HAproxy
HAproxy is a fantastic reverse proxy with a massive number of features. Knocknoc has supported HAproxy for years and integrates with it natively. HAproxy can be a little confusing at first because of its wide array of options and implementations, so for now we'll walk through some basic configuration for use in front of Confluence.
Note: If you are reading this page, you should already have your Knocknoc Server and Agent set up, as this guide assumes you are at least aware of the features being addressed.
HAproxy Configuration via the Admin Socket
Knocknoc supports HAproxy's admin socket; this is how the access control list (ACL) within HAproxy is updated to allow your users to reach the protected application behind it. For this guide we make two assumptions: first, that you have a Linux-based system, and second, that the Knocknoc Agent and HAproxy are already installed.
- Add the knocknoc-agent user to the haproxy group. This allows the knocknoc-agent to read and modify the ACL.
    adduser knocknoc-agent haproxy
- Edit the HAproxy configuration file.
    vi /etc/haproxy/haproxy.cfg
- Check the socket configuration under the global section. This socket is what the agent connects to in order to control HAproxy, hence the need for permissions. The line lists the location of the socket and its access permissions. For example:
    stats socket /run/haproxy/admin.sock mode 0666 level admin user haproxy group haproxy
  Copy the path to the socket; it will be required when we set up the backend in the Knocknoc admin interface.
- The frontend definition, in this example, listens for HTTPS traffic on all interfaces on port 443, and HAproxy provides SSL termination using the certificates within the provided directory.
    frontend https_frontend
        mode http
        bind *:443 ssl crt /etc/ssl/private/ alpn h2,http/1.1
- Within the frontend definition, we have three ACLs:
    acl is_confluence hdr(host) confluence.mycompany.com
  Any traffic hitting the host defined is marked with the ACL "is_confluence".
    acl is_http hdr(X-Forwarded-Proto) http
  Any traffic that is HTTP and not HTTPS is marked with the ACL "is_http".
    acl knoc_confluence src -u 500
  500 is the ACL-ID that knocknoc-agent interacts with in this example. Users who have authenticated to Knocknoc and, via their groups, are granted access to Confluence will have their IP added to that ACL-ID. Traffic from the IPs in that ACL-ID is marked with the ACL "knoc_confluence".
- The rule below within the frontend definition redirects traffic marked with the ACL "is_http" from HTTP to HTTPS, forcing all traffic to be encrypted.
    redirect scheme https if is_http
- Traffic that is marked with both ACLs "is_confluence" and "knoc_confluence" is directed to the backend "confluence_backend".
    use_backend confluence_backend if is_confluence knoc_confluence
- Any traffic not matching those ACLs receives a 503 error.
- Next is the backend definition. The example contains:
    backend confluence_backend
  This has to match the use_backend confluence_backend line from the frontend definition.
- The mode,
    mode http
  which should match the mode from the frontend definition.
- The server line:
    server confluence_server 192.168.0.200:443 check ssl verify none
  This contains a recognizable name for the server, confluence_server, for easy identification and logging; the IP:Port of Confluence, 192.168.0.200:443, behind HAproxy; the check statement, which tells HAproxy to check that Confluence is up and responding on the IP:Port; and ssl verify none, which means HAproxy does not care whether the Confluence SSL certificate is valid, as SSL termination is happening between the user and HAproxy.
  The complete backend definition:
    backend confluence_backend
        mode http
        server confluence_server 192.168.0.200:443 check ssl verify none
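As an added illustration of what happens over that admin socket (this is not Knocknoc's or HAproxy's own code), the script below validates a client IP, sends the runtime API commands that add it to ACL #500 and reads the ACL contents back. The socket path and ACL id are taken from the configuration above; the client IP is a constructed sample.

```python
import ipaddress
import socket

# From the guide's "stats socket" line and "acl knoc_confluence src -u 500".
SOCKET_PATH = "/run/haproxy/admin.sock"
ACL_ID = 500


def acl_command(action: str, acl_id: int, ip: str) -> str:
    """Build one runtime API line ("add acl" / "del acl") for the numbered ACL.

    The IP is parsed with ipaddress first so only a well-formed address reaches
    the socket: the runtime API treats newlines and semicolons as command
    separators, so an unvalidated string could smuggle in extra commands.
    """
    if action not in ("add", "del"):
        raise ValueError(f"unsupported action: {action}")
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    return f"{action} acl #{acl_id} {addr}\n"


def parse_show_acl(output: str) -> list[str]:
    """Return the patterns from 'show acl #<id>' output ('<ref> <pattern>' per line)."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("0x"):
            entries.append(parts[-1])
    return entries


def runtime_api(command: str, path: str = SOCKET_PATH) -> str:
    """Send one command to the admin socket; HAproxy replies and closes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(command.encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode()


def grant(ip: str, acl_id: int = ACL_ID, path: str = SOCKET_PATH) -> list[str]:
    """Allow-list one client IP in the Knocknoc-controlled ACL; return its entries."""
    runtime_api(acl_command("add", acl_id, ip), path)
    return parse_show_acl(runtime_api(f"show acl #{acl_id}\n", path))


if __name__ == "__main__":
    print(grant("192.0.2.10"))  # constructed sample client IP
```

The socket must be writable by the user running the script, which is why the guide adds knocknoc-agent to the haproxy group.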
There is a lot more that can be done with HAproxy as you become more familiar with it. Tied with Knocknoc's security integration, it can become a fundamental cog in your security machine. Should you need further assistance, feel free to reach out to one of our support partners.
Knocknoc Admin Interface Configuration for HAproxy
- Click Backends on the left.
- Click Create Backend on the right.
- Click Create.
- Click on ACLs on the left.
- Click Create ACL on the right.
- Under Groups on the left, select the group that requires access to Confluence, click Edit, and check the box for the Confluence ACL.
Note: Group configuration varies slightly depending on which authentication source is being used. For guidance on Authentication, Groups and Users, please review the documentation.
Additional HAProxy Configuration Information
HAproxy TCP Socket
The HAProxy backend also supports a TCP socket; in that case it still expects to talk to the Unix socket, but it can do so via a TCP redirect. This is most easily accomplished with the spiped utility.
Knocknoc-agent ships with a script, make-spiped-tunnel.sh, which walks you through making an encrypted tunnel via spiped between your Knocknoc-agent machine and a remote HAProxy. It is often easier to deploy Knocknoc-agent directly to the machine, but where this isn't possible you can use the spiped tunnel for this purpose.
Further documentation on this will be added in the near future.
Error Responses
HAproxy can easily send custom 403 or 503 responses to users who aren't allowed to access the backend resource. For example:
This is configured as the default_backend error response in the HAProxy config, so if the HTTP request doesn't match the right source IP or hostname, the above is shown in the browser. An admin can customize this to display anything, but keep in mind it's an HTTP response, not an HTML page, so there are limitations. You could of course link people to your Knocknoc instance in the error message, depending on your users and risk profile.
Further documentation on this will be added in the near future.
Example HAProxy configuration file
Below is a full example of a basic default HAProxy configuration file. It contains the settings from above to allow a 1:1 comparison.
global
    log /dev/log local0
    log /dev/log local1 notice
    stats socket /run/haproxy/admin.sock mode 0666 level admin user haproxy group haproxy
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-server-options no-sslv3
    nbproc 1

# Defaults
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Userlist

# Resolvers

# Listen

frontend https_frontend
    mode http
    bind *:443 ssl crt /etc/ssl/private/ alpn h2,http/1.1
    acl is_confluence hdr(host) confluence.mycompany.com
    acl is_http hdr(X-Forwarded-Proto) http
    acl knoc_confluence src -u 500
    redirect scheme https if is_http
    use_backend confluence_backend if is_confluence knoc_confluence

backend confluence_backend
    mode http
    server confluence_server 192.168.0.1:443 check ssl verify none