to me. I understand that this is not
the primary function of haproxy so if anyone can suggest a product more
suitable (open or commercial), then I'm all ears.

I have spoken briefly with Willy who has very kindly set me on the right
track for a couple of issues but I'm still not grokking haproxy yet. I have
the following set in my haproxy.cfg. haproxy is correctly proxying my
application but I am not challenged for a password at any point. Would
someone kindly point out where I have made errors?

Also, Willy suggested that I could use haproxy 1.5(dev) to harden the
connection, preventing brute force attacks and the like. I have reviewed the
configuration.txt file and most of the concepts are foreign to me. Has
anyone a sample config file for this purpose they would share?

Thanks,
Sean

userlist L1
    group G1 users sean
    user sean insecure-password abc123

backend sleds
    mode http
    # http_auth_group is the keyword that checks group membership;
    # http_auth only checks that the supplied credentials are valid
    acl auth_ok http_auth_group(L1) G1
    http-request auth unless auth_ok
    timeout connect 10s
    timeout server 30s
    balance roundrobin
    server sled1 127.0.0.1:10001 weight 1 maxconn 512

frontend http_proxy #arbitrary name for the frontend
    bind :80 #all interfaces at port 80
    mode http
    option forwardfor
    option http-server-close
    option http-pretend-keepalive
    default_backend sleds #by default forward the requests to sled
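A fuller configuration of the kind asked for above, added here as an example and not taken from the thread or from haproxy's own documentation: it keeps the userlist and backend from the post, uses the group-check keyword for the ACL, and adds the per-client-address limits that the stick-tables of the 1.5 development branch make possible, which is the brute-force protection Willy alluded to. It assumes a 1.5-dev build that provides connection and HTTP request counters in stick-tables; the chroot path, realm, thresholds, table size and log target are assumptions chosen for illustration.

```haproxy
# Added example: auth front end plus per-source rate limiting for a
# single Tomcat backend. Paths, realm and thresholds are assumptions.
global
    log 127.0.0.1 local0
    chroot /var/lib/haproxy          # assumed path: file-system jail after start
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    log global
    option httplog
    timeout connect 10s
    timeout client 30s
    timeout server 30s

userlist L1
    group G1 users sean
    user sean insecure-password abc123   # demo credential from the thread

frontend http_proxy
    bind :80
    option forwardfor                    # Tomcat then needs to trust X-Forwarded-For
    option http-server-close
    option http-pretend-keepalive

    # One entry per client address, dropped 10 minutes after its last activity.
    # conn_rate counts new connections, http_req_rate counts requests, both
    # over a sliding 10 second window.
    stick-table type ip size 100k expire 10m store conn_rate(10s),http_req_rate(10s)
    tcp-request connection track-sc1 src

    # Thresholds are illustrative; see the note below about shared addresses.
    acl too_many_conns src_conn_rate gt 20
    acl too_many_reqs  sc1_http_req_rate gt 50

    # Excess connections are refused before any HTTP parsing happens;
    # excess requests get a 403 before they reach the auth check or Tomcat.
    tcp-request connection reject if too_many_conns
    http-request deny if too_many_reqs

    default_backend sleds

backend sleds
    # http_auth_group checks that the user authenticated AND belongs to G1.
    acl auth_ok http_auth_group(L1) G1
    http-request auth realm "Classroom" unless auth_ok
    balance roundrobin
    server sled1 127.0.0.1:10001 weight 1 maxconn 512
```

Two things to weigh before copying thresholds like these: a classroom behind one NAT address presents as a single source IP, so a limit that is generous for one home user can lock out a whole class, and the 403 from `http-request deny` will show up in the logs with the `PR--` termination state, which is what to watch when tuning. `insecure-password` keeps the credential in clear text in the config file; haproxy's `password` keyword takes a crypt(3) hash instead and is the better choice once this leaves testing.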


Using haproxy to armour a web server - update 1

2011-01-25 Thread Sean Rodden
OK, I found that I needed to uncomment the chroot statement before it would
prompt for a password. That makes sense. That part is working now :-)

Still could use some advice on the attack prevention though!

Thanks,
Sean


Re: Using haproxy to armour a web server

2011-01-25 Thread Brett Delle Grazie
Hi,

On 25 January 2011 09:29, Sean Rodden s...@rodden.net wrote:
 Hi folks,

 I have a web app (served by Tomcat) that was intended for intranet use. As
 such I assume that the security is only basic and it is not suitable for
 facing the public internet. When seeking a product to stand between my app
 and the world, haproxy was recommended to me. I understand that this is not
 the primary function of haproxy so if anyone can suggest a product more
 suitable (open or commercial), then I'm all ears.

Personally if the application isn't designed with security in mind I
wouldn't put it on the Internet or consider paying a developer to review
the application for just this purpose. Depending upon how the application
was developed, reviewing it and updating its security can sometimes be
extremely quick and far less costly than expected.

Having said that:

Other options:
(a) Apache HTTPD preferably with mod_security
(b) NGINX (haven't used it but it has a reverse proxy mode)
(c) HAproxy
(d) Let Tomcat serve data directly.

Caveat 1:
If you're running an old version of Tomcat and/or Java you should
_definitely_ upgrade - newer versions of Tomcat and the Java JVM can all
run older applications with little / no change in configuration. Major
version leaps (e.g. Tomcat 5.x to 6.x) will require changes to Tomcat
configuration but not necessarily to the application's configuration.

Tomcat itself has several security options in the more recent versions
(e.g. 6.0.3x) which you should consider enabling (cross site scripting
protection). The Tomcat documentation and users mailing list will help here.

Caveat 2:
Ensure the application is configured to login using HTTPS only and _stay_
on HTTPS once logged in. It's far too easy to 'hijack' sessions when
applications login using HTTPS but then keep the session in HTTP. If you
can't do this, run the entire application from HTTPS only.

Recommendation:
My recommendation would be Apache HTTPD in reverse proxy mode with
mod_security installed and configured correctly. A properly hardened Apache
HTTPD server is very difficult to hack and when placed in a DMZ gets the
hacker hardly anywhere. mod_security compares requests against a series of
rules. There are a general set of rules provided with mod_security (and kept
up-to-date with known hacks, including DoS, script-kiddies etc) but you can
add your own local rules as well.

It all depends upon how 'valuable' the data the application has access to is.

Note:
This is not to say that HAproxy isn't capable of performing the task, merely
to say that in this instance I believe mod_security with Apache HTTPD might
be a better fit, as long as you have the technical knowledge to configure
mod_security properly. HAproxy is a _fantastic_ product and I use it to
cluster Tomcat for my clients.



 I have spoken briefly with Willy who has very kindly set me on the right
 track for a couple of issues but I'm still not grokking haproxy yet. I have
 the following set in my haproxy.cfg. haproxy is correctly proxying my
 application but I am not challenged for a password at any point. Would
 someone kindly point out where I have made errors?

 Also, Willy suggested that I could use haproxy 1.5(dev) to harden the
 connection, preventing brute force attacks and the like. I have reviewed the
 configuration.txt file and most of the concepts are foreign to me. Has
 anyone a sample config file for this purpose they would share?

 Thanks,
 Sean

 userlist L1
     group G1 users sean
     user sean insecure-password abc123

 backend sleds
     mode http
     acl auth_ok http_auth_group(L1) G1
     http-request auth unless auth_ok
     timeout connect 10s
     timeout server 30s
     balance roundrobin
     server sled1 127.0.0.1:10001 weight 1 maxconn 512

 frontend http_proxy #arbitrary name for the frontend
     bind :80 #all interfaces at port 80
     mode http
     option forwardfor
     option http-server-close
     option http-pretend-keepalive
     default_backend sleds #by default forward the requests to sled



Note that with the option forwardfor above you will probably need to
configure Tomcat's Remote IP valve, otherwise your application will think
that all requests are coming from the proxy server.

Hope this helps
-- 
Best Regards,

Brett Delle Grazie



RE: Using haproxy to armour a web server

2011-01-25 Thread Mike Hoffs


What is the reason that this internal application has to be moved to external?
Outside workers that have to reach the application?

With kind regards,

Mike Hoffs

Re: Using haproxy to armour a web server

2011-01-25 Thread Sean Rodden
The app is educational software that was designed for a classroom
environment where one Tomcat server provides content to anyone on the campus
intranet. We want to set up a virtual classroom because we have many
customers that have trouble installing the old stand-alone version that
comes on CD. A fully web-delivered product will/would be a wonderful thing
for us.

I have looked briefly at OpenVPN but that still requires a small app to be
installed on the user's PC. SSL plus a portal-like password auth front end
would be ideal. In fact a proxy module for Drupal would be even better since
I can use Drupal to deliver other things to my clients but I don't think
there's a reliable proxy module for Drupal.

On Tue, Jan 25, 2011 at 11:12 PM, Mike Hoffs m.ho...@mijn-sleutel.com wrote:

 What is the reason that this internal application has to be moved to
 external? Outside workers that have to reach the application?

 With kind regards,

 Mike Hoffs


Re: Using haproxy to armour a web server

2011-01-25 Thread Sean Rodden
On Tue, Jan 25, 2011 at 10:55 PM, Brett Delle Grazie brett.dellegra...@gmail.com wrote:


 Personally if the application isn't designed with security in mind I
 wouldn't put it on the Internet or consider paying a developer to review the
 application for just this purpose.  Depending upon how the application was
 developed, reviewing it and updating its security can sometimes be extremely
 quick and far less costly than expected.


Agreed but this isn't my app so rewriting isn't an option. I don't have the
source code :-) The supplier is doing their own hardening but that update is
not due until the end of the year. In the meantime, I can make a lot of
money if I can get this working securely and stably enough to tide me over
until the official product is released.

I'm actually planning on using something like stunnel to funnel the whole
thing through SSL without the app needing to know about it (I don't think
it's SSL aware). From what I've read so far, the SSL part is actually a
minor part of the project. Though I admit I may turn out to be mistaken :-)

Thank you for the recommendation to Apache. I like and trust Apache so I'll
definitely be giving that one a go. haproxy can then be left to handle the
load sharing (since I'll be needing a failover machine).

Thanks!
Sean


RE: Using haproxy to armour a web server

2011-01-25 Thread Mike Hoffs


I was also thinking about openVPN, we use it for some customers, it is awesome.
U can put all the students in one group with only access to that tomcat server.
And also it is not that expensive, don't buy a license for the number of
students, but for the number that u think will use it concurrently at a
given time.

Keep it in mind if u don't find a good solution.

With kind regards,

Mike Hoffs

Re: Using haproxy to armour a web server

2011-01-25 Thread Sean Rodden
Is the only way to run openVPN with the VPN client installed as a browser
plugin?

On Tue, Jan 25, 2011 at 11:34 PM, Mike Hoffs m.ho...@mijn-sleutel.com wrote:

 I was also thinking about openVPN, we use it for some customers, it is
 awesome. U can put all the students in one group with only access to that
 tomcat server. And also it is not that expensive, don't buy a license for
 the number of students, but for the number that u think will use it
 concurrently at a given time.

 Keep it in mind if u don't find a good solution.

 With kind regards,

 Mike Hoffs





RE: Using haproxy to armour a web server

2011-01-25 Thread Mike Hoffs


I don't know how the community edition works, but the licensed one is shipped
with a nice installer for Microsoft and Linux products. It is not a browser
plugin, but a little program u can start when u need it; it will connect to
your VPN server and set up the routing as you set it up.

With kind regards,

Mike Hoffs

RE: Using haproxy to armour a web server

2011-01-25 Thread Mike Hoffs


Haha, I think for most idiots next, next, next is understandable ;-)

What I mean with VMware is that u can make a VMware image, burn it on DVD with
VMware Player. I think with some scripting u can also make a nice installer for
it too.

Long time ago I did some senior admin work at a college, don't trust those
*(*$#% ever :-)

With kind regards,

Mike Hoffs

Re: Using haproxy to armour a web server

2011-01-25 Thread Sean Rodden
Oh I have trouble with that too! When I started in this job, my boss said
"Be aware that some of the learning difficulties the kids use this software
for, is congenital." which was a very polite way of saying that some of the
parents have the same problems!

I see what you mean with the VMware idea now. Not really applicable. For
many of these people, they're running Macs not Windows and it still means I
need to post a CD out. A fully web-delivered product is the holy grail. If I
can make Brett's suggestion of Apache work then I'm home and hosed. Once the
supplier gets their hardened solution working, I can just migrate the
students across. At least that part of the software works :-)

Sean

On Tue, Jan 25, 2011 at 11:42 PM, Mike Hoffs m.ho...@mijn-sleutel.com wrote:

 Haha, I think for most idiots next, next, next is understandable ;-)

 What I mean with VMware is that u can make a VMware image, burn it on DVD
 with VMware Player. I think with some scripting u can also make a nice
 installer for it too.

 Long time ago I did some senior admin work at a college, don't trust those
 *(*$#% ever :-)

 With kind regards,

 Mike Hoffs





Clear Sticky Session/Cookie

2011-01-25 Thread Anthony Saenz
I read the documentation and couldn't see anything on it but is there a 
way to dynamically (on-the-fly) clear a sticky session cookie? It's kind 
of for development environment switching and a sticky session set by 
time isn't exactly what we're looking for.


Thanks!




Custom field addition to Statistics Report webpage?

2011-01-25 Thread Joel Krauska
I'm not sure if people have asked for this, but I would love a custom
field/column in the Stats Report web page.

Specifically, I would like to be able to see my backend server
version. This is a custom text string which I could provide a
health-check-like URL to populate.

Then the HAProxy stats page could be a one-stop page to watch during
rolling upgrades of backends.

Probably for easy customization, an external call to third party
script would be ideal.

Has anyone considered this before?  Is there any way to hack existing
features to do this?

Cheers,

--Joel



blocking referers via list in external file

2011-01-25 Thread Robert Joseph
hello,

i run two sets of servers, each with an haproxy layer.  one set is:
HA-Proxy version 1.4.8 2010/06/16

the other is:
HA-Proxy version 1.4-dev3 2009/09/23

i am using an external file with a long list of referers that i want
to block.  in both server sets, it is invoked like so:
  acl invalid_referer hdr_sub(referer) -i -f /etc/haproxy/banned.haproxy.conf
  block if invalid_referer

on set 1 (1.4.8), this works fine, those referers get 403's, and i get
log lines like:
Jan 25 15:28:56 127.0.0.1 haproxy[30545]: 127.0.0.1:9921
[25/Jan/2011:15:28:56.240] yfrog_web yfrog_web/NOSRV 0/-1/-1/-1/0
403 188 - - PR-- 82/6/0/0/0 0/0 {yfrog.com|linkbucks.com|172.31.0.86}
HEAD / HTTP/1.0

it's blocked, i see the nice NOSRV and PR--

on the other server set (1.4-dev3), the config passes the syntax
check, but matching referers are not blocked:
Jan 25 15:31:00 127.0.0.1 haproxy[27166]: 172.31.0.86:52592
[25/Jan/2011:15:31:00.545] main local_nginx/127.0.0.1:14000
0/0/0/70/92 200 1251 - -  772/772/488/487/0 0/0 {linkbucks.com}
HEAD / HTTP/1.1

the configurations are very nearly identical, except that in set 1 i
invoke the ACL in a frontend section, and in set 2 i invoke it in a
listen section.  per
http://haproxy.1wt.eu/download/1.5/src/CHANGELOG, support for -f was
added in 1.4-dev1:
- [MEDIUM] config: support loading multiple configuration files


am i missing something?

thanks much,
-r


-- 


Robert Joseph
ImageShack Corp
Free Image Hosting
www.imageshack.us



Re: blocking referers via list in external file

2011-01-25 Thread Cyril Bonté
Hi Robert,

On Wednesday, 26 January 2011 00:39:53, Robert Joseph wrote:
 hello,
 
 i run two sets of servers, each with an haproxy layer.  one set is:
 HA-Proxy version 1.4.8 2010/06/16
 
 the other is:
 HA-Proxy version 1.4-dev3 2009/09/23

It looks funny to see such a version in use, but it can be dangerous as it was 
an early version of the 1.4 branch.

 i am using an external file with a long list of referers that i want
 to block.  in both server sets, it is invoked like so:
   acl invalid_referer hdr_sub(referer) -i -f
 /etc/haproxy/banned.haproxy.conf block if invalid_referer
 
 on set 1 (1.4.8), this works fine, those referers get 403's, and i get
 log lines like:
 Jan 25 15:28:56 127.0.0.1 haproxy[30545]: 127.0.0.1:9921
 [25/Jan/2011:15:28:56.240] yfrog_web yfrog_web/NOSRV 0/-1/-1/-1/0
 403 188 - - PR-- 82/6/0/0/0 0/0 {yfrog.com|linkbucks.com|172.31.0.86}
 HEAD / HTTP/1.0
 
 it's blocked, i see the nice NOSRV and PR--
 
 on the other server set (1.4-dev3), the config passes the syntax
 check, but matching referers are not blocked:

This feature only appeared in haproxy 1.4.5 (I guess that previous versions 
will try to find a -f referer, not sure about that).

From the changelog:
2010/05/13 : 1.4.5
- [MINOR] acl: support loading values from files

 the configurations are very nearly identical, except that in set 1 i
 invoke the ACL in a frontend section, and in set 2 i invoke it in a
 listen section.  per
 http://haproxy.1wt.eu/download/1.5/src/CHANGELOG, support for -f was
 added in 1.4-dev1:
 - [MEDIUM] config: support loading multiple configuration files

 am i missing something?

Oh ok, this is not the same -f at all. The one you quote is for the command
line options, to explode the haproxy configuration file into several ones.

-- 
Cyril Bonté



Re: Clear Sticky Session/Cookie

2011-01-25 Thread Willy Tarreau
On Tue, Jan 25, 2011 at 07:20:20PM -0800, Anthony Saenz wrote:
  I read the documentation and couldn't see anything on it but is there a way
 to dynamically (on-the-fly) clear a sticky session cookie? It's kind of for
 development environment switching and a sticky session set by time isn't
 exactly what we're looking for.

Could you describe in more detail how you'd like that to work for your
case instead?

Regards,
Willy




Re: Custom field addition to Statistics Report webpage?

2011-01-25 Thread Willy Tarreau
Hi Joel,

On Tue, Jan 25, 2011 at 01:29:11PM -0800, Joel Krauska wrote:
 I'm not sure if people have asked for this, but I would love a custom
 field/column in the Stats Report web page.
 
 Specifically, I would like to be able to see my backend server
 version. This is a custom text string which I could provide a
 health-check-like URL to populate.
 
 Then the HAProxy stats page could be a one-stop page to watch during
 rolling upgrades of backends.
 
 Probably for easy customization, an external call to third party
 script would be ideal.
 
 Has anyone considered this before?  Is there any way to hack existing
 features to do this?

You should take a look at stats show-desc. You can already use it to
report a section-specific string. You can then have your upgrade script
fill it from a config template. For instance:

backend foo
    stats show-desc @@foo.version@@

Then replace @@foo.version@@ with whatever you like.

Assuming you're in a secure enough environment to consider such things,
you should also take a look at stats show-legends which reports much
more information (e.g. mode, IPs, cookie names, etc.). This is different
from what you asked for but will surely help troubleshoot issues if you
already feel concerned with the config version.

Cheers,
Willy




Re: Using haproxy to armour a web server

2011-01-25 Thread Willy Tarreau
On Tue, Jan 25, 2011 at 11:55:57AM +, Brett Delle Grazie wrote:
 Recommendation:
 My recommendation would be Apache HTTPD in reverse proxy mode with 
 mod_security
 installed and configured correctly. A properly hardened Apache HTTPD
 server is very
 difficult to hack and when placed in a DMZ gets the hacker hardly
 anywhere.  mod_security
 compares requests against a series of rules. There are a general set
 of rules provided
 with mod_security (and kept up-to-date with known hacks, including
 DoS, script-kiddies etc) but
 you can add your own local rules as well.

100% agree with you Brett. When I suggested that Sean look at 1.5, it was
because he was asking how that could be used to protect against brute
force connection attempts. With the full description it appears clearly
that mod_security is required to keep the site safe enough, especially
if the code has never been updated nor audited! The servers should be
jailed as much as possible because I suspect Sean will regularly find
gremlins on them...

Regards,
Willy