Like all the literature says this is a high capacity load balancing proxy. It is like a Swiss army knife for hosting. This will be the base for our host platform and redirecting our web traffic to the back end hosting servers. This proxy can also redirect other protocols other than plain web traffic, at the moment it can do other TCP based protocols. Bonus, It will work alongside SQUID as well without an issue, unless you use SQUID as your reverse proxy! Then you will have to choose!

Before we get into the nuts and bolts of setting up a pretty basic reverse proxy with HaProxy, we have to make some changes to better secure and route our traffic.

First off, if you have taken the steps to generate some certificates with Let’s Encrypt and the acme package then perfect.

So let’s go on to setting our NAT rules and port redirects

Menu / Firewall / NAT

For right now we are going to create two port forwards on our WAN, they could theoretically go to any IP you designate virtually. I used localhost since it won’t be confused or possibly used anywhere but the firewall itself. It is simpler to setup and make work without too much fanfare. This will be the IP address that HaProxy will listen on. You will see two firewall rules created on your WAN interface and then we are all set to go.

We will head over to Services / HAProxy / Settings

For a pretty modest and basic setup, you can leave all the settings at default except two, the Maximum connections should be at least 5000 to 10000 and Custom options.

If you want an A rating from Qualys

https://www.ssllabs.com/ssltest/

You want to put in this code into the Custom options box, these can be tweaked to better harden your security or improve your grade!

# Modern browser compatibility only as mentioned here:

# https://wiki.mozilla.org/Security/Server_Side_TLS

ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets

ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

tune.ssl.default-dh-param 2048

tune.ssl.maxrecord 1370

ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Please note the above box introduces Windows new lines, the text has been wrapped!

The last two things we have to concern ourselves with is the concept of Frontend and Backend. Haproxy since it is a load balancing proxy it has more features than this document will cover. There is one other feature you can use for when a backend is offline. It will serve a static service error offline page. If we go to templates we can generate a default Error page and remove the old entry.

Before we begin, the backend services have to be configured first. Otherwise the frontend will not have a service to attach to. This is pretty easy to understand and configure, give it a name that makes logical sense plop in the IP address and port of the server or service in question and save.

All other settings can be left as default unless you require some fancy setup.

For the Health check, if we have an SSL site for the backend we should just use “Basic” checks.

Since we have two different protocols like SSL and Non-SSL, I have created two frontends to handle the two types of web traffic

I will start with the HTTPS traffic first, this will be the foundation in which we use to redirect to. We want to make sure we have chosen under Type

"http https(offloading)"

This is after we input the listen address and port number HaProxy is listening on.

It is really important to ensure the SSL Offloading box is checked or you will not be able to process security certificates.

You will see Access Control lists and Actions, you can think of ACL as what do you want the service to do when it gets a header match, which will be most likely your domain website name. So when a match happens, under Actions you want the traffic to be directed to your backend server or service.

The order of the entries in the ACL do matter, so keep that in mind, keep your base domain last (i.e. mydomain.com)

You can match names through various methods such as host name contains or specific matching criteria.

Now the fun part, you will see an SSL Offloading section, you will have to choose one main certificate and then under additional certificates if you host more than one website or service you can add more. All the certificates created using Lets’ encrypt and acme will be available to be added here. Most modern web browsers are SNI capable and this is how Haproxy can serve multiple SSL sites.

In the SSL Offloading section of your Frontend in the advanced options you need to add this line. Helps guard against Poodle attack!

I would leave all other checkboxes empty since this will complicate our simple setup.

Lastly but not least the HTTP Frontend traffic, this will be the traffic that hits the web address bar in most browsers as a user types it in.

I mirrored what I created in the SSL Frontend and I use the following syntax in the Actions section to create our redirects!

http-request redirect – Action to take

rule: scheme https code 301 – Rule to apply

I have used two sites to test this to ensure it works correctly. The last thing you want is a low rating from Google®

http://redirectcheck.com/

http://www.redirect-checker.org/index.php

The reason we do this is for google ranking, if your site uses a permanent redirect you won’t get as penalized.

Conceptual Network Diagrams

In my setup I have an actual NAT redirect for internal users who operate on the same subnet and try to hit the Internet facing site which of course is internal and most security appliances have explicit deny rules to stop this behaviour. I choose not to do split DNS since this can become messy and riddled with problems especially when you throw Site to site VPN’s into the mix. I also choose not to have users access the server site directly, since it can cause route confusion which causes more traffic to operate over the VPN in the case of said Site to Site VPN’s basically creates a bridge to nowhere. It is a security risk for internal access from internal users to access directly.

Haproxy does all the heavy lifting with the security SSL certificates, and my backend is under my control. I think it is safe to leave those servers running on unencrypted channels, thus reducing some of the overhead and packet process.

In a perfect world all your various networks should be isolated from each other especially your mission critical servers and infrastructure. All channels should be secured, encrypted, monitored and managed, so I have included what I was trying to achieve with the budget and time constraints in place.

As of this document

Machine used in this example environment

VMware Virtual Machine

• Intel(R) Xeon(R) CPU E5507 @ 2.27GHz, 2GB RAM
• PfSense® 2.4.0-RELEASE (amd64)
• acme 0.1.21
• haproxy 0.52_14

References

https://doc.pfsense.org/index.php/Haproxy_package

https://blog.briantruscott.com/how-to-serve-multiple-domains-from-a-single-public-ip-using-haproxy-on-pfsense/