Using haproxy to armour a web server
Hi folks,

I have a web app (served by Tomcat) that was intended for intranet use. As such I assume that the security is only basic and it is not suitable for facing the public internet. When seeking a product to stand between my app and the world, haproxy was recommended to me. I understand that this is not the primary function of haproxy so if anyone can suggest a product more suitable (open or commercial), then I'm all ears.

I have spoken briefly with Willy who has very kindly set me on the right track for a couple of issues but I'm still not grokking haproxy yet. I have the following set in my haproxy.cfg. haproxy is correctly proxying my application but I am not challenged for a password at any point. Would someone kindly point out where I have made errors?

Also, Willy suggested that I could use haproxy 1.5(dev) to harden the connection, preventing brute force attacks and the like. I have reviewed the configuration.txt file and most of the concepts are foreign to me. Has anyone a sample config file for this purpose they would share?

Thanks,
Sean

    userlist L1
        group G1 users sean
        user sean insecure-password abc123

    backend sleds
        mode http
        acl auth_ok http_auth(L1) G1
        http-request auth unless auth_ok
        timeout connect 10s
        timeout server 30s
        balance roundrobin
        server sled1 127.0.0.1:10001 weight 1 maxconn 512

    frontend http_proxy               #arbitrary name for the frontend
        bind :80                      #all interfaces at port 80
        mode http
        option forwardfor
        option http-server-close
        option http-pretend-keepalive
        default_backend sleds         #by default forward the requests to sled
Using haproxy to armour a web server - update 1
OK, I found that I needed to uncomment the chroot statement before it would prompt for a password. That makes sense. That part is working now :-)

Still could use some advice on the attack prevention though!

Thanks,
Sean
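A sample config of the kind Sean is asking for, added here as an illustration; it is not from the thread, from Willy, or from the haproxy documentation. It assumes released haproxy 1.5 syntax (stick-table, http-request track-sc0 and deny), reuses Sean's userlist, frontend and backend names, and uses /var/lib/haproxy and /var/run/haproxy.sock as placeholder paths.

```haproxy
global
    # Sean's update: the chroot line had to be uncommented before auth worked.
    # Path is an assumption; the directory must exist and be empty.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Admin socket so the tracking table below can be inspected.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 10s
    timeout client  30s
    timeout server  30s

userlist L1
    group G1 users sean
    # insecure-password keeps the secret in clear text in the config;
    # "user sean password <crypt(3) hash>" is the safer form.
    user sean insecure-password abc123

frontend http_proxy
    bind :80
    option forwardfor
    option http-server-close

    # One entry per client IP holding the rate of 4xx responses over the
    # last minute. haproxy counts the 401 it emits for "http-request auth"
    # (and the 403 from "deny") as an HTTP error, so repeated bad passwords
    # from one address push this counter up while normal browsing does not.
    stick-table type ip size 100k expire 10m store http_err_rate(1m)
    http-request track-sc0 src

    # More than 10 errors in a minute: answer 403 before looking at any
    # credentials. The 403s keep counting, so the block lasts as long as the
    # client keeps hammering, plus roughly a minute of quiet.
    http-request deny if { sc0_http_err_rate gt 10 }

    # Basic auth against the userlist; challenge anyone not yet authenticated.
    acl auth_ok http_auth(L1)
    http-request auth realm sleds unless auth_ok

    default_backend sleds

backend sleds
    balance roundrobin
    server sled1 127.0.0.1:10001 weight 1 maxconn 512
```

While it runs, `echo "show table http_proxy" | socat stdio /var/run/haproxy.sock` lists the addresses currently accumulating errors, which is the first thing to look at when a login is being guessed.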
Re: Using haproxy to armour a web server
Hi,

On 25 January 2011 09:29, Sean Rodden s...@rodden.net wrote:
> Hi folks, I have a web app (served by Tomcat) that was intended for intranet use. As such I assume that the security is only basic and it is not suitable for facing the public internet. When seeking a product to stand between my app and the world, haproxy was recommended to me. I understand that this is not the primary function of haproxy so if anyone can suggest a product more suitable (open or commercial), then I'm all ears.

Personally if the application isn't designed with security in mind I wouldn't put it on the Internet or consider paying a developer to review the application for just this purpose. Depending upon how the application was developed, reviewing it and updating its security can sometimes be extremely quick and far less costly than expected.

Having said that, other options:
(a) Apache HTTPD preferably with mod_security
(b) NGINX (haven't used it but it has a reverse proxy mode)
(c) HAproxy
(d) Let Tomcat serve data directly.

Caveat 1: If you're running an old version of Tomcat and/or Java you should _definitely_ upgrade - newer versions of Tomcat and the Java JVM can all run older applications with little / no change in configuration. Major version leaps (e.g. Tomcat 5.x to 6.x) will require changes to Tomcat configuration but not necessarily to the application's configuration. Tomcat itself has several security options in the more recent versions (e.g. 6.0.3x) which you should consider enabling (cross site scripting protection). The Tomcat documentation and users mailing list will help here.

Caveat 2: Ensure the application is configured to login using HTTPS only and _stay_ on HTTPS once logged in. It's far too easy to 'hijack' sessions when applications login using HTTPS but then keep the session in HTTP. If you can't do this, run the entire application from HTTPS only.

Recommendation: My recommendation would be Apache HTTPD in reverse proxy mode with mod_security installed and configured correctly. A properly hardened Apache HTTPD server is very difficult to hack and when placed in a DMZ gets the hacker hardly anywhere. mod_security compares requests against a series of rules. There is a general set of rules provided with mod_security (and kept up-to-date with known hacks, including DoS, script-kiddies etc) but you can add your own local rules as well. It all depends upon how 'valuable' the data the application has access to is.

Note: This is not to say that HAproxy isn't capable of performing the task, merely to say that in this instance I believe mod_security with Apache HTTPD might be a better fit, as long as you have the technical knowledge to configure mod_security properly. HAproxy is a _fantastic_ product and I use it to cluster Tomcat for my clients.

> I have spoken briefly with Willy who has very kindly set me on the right track for a couple of issues but I'm still not grokking haproxy yet. I have the following set in my haproxy.cfg. haproxy is correctly proxying my application but I am not challenged for a password at any point. Would someone kindly point out where I have made errors?
>
> Also, Willy suggested that I could use haproxy 1.5(dev) to harden the connection, preventing brute force attacks and the like. I have reviewed the configuration.txt file and most of the concepts are foreign to me. Has anyone a sample config file for this purpose they would share?
>
> Thanks,
> Sean
>
>     userlist L1
>         group G1 users sean
>         user sean insecure-password abc123
>
>     backend sleds
>         mode http
>         acl auth_ok http_auth(L1) G1
>         http-request auth unless auth_ok
>         timeout connect 10s
>         timeout server 30s
>         balance roundrobin
>         server sled1 127.0.0.1:10001 weight 1 maxconn 512
>
>     frontend http_proxy               #arbitrary name for the frontend
>         bind :80                      #all interfaces at port 80
>         mode http
>         option forwardfor
>         option http-server-close
>         option http-pretend-keepalive
>         default_backend sleds         #by default forward the requests to sled

Note that with the option forwardfor above you will probably need to configure Tomcat's Remote IP valve, otherwise your application will think that all requests are coming from the proxy server.

Hope this helps

-- 
Best Regards,
Brett Delle Grazie
RE: Using haproxy to armour a web server
What is the reason that this internal application has to be moved to external? Outside workers that have to reach the application?

Kind regards,
Mike Hoffs
Re: Using haproxy to armour a web server
The app is educational software that was designed for a classroom environment where one Tomcat server provides content to anyone on the campus intranet. We want to set up a virtual classroom because we have many customers that have trouble installing the old stand-alone version that comes on CD. A fully web-delivered product will/would be a wonderful thing for us.

I have looked briefly at OpenVPN but that still requires a small app to be installed on the user's PC. SSL plus a portal-like password auth front end would be ideal. In fact a proxy module for Drupal would be even better since I can use Drupal to deliver other things to my clients, but I don't think there's a reliable proxy module for Drupal.

On Tue, Jan 25, 2011 at 11:12 PM, Mike Hoffs m.ho...@mijn-sleutel.com wrote:
> What is the reason that this internal application has to be moved to external? Outside workers that have to reach the application?
>
> Kind regards,
> Mike Hoffs
Re: Using haproxy to armour a web server
On Tue, Jan 25, 2011 at 10:55 PM, Brett Delle Grazie brett.dellegra...@gmail.com wrote:
> Personally if the application isn't designed with security in mind I wouldn't put it on the Internet or consider paying a developer to review the application for just this purpose. Depending upon how the application was developed, reviewing it and updating its security can sometimes be extremely quick and far less costly than expected.

Agreed, but this isn't my app so rewriting isn't an option. I don't have the source code :-) The supplier is doing their own hardening but that update is not due until the end of the year. In the meantime, I can make a lot of money if I can get this working securely and stably enough to tide me over until the official product is released.

I'm actually planning on using something like stunnel to funnel the whole thing through SSL without the app needing to know about it (I don't think it's SSL aware). From what I've read so far, the SSL part is actually a minor part of the project. Though I admit I may turn out to be mistaken :-)

Thank you for the recommendation of Apache. I like and trust Apache so I'll definitely be giving that one a go. haproxy can then be left to handle the load sharing (since I'll be needing a failover machine).

Thanks!
Sean
RE: Using haproxy to armour a web server
I was also thinking about OpenVPN, we use it for some customers, it is awesome. You can put all the students in one group with only access to that Tomcat server. And also it is not that expensive: don't buy a license for the number of students, but for the number that you think will use it concurrently at a given time. Keep it in mind if you don't find a good solution.

Kind regards,
Mike Hoffs
Re: Using haproxy to armour a web server
Is the only way to run OpenVPN with the VPN client installed as a browser plugin?

On Tue, Jan 25, 2011 at 11:34 PM, Mike Hoffs m.ho...@mijn-sleutel.com wrote:
> I was also thinking about OpenVPN, we use it for some customers, it is awesome. You can put all the students in one group with only access to that Tomcat server. And also it is not that expensive: don't buy a license for the number of students, but for the number that you think will use it concurrently at a given time. Keep it in mind if you don't find a good solution.
>
> Kind regards,
> Mike Hoffs
RE: Using haproxy to armour a web server
I don't know how the community edition works, but the licensed one is shipped with a nice installer for Microsoft and Linux products. It is not a browser plugin, but a little program you can start when you need it; it will connect to your VPN server and set up the routing as you configured it.

Kind regards,
Mike Hoffs
RE: Using haproxy to armour a web server
Haha, I think for most idiots "next, next, next" is understandable ;-)

What I mean with VMware is that you can make a VMware image and burn it on DVD with VMware Player. I think with some scripting you can also make a nice installer for it too.

A long time ago I did some senior admin work at a college, don't trust those *(*$#% ever :-)

Kind regards,
Mike Hoffs
Re: Using haproxy to armour a web server
Oh I have trouble with that too! When I started in this job, my boss said "Be aware that some of the learning difficulties the kids use this software for are congenital", which was a very polite way of saying that some of the parents have the same problems!

I see what you mean with the VMware idea now. Not really applicable. Many of these people are running Macs, not Windows, and it still means I need to post a CD out. A fully web-delivered product is the holy grail. If I can make Brett's suggestion of Apache work then I'm home and hosed. Once the supplier gets their hardened solution working, I can just migrate the students across. At least that part of the software works :-)

Sean

On Tue, Jan 25, 2011 at 11:42 PM, Mike Hoffs m.ho...@mijn-sleutel.com wrote:
> Haha, I think for most idiots "next, next, next" is understandable ;-)
>
> What I mean with VMware is that you can make a VMware image and burn it on DVD with VMware Player. I think with some scripting you can also make a nice installer for it too.
>
> A long time ago I did some senior admin work at a college, don't trust those *(*$#% ever :-)
>
> Kind regards,
> Mike Hoffs
Clear Sticky Session/Cookie
I read the documentation and couldn't see anything on it but is there a way to dynamically (on-the-fly) clear a sticky session cookie? It's kind of for development environment switching and a sticky session set by time isn't exactly what we're looking for. Thanks!
Custom field addition to Statistics Report webpage?
I'm not sure if people have asked for this, but I would love a custom field/column in the Stats Report web page. Specifically, I would like to be able to see my backend server version. This is a custom text string which I could provide a health-check-like URL to populate. Then the HAProxy stats page could be a one-stop page to watch during rolling upgrades of backends. Probably for easy customization, an external call to a third party script would be ideal.

Has anyone considered this before? Is there any way to hack existing features to do this?

Cheers,
--Joel
blocking referers via list in external file
hello,

I run two sets of servers, each with an haproxy layer.

one set is:
    HA-Proxy version 1.4.8 2010/06/16
the other is:
    HA-Proxy version 1.4-dev3 2009/09/23

I am using an external file with a long list of referers that I want to block. In both server sets, it is invoked like so:

    acl invalid_referer hdr_sub(referer) -i -f /etc/haproxy/banned.haproxy.conf
    block if invalid_referer

On set 1 (1.4.8), this works fine, those referers get 403's, and I get log lines like:

    Jan 25 15:28:56 127.0.0.1 haproxy[30545]: 127.0.0.1:9921 [25/Jan/2011:15:28:56.240] yfrog_web yfrog_web/NOSRV 0/-1/-1/-1/0 403 188 - - PR-- 82/6/0/0/0 0/0 {yfrog.com|linkbucks.com|172.31.0.86} HEAD / HTTP/1.0

It's blocked, I see the nice NOSRV and PR--.

On the other server set (1.4-dev3), the config passes the syntax check, but matching referers are not blocked:

    Jan 25 15:31:00 127.0.0.1 haproxy[27166]: 172.31.0.86:52592 [25/Jan/2011:15:31:00.545] main local_nginx/127.0.0.1:14000 0/0/0/70/92 200 1251 - - 772/772/488/487/0 0/0 {linkbucks.com} HEAD / HTTP/1.1

The configurations are very nearly identical, except that in set 1 I invoke the ACL in a frontend section, and in set 2 I invoke it in a listen section.

Per http://haproxy.1wt.eu/download/1.5/src/CHANGELOG, support for -f was added in 1.4-dev1:

    - [MEDIUM] config: support loading multiple configuration files

Am I missing something?

thanks much,
-r

-- 
Robert Joseph
ImageShack Corp
Free Image Hosting
www.imageshack.us
Re: blocking referers via list in external file
Hi Robert,

On Wednesday 26 January 2011 00:39:53, Robert Joseph wrote:
> hello,
>
> I run two sets of servers, each with an haproxy layer.
>
> one set is:
>     HA-Proxy version 1.4.8 2010/06/16
> the other is:
>     HA-Proxy version 1.4-dev3 2009/09/23

It looks funny to see such a version in use, but it can be dangerous as it was an early version of the 1.4 branch.

> I am using an external file with a long list of referers that I want to block. In both server sets, it is invoked like so:
>
>     acl invalid_referer hdr_sub(referer) -i -f /etc/haproxy/banned.haproxy.conf
>     block if invalid_referer
>
> On set 1 (1.4.8), this works fine, those referers get 403's, and I get log lines like:
>
>     Jan 25 15:28:56 127.0.0.1 haproxy[30545]: 127.0.0.1:9921 [25/Jan/2011:15:28:56.240] yfrog_web yfrog_web/NOSRV 0/-1/-1/-1/0 403 188 - - PR-- 82/6/0/0/0 0/0 {yfrog.com|linkbucks.com|172.31.0.86} HEAD / HTTP/1.0
>
> It's blocked, I see the nice NOSRV and PR--.
>
> On the other server set (1.4-dev3), the config passes the syntax check, but matching referers are not blocked:

This feature only appeared in haproxy 1.4.5 (I guess that previous versions will try to find a -f referer, not sure about that). From the changelog:

    2010/05/13 : 1.4.5
        - [MINOR] acl: support loading values from files

> The configurations are very nearly identical, except that in set 1 I invoke the ACL in a frontend section, and in set 2 I invoke it in a listen section.
>
> Per http://haproxy.1wt.eu/download/1.5/src/CHANGELOG, support for -f was added in 1.4-dev1:
>
>     - [MEDIUM] config: support loading multiple configuration files
>
> Am I missing something?

Oh ok, this is not the same -f at all. The one you quote is for the command line options, to explode the haproxy configuration file in several ones.

-- 
Cyril Bonté
Re: Clear Sticky Session/Cookie
On Tue, Jan 25, 2011 at 07:20:20PM -0800, Anthony Saenz wrote:
> I read the documentation and couldn't see anything on it but is there a way to dynamically (on-the-fly) clear a sticky session cookie? It's kind of for development environment switching and a sticky session set by time isn't exactly what we're looking for.

Could you describe in more detail how you'd like that to work for your case instead?

Regards,
Willy
Re: Custom field addition to Statistics Report webpage?
Hi Joel,

On Tue, Jan 25, 2011 at 01:29:11PM -0800, Joel Krauska wrote:
> I'm not sure if people have asked for this, but I would love a custom field/column in the Stats Report web page. Specifically, I would like to be able to see my backend server version. This is a custom text string which I could provide a health-check-like URL to populate. Then the HAProxy stats page could be a one-stop page to watch during rolling upgrades of backends. Probably for easy customization, an external call to a third party script would be ideal.
>
> Has anyone considered this before? Is there any way to hack existing features to do this?

You should take a look at "stats show-desc". You can already use it to report a section-specific string. You can then have your upgrade script fill it from a config template. For instance:

    backend foo
        stats show-desc @@foo.version@@

Then replace @@foo.version@@ with whatever you like.

Assuming you're in a secure enough environment to consider such things, you should also take a look at "stats show-legends" which reports much more information (eg: mode, IPs, cookie names, etc...). This is different from what you asked for but will surely help troubleshoot issues if you already feel concerned with the config version.

Cheers,
Willy
Re: Using haproxy to armour a web server
On Tue, Jan 25, 2011 at 11:55:57AM +, Brett Delle Grazie wrote:
> Recommendation: My recommendation would be Apache HTTPD in reverse proxy mode with mod_security installed and configured correctly. A properly hardened Apache HTTPD server is very difficult to hack and when placed in a DMZ gets the hacker hardly anywhere. mod_security compares requests against a series of rules. There is a general set of rules provided with mod_security (and kept up-to-date with known hacks, including DoS, script-kiddies etc) but you can add your own local rules as well.

100% agree with you Brett. When I suggested to Sean that he look at 1.5, it was because he was asking how that could be used to protect against brute force connection attempts. With the full description it appears clearly that mod_security is required to keep the site safe enough, especially if the code has never been updated nor audited! The servers should be jailed as much as possible because I suspect Sean will regularly find gremlins on them...

Regards,
Willy