Knocknoc server behind HAproxy

Running Knocknoc behind HAproxy could be a great option for people with existing HAproxy deployments, or who want to unify certificate and other management tasks.

Here is a sample HAproxy config for Knocknoc as a backend:

frontend Sol1-Frontend
  bind 0.0.0.0:443 ssl crt /etc/ssl/private/star.mydomain.com alpn h2
  bind 0.0.0.0:80
  mode http
  option forwardfor
  acl is_websocket hdr(Upgrade) -i WebSocket
  acl is_websocket hdr_beg(Host) -i ws
  acl hdr_knocknoc hdr(host) -m beg -i knocknoc.mydomain.com
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request redirect scheme https unless { ssl_fc }
  use_backend knocknoc if hdr_knocknoc
  default_backend access_denied

backend access_denied
  mode http
  balance roundrobin
  errorfile 403 /var/www/403.http
  
backend knocknoc
  description Knocknoc
  mode http
  balance roundrobin
  option httpchk HEAD / HTTP/1.1\r\nHost:localhost
  option forwardfor
  server knocknoc 127.0.0.1:8756 check ssl verify none

Note this HAProxy config as a few important features we recommend.

• HTTP/2 is enabled (alpn h2)
• Redirect from http to https
• Websocket support (knocknoc-agent requires this)
• Custom 403 error page
• disabling TLS verification on the knocknoc backend

You will need to match this config to your security and networking needs, but this should get you most of the way there. As long as knocknoc.mydomain.com points at the IP of the HAproxy server, it should proxy into knocknoc and you can go from there.