HAproxy
HAproxy is fantastic reverse proxy with a massive amount of features. Knocknoc has supported HAproxy for years, and integrates with it natively. The vast amount of options for HAproxy can make it confusing at first, however we can walk through the bare essentials to be able to use Knocknoc, and you can extend it from there.
If you wanted to protect an arbitrary web application, for example a legacy PHP app, or Atlassian Confluence, we would recommend deploying HAproxy to sit in front of the application, and use Knocknoc to control access. This will often be an easier deployment path, and is a cost effective security measure for many reasons.
HAproxy Admin socket
Knocknoc supports HAproxy's admin socket directly, so you can just configure the socket path, adjust the permissions and away you go.
You can see from this screenshot, when you create a new backend, you can select HAproxy as the socket type, and then add the path. This implies your knocknoc-agent 'test' can read and write directly to the socket. One way to allow this is to add the knocknoc-agent user to the haproxy group:
adduser knocknoc-agent haproxy
Works on debian, or equivalent.
Haproxy TCP Socket
The HAproxy backend also supports a TCP socket, in which case it still expects to talk to the unix socket, but it can do so via a TCP redirect. This is most easily accomplished with the spiped utility.
knocknoc-agent ships with a script make-spiped-tunnel.sh which can walk you through making an spiped encrypted tunnel between your knocknoc-agent machine and a remote haproxy. It is often easier to deploy knocknoc-agent directly to a machine, but in case this isn't possible, you can use an spiped tunnel for this purpose.
Haproxy Configuration
Haproxy configuration is vast topic, however here is a minimal config for the seasoned admin to get started quickly:
frontend https_frontend
mode http
bind *:443 ssl crt /etc/ssl/private/ alpn h2,http/1.1
acl is_confluence hdr(host) confluence.mycompany.com
acl is_http hdr(X-Forwarded-Proto) http
acl knoc_confluence src -u 500
redirect scheme https if is_http
use_backend confluence_backend if is_confluence knoc_confluence
backend confluence_backend
mode http
server confluence_server internal_confluence_ip:443 check ssl verify none
This config snippet sets up an HAproxy fronted on port 443, with certs served from the directory /etc/ssl/private and enabled HTTP2.
Then it sets up some ACLs for the hostname and Knocknoc to update (ACL ID 500).
Then the use_backend directive only allows connections to the backends if the hostname matches confluence.mycompany.com AND the list of source IPs in ACL 500.
Knocknoc will then be configured using the ACL setting pane to have ACL 500 map to this backend on this agent:
Then this ACL needs to be added to a Group, and any user in that group will have their Source IP added to ACL 500 when they authenticate OK to Knocknoc!