Knocknoc server behind HAProxy
Running Knocknoc behind HAProxy can be a good option for people with existing HAProxy deployments, or who want to unify certificate and other management tasks in one place.
Here is a sample HAProxy config with Knocknoc as a backend:

```
frontend Sol1-Frontend
    # TLS on 443 with HTTP/2 advertised via ALPN (add http/1.1 to the alpn
    # list if you also want to advertise HTTP/1.1 explicitly)
    bind 0.0.0.0:443 ssl crt /etc/ssl/private/star.mydomain.com alpn h2
    bind 0.0.0.0:80
    mode http
    # Add X-Forwarded-For with the client's real address
    option forwardfor
    # WebSocket ACLs (defined here for reference; HAProxy in http mode passes
    # the Upgrade handshake through to the backend without extra rules)
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    # Only requests for the Knocknoc hostname reach the Knocknoc backend
    acl hdr_knocknoc hdr(host) -m beg -i knocknoc.mydomain.com
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Force everything onto https
    http-request redirect scheme https unless { ssl_fc }
    use_backend knocknoc if hdr_knocknoc
    default_backend access_denied

backend access_denied
    mode http
    balance roundrobin
    # Deny explicitly so the custom 403 page is served; a backend with no
    # servers would otherwise answer 503, not 403
    http-request deny
    errorfile 403 /var/www/403.http

backend knocknoc
    description Knocknoc
    mode http
    balance roundrobin
    # Health check (pre-2.2 syntax; on HAProxy 2.2+ use
    # "option httpchk HEAD /" plus "http-check send hdr Host localhost")
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    option forwardfor
    # Knocknoc listens with TLS on 8756; its certificate is not verified here
    server knocknoc 127.0.0.1:8756 check ssl verify none
```
Note that this HAProxy config has a few important features we recommend:
- HTTP/2 is enabled (alpn h2)
- Redirect from http to https
- WebSocket support (knocknoc-agent requires this)
- Custom 403 error page for any hostname other than Knocknoc's
- TLS verification disabled on the knocknoc backend
You will need to match this config to your security and networking needs, but it should get you most of the way there. As long as knocknoc.mydomain.com points at the IP of the HAProxy server, it will proxy into knocknoc and you can go from there.
Option forwardfor is important, as it makes sure the original client IP is passed to knocknoc in the X-Forwarded-For header; without it knocknoc only sees the source IP of the proxy. This is where the TrustedForwarders setting in knocknoc.conf is important, as it sets which proxy addresses are allowed to send that header (an X-Forwarded-For header arriving from any other address should not be trusted, since a client could set it itself).
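As an added illustration (this is not Knocknoc's code, and the syntax of TrustedForwarders in knocknoc.conf is not shown here), the Python below shows the check such a setting stands for: honour X-Forwarded-For only when the TCP peer is a trusted proxy, and walk the header from the right so an entry forged by the client is ignored. It generalises to a chain of several proxies; the trusted list and addresses are constructed examples.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed example of what a TrustedForwarders-style list would hold:
# the loopback address HAProxy connects from, plus an internal proxy range.
TRUSTED_FORWARDERS = ["127.0.0.1", "10.0.0.0/8"]


def is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip falls inside any trusted address or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(peer_ip: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Resolve the real client address from the TCP peer and X-Forwarded-For.

    The header is only honoured when the TCP peer is a trusted forwarder.
    Hops are then walked from the right (nearest proxy) to the left; the
    first hop that is not itself a trusted forwarder is the client. Anything
    further left was appended before a trusted proxy saw the request and may
    have been written by the client, so it is never used.
    """
    if not xff or not is_trusted(peer_ip, trusted):
        # No header, or the peer is not a proxy we trust: the TCP source is
        # the only address we can rely on.
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not guess, fall back to the proxy address.
            return peer_ip
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was a trusted proxy (request originated inside the trusted
    # range); the leftmost entry is the closest thing to a client.
    return hops[0]
```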