HAproxy

HAproxy is fantastic reverse proxy with a massive amount of features. Knocknoc has supported HAproxy for years, and integrates with it natively. HAproxy can be a little confusing at first due to its wide array of options and implementations, for now we'll walk through some basic configuration for use in front of Confluence.

Note: If you are reading this page, you should already have your ~~Knocknoc~~ Knocknoc Server and Agent setup as this guide will assume you are at least aware of the features being addressed.

HAproxy Configuration via the Admin Socket

Knocknoc supports HAproxy's admin socket, this interaction is how the access control list (ACL) within HAproxy is updated to allow your users to access the protected application behind. For this guide we are going to make a few assumptions, the first is that you have a Linux based system and the second is the Knocknoc Agent and HAproxy is installed already.

~~First, we need to add~~Add the knocknoc-agent ~~user,~~user to the haproxy group. This allows the knocknoc-agent to ~~access~~read and modify the ~~HAproxy socket.~~
ACL.
```
adduser knocknoc-agent haproxy
```
~~Then~~Edit ~~we need to map out a~~the HAproxy configuration ~~file with a few things to ensure we are looking at the right socket, are using an ACL and that ACL is in use for accessing confluence.~~
file.
```
vi /etc/haproxy/haproxy.cfg
```
~~The first thing to check and not here is~~Check the socket configuration under the global ~~section,~~section. ~~this~~This ~~item~~socket ~~should~~is what the agent connects to, in order to control HAproxy, hence the need for permissions. The line will list the location of the ~~socket, the permissions set~~socket and ~~the~~access ~~user~~permissions. ~~and~~For ~~group that has access, for example.~~
example;
```
stats socket /run/haproxy/admin.sock mode 0666 level admin user haproxy group haproxy
```
~~This socket is what the agent connects to, in order to control haproxy, hence the need for permissions. You also need to copy and paste~~Copy the path to the socket and paste into the ~~Knocknoc-admin backend~~ socket path in the Knocknoc admin interface when ~~setting~~creating ~~up an Haproxy~~a backend.
~~Next, we need to configure our~~The frontend definition, in ~~our example we are protecting a Confluence instance. In~~ this ~~example~~example, ~~we are~~is listening for ~~HTTP~~HTTP/s traffic on all interfaces on port 443 and HAproxy is providing the SSL verification from the certificates within the provided directory.
```
frontend https_frontend 
 mode http
 bind *:443 ssl crt /etc/ssl/private/ alpn h2,http/1.1
```
~~There~~Within ~~are~~the frontend definition, we have 3 ACL'~~s defined here;~~s;
1. acl is_confluence hdr(host) confluence.mycompany.com any traffic hitting the url defined ~~here~~ is marked with the ACL "is_confluence"
2. acl is_http hdr(X-Forwarded-Proto) http any traffic that is HTTP and not HTTPS is marked with the ACL "is_http"
3. acl knoc_confluence src -u 500 ~~lastly,~~ is the ~~interaction~~ACL-ID that Knocknoc-agent is interacting with ~~Knocknoc,~~in this ~~ACL~~example. ~~checks~~Users ~~the~~who ~~admin~~have ~~socket~~authenticated ~~from~~to ~~step 3 above. If a user has logged into knocknoc~~Knocknoc and isvia atheir ~~part~~groups ofare ~~the~~granted ~~security~~access ~~group~~to ~~that~~Confluence iswill ~~approved for that ACL~~have their IP ~~will~~added beto ~~reserved~~that ACL-ID. Traffic from the IP's in that ACL-ID ~~500 and traffic from those IP's is~~are marked with the ACL "knoc_confluence".
```
acl is_confluence hdr(host) confluence.mycompany.com
acl is_http hdr(X-Forwarded-Proto) http
acl knoc_confluence src -u 500
```
The ~~second~~below torule ~~last entry in~~within the frontend definition ~~tells HAproxy if~~redirects traffic is marked with the ACL "is_http" ~~redirect~~from itHTTP to HTTPS. Forcing all traffic to be encrypted.
```
  redirect scheme https if is_http is_http 
```
~~The last line, indicates traffic~~Traffic that is marked with the ACL's "is_confluence" and "knoc_confluence" is ~~the~~directed ~~use~~to the backend ~~definition~~ "confluence_backend"
```
use_backend confluence_backend if is_confluence knoc_confluence
```
~~The~~Any ~~last~~traffic ~~thing~~not tothose doACL's receives a 503 error.

Next is ~~define~~ the backend definition ~~we are going to target in~~ the ~~above~~example ~~frontend. A few things to note;~~contains;
1. ~~The~~ backend nameconfluence_backend this has to match the ~~name~~use_backend usedconfluence_backend infrom the ~~frontend.~~frontend definition.
2. The mode, mode inhttp, ~~almost all cases~~which should match the ~~frontend.~~mode from the frontend definition.
3. The server ~~definition~~line; ~~must~~
  1. This contains a ~~name,~~recognizable name for the server, server confluence_server for easy identification and logging.
  2. The IP:Port atof ~~the~~Confluence ~~very~~192.168.0.200:443 ~~least.~~
  HAproxy.
4. ~~In the following example, our server line contains the name confluence_server, with an IP and Port.~~ The ~~additional~~check ~~config~~statement, ~~of "check ssl verify none"~~which tells HAproxy to check ~~the~~Confluence ~~backend~~is ~~server~~up and responding on the ~~port~~IP:Port.
5. ssl seeverify none this statement means HAproxy does not care if the ~~server~~Confluence SSL cert is ~~alive~~valid as SSL termination is happening between the user and toHAproxy. ~~ignore verifying the SSL certificate. This means SSL only need to be maintained on HAProxy, reducing management overhead.~~
```
backend confluence_backend 
 mode http
 server confluence_server 192.168.0.200:443 check ssl verify none
```

~~There is a~~A lot, lot more that can be done with ~~HAProxy~~HAproxy the more familiar you become with ~~it the more confident you will be to use~~ it. Tied with Knocknoc's security integration it can become a fundamental cog in your security machine. Should you need further assistance feel free to reach out to one of our support partners.

Knocknoc Admin Interface Configuration for HAproxy

~~Within~~Click Backends on the ~~Knocknoc~~left.

~~Servers~~

Click ~~admin~~Create ~~interface,~~Backend on the right.
1. Enter a ~~backend~~name that is sensible, for example Server name - HAProxy.
2. Select the Knocknoc-agent that is installed on this server.
3. Backend Type will ~~need~~be toHAProxy.
4. Command Protocol will be ~~created.~~Unix ~~The~~Socket
5. Address will be the ~~one~~location ~~installed~~of the HAProxy socket from the HAProxy config.

Click Create.

Click on ~~this~~ACLs ~~server, and~~on the ~~address~~left.

~~needs~~

Click toCreate ACL on the right.
1. Description will be the ~~path~~name ~~specified in~~of the ~~Global~~Application/Service ~~config~~the ofACL ~~HAproxy~~is for.
2. URL is the external URL the end users will want to reach.
3. The Backend is the one just created.
4. The ACL Name is the ACL-ID from the HAProxy config.

Under Groups on the left, Select the group that requires access to Confluence and click edit and check the box for the ~~socket.~~

Confluence

~~Then we need to create an ACL using the above backend. The ACL name needs to match the ACL ID used in the HAproxy config.~~

~~Now we need to add a Security Group and add this ACL to the security group to allow the IP of the users within the group to be added to ACL 500. Now user~~
ACL.

Note: Group configuration varies, slightly depending on which Authentication source is being used. For guidance of Authentication, Groups and Users please review the documentation.

Additional HAProxy Configuration NotesInformation

HAproxy TCP Socket

The ~~HAproxy~~HAProxy backend also supports a TCP socket, in which case it still expects to talk to the ~~unix~~Unix socket, but it can do so via a TCP redirect. This is most easily accomplished with the spiped utility.

~~knocknoc-~~Knocknoc-agent ships with a script make-spiped-tunnel.sh which can walk you through making an ~~spiped~~ encrypted tunnel via spiped between your ~~knocknoc-~~Knocknoc-agent machine and a remote ~~haproxy.~~HAProxy. It is often easier to deploy ~~knocknoc-~~Knocknoc-agent directly to a machine, but in case this isn't possible, you can use anthe spiped tunnel for this purpose.

Further documentation on this will be added in the near future.

Error Responses

HAproxy can easily send custom 403 or 503 responses to users who aren't allowed to access the backend resource. For example:

This is configured as the default_backend error response in ~~the haproxy~~HAProxy config, so if the ~~http~~HTTP request doesn't match the right source IP or hostname, the above is ~~show~~shown toin the browser. An admin can ~~customise~~customize this to display ~~whatever you like,~~anything, but keep in mind ~~its~~it's ana HTTP response, not an HTML page, so there are limitations. You could of course link people to your Knocknoc instance in the error message, depending on your users and risk profile.

Full
Further haproxy.cfgdocumentation example

on this will be added in the near future.

Example HAProxy configuration file

Below is a full example of a basic default HAProxy configuration ~~file~~file. ~~completed~~It ~~with~~contains the ~~setting~~settings from ~~above.~~above to allow a 1:1 comparison.

global
  log /dev/log local0
  log /dev/log local1 notice
  stats socket /run/haproxy/admin.sock mode 0666 level admin user haproxy group haproxy
  user haproxy
  group haproxy
  daemon
  # Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  # Default ciphers to use on SSL-enabled listening sockets.
  # For more information, see ciphers(1SSL). This list is from:
  #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  ssl-default-bind-options no-sslv3
  # Default ciphers to use on SSL-enabled listening sockets.
  # For more information, see ciphers(1SSL). This list is from:
  #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  ssl-default-server-options no-sslv3
  nbproc 1

# Defaults
defaults
  log global
  mode http
  option httplog
  option dontlognull
  timeout connect 5000
  timeout client 50000
  timeout server 50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

# Userlist

# Resolvers

# Listen

frontend https_frontend 
 mode http
 bind *:443 ssl crt /etc/ssl/private/ alpn h2,http/1.1

 acl is_confluence hdr(host) confluence.mycompany.com
 acl is_http hdr(X-Forwarded-Proto) http
 acl knoc_confluence src -u 500

 redirect scheme https if is_http 
 use_backend confluence_backend if is_confluence knoc_confluence

backend confluence_backend 
 mode http
 server confluence_server 192.168.0.1:443 check ssl verify none