Re: Can HAProxy function as a firewall?

2022-05-04 Thread Tom Browder
On Wed, May 4, 2022 at 08:51 Shawn Heisey  wrote:
...

> Some things that I can think of that I don't think haproxy can do that
> you'd expect from a firewall:
>
> * Permit or deny any traffic other than TCP or UDP.
> ** Examples:  ICMP, IGMP, GRE, ESP.
> * Examine certain application protocols to track and automatically allow
> related connections.
> ** FTP and RPC are the examples that come to mind.


Thanks, Shawn.

Then how about using pfsense software instead in the same setup?

-Tom


Re: Can HAProxy function as a firewall?

2022-05-04 Thread Tom Browder
On Wed, May 4, 2022 at 06:30 Tom Browder  wrote:

> ...

> From what I've seen of HAProxy's configuration, it seems it may be able to
> be used as an easy-to-configure firewall immediately downstream from my
> ISP's router and inside a small Debian computer feeding another router.
>

If it can function as a firewall, shouldn't I be able to use two NICs in my
Debian server and use it on the ISP router as the gateway to my intranet
with a switch hanging on the second NIC?

-Tom


Can HAProxy function as a firewall?

2022-05-04 Thread Tom Browder
I am embarking on a journey to move my remote website servers into a single
server inside my home and accessible via DNS to my static IPv4 address. I
have been cautioned by fellow Debian users to completely block IPv6
traffic. Additionally, I see conflicting advice about what firewall
software to use and how to configure it.

From what I've seen of HAProxy's configuration, it seems it may be able to
be used as an easy-to-configure firewall immediately downstream from my
ISP's router and inside a small Debian computer feeding another router.

Does that sound feasible? Or is there a physical router available that
incorporates HAProxy?

Thanks.

-Tom


Re: Question about http compression

2022-02-21 Thread Tom Browder
On Mon, Feb 21, 2022 at 08:21 Lukas Tribus  wrote:

> Hello,
>
>
> On Mon, 21 Feb 2022 at 14:25, Tom Browder  wrote:
> >
> > I'm getting ready to try 2.5 HAProxy on my system
> > and see http compression is recommended.
>
> I'm not sure we are actively encouraging to enable HTTP compression.
> Where did you see this recommendation?


I think I implied that because I saw no note or warning about the hazards
of http compression.

Thanks, Lukas.

Cheers!

-Tom


Question about http compression

2022-02-21 Thread Tom Browder
I'm getting ready to try 2.5 HAProxy on my system and see http compression
is recommended.

I am running Apache 2.4.52 and have for years tried to keep its TLS
security as good as possible according to what advice I get from the Apache
docs and SSL Labs. From those sources I thought https should not use
compression because of some known exploit, so I'm not currently using it.
My sites get an A+ rating from SSL Labs testing.

So, not being at all an expert, I plan not to use the compression (although
I've always wanted to). Perhaps I'm not as up-to-date as I should be (this
is a hobby, but it's an important one, although I can't spend the time on
it I would like to).

Your thoughts and advice are appreciated.

-Tom


Newbie question

2022-02-19 Thread Tom Browder
I am running a single Apache httpd server (2.4.52) with multiple virtual
sites, all under TLS with individual Let's Encrypt certs using Apache's
managed domain feature. The setup has worked well for years (mostly static,
but some using CGI).

Now I want to be able to use a reverse proxy to enable the https data
received on port 443 to be:

+ decrypted using the appropriate domain's certs
+ sent to a unique port for its domain
+ have a Raku (formerly Perl 6) script take care of the backend business
+ re-encrypt the response
+ send the https response back to the client

Is that possible using HAProxy on a single server?

Thanks,

-Tom


Any cookbook recipes for: Apache+Letsencrypt+ReverseProxy

2020-10-23 Thread Tom Browder
I have a working Apache httpd server (2.4.43 with OpenSSL 1.1.1g) with
multiple virtual hosts using SNI on one IPv4, and I would like to have a
working reverse proxy behind one or more of those hosts.

I am happy to share the configuration for one of my hosts if I could get
help in adding HA Proxy into the https flow I currently have. I do have the
luxury of having available a separate physical server suitable for
experimentation with nothing being served from it at the moment, but it has
the same environment setup as the working one and any changes would not
interfere with my active sites.

I will post any successful configuration on my Github repository at <
https://tbrowde/config-scripts>.

Thanks.

Best regards,

-Tom


Re: HAProxy and Apache reverse proxy with TLS passthrough

2020-09-03 Thread Tom Browder
On Thu, Sep 3, 2020 at 15:40 Илья Шипицин  wrote:

> seems, you are talking about SNI routing. i.e. L7 routing based on server
> name extension sent in SSL Client Hello.
>
> will the following work for you ?
>
> https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
>

It looks like it has a good chance.

Thank you very much

Best regards,

-Tom


HAProxy and Apache reverse proxy with TLS passthrough

2020-09-02 Thread Tom Browder
I'm trying to cobble together the following https data flow:

<== public internet ==>

A. a single IPv4  Apache server with multiple virtual hosts
 identified by SNI

1. for each virtual host with its unique domain:

a.  use Apache's managed domain capability to get
 and keep current a Letsencrypt TLS cert
b.  have a reverse proxy to a backend TLS server (with
 passthrough TLS) identified by a unique port number
 on the local host

<== reverse proxy ==>

2. for each unique backend server

a.  respond to public domain https requests
b.  serve both static and dynamic content  back
to the public client

Notes:

1. Each virtual host is defined in a single Apache macro.
2. I have Apache running apparently successfully up to the
ProxyPass and ProxyReverse point but cannot get a
valid connection.
3. I can get the scenario to work in a non-TLS environment.
4. The solutions I've seen with Nginx and Caddy require
 wildcard certs or unique IPs, neither of which will
 work for me in my current understanding of Apache.

Questions:

1. Is this TLS scenario theoretically possible?
2. If so, can HAProxy help make it happen?
3. What are my options for the backend server?
 I have seen very little discussion of that
 except in vague terms of a "dynamic
 server" (for which I plan to use a Raku
 language server called Cro).

Thanks for any help.

Best regards,

-Tom
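As an added illustration of the SNI-routed TLS passthrough asked about in this thread (example configuration written for this page, not from the mailing list, from HAProxy's docs or from the blog post linked in the reply), here is a minimal HAProxy setup that reads the server_name from the ClientHello without decrypting anything and hands each domain to its own local port. The domain names example.org / example.net and the backend ports 8443 / 8444 are assumed placeholders.

```haproxy
# Added example, not from the thread. Placeholders: example.org and
# example.net stand for the virtual hosts; 127.0.0.1:8443 and :8444 stand
# for the per-domain backend TLS servers (e.g. a Cro app) on the same box.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind *:443
    # Wait (up to 5s) until the TLS ClientHello is buffered so that the
    # server_name extension can be inspected. The handshake itself is left
    # to the backend; HAProxy never sees plaintext in this mode.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # One ACL per virtual host; the SNI must match the full name.
    acl sni_org req.ssl_sni -i example.org
    acl sni_net req.ssl_sni -i example.net

    use_backend be_example_org if sni_org
    use_backend be_example_net if sni_net
    # No default_backend on purpose: a connection with no SNI or an unknown
    # name is dropped instead of being handed to some other domain's server.

backend be_example_org
    server org1 127.0.0.1:8443 check

backend be_example_net
    server net1 127.0.0.1:8444 check
```

Because the certificates stay on the backends, each backend must still hold its own Let's Encrypt cert for its name; the decrypt-at-proxy flow from the "Newbie question" above would instead use `mode http`, a `bind *:443 ssl crt` line with the cert directory, and `ssl` on each `server` line.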