Let's say you are a system administrator who manages HAProxy load balancers for high availability. They round-robin traffic to a set of four application servers without modifying the forwarded requests: the HAProxies only pass frontend traffic to the application machines, and the responses are returned through another set of HAProxies.
Because the requests reaching the application frontend need to be as safe as possible, this article gives a few options that can be turned on in HAProxy to strengthen the security of the backend application against attackers and script kiddies.
Here is a sample frontend/backend chunk you can use in the haproxy.cfg configuration file for this purpose.
frontend Incoming_Frontend
    bind 10.10.150.8:80 ssl crt /etc/haproxy/certs/your-domain-cert.net_haproxy.pem ca-file /etc/haproxy/certs/CustomCompanyCA.crt verify optional
    mode http
    http-request del-header max-forwards
    http-response set-header X-Frame-Options sameorigin
    http-response replace-header Location http[s]*://[^/:]*[:]*[0-9]*(/.*) \1
    option httplog
    timeout client 600s
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
    default_backend bk_Incoming_Frontend

backend bk_Incoming_Frontend
    mode http
    balance roundrobin
    timeout server 330s
    timeout connect 4s
    server bk_AppServer_01 10.10.250.40:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
    server bk_AppServer02 10.40.251.30:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
    server bk_AppServer03 10.50.252.40:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
    server bk_AppServer04 10.80.253.50:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
The configuration directives that improve backend security are these:
    mode http
    http-request del-header max-forwards
    http-response set-header X-Frame-Options sameorigin
    http-response replace-header Location http[s]*://[^/:]*[:]*[0-9]*(/.*) \1
    option httplog
What each of these directives does is explained below. The configuration is set up for handling HTTP traffic with some specific request and response modifications.
Breakdown of the Configuration:

mode http
This tells HAProxy to operate in HTTP (layer 7) mode, so it parses requests and responses and can apply HTTP-specific directives such as header modification and HTTP logging. The default is TCP mode, in which the header rules below would not apply, so this line is a prerequisite for everything that follows.
http-request del-header max-forwards
This removes the Max-Forwards header from incoming HTTP requests before they reach the application servers (header names are matched case-insensitively, so max-forwards covers Max-Forwards).
Max-Forwards is used with the TRACE and OPTIONS methods to limit the number of proxy hops a request may traverse: each proxy decrements it, and the hop that receives a value of zero answers the request itself instead of forwarding it. That lets a client single out individual proxies in a chain and, with TRACE, get each one to echo the request back, which is a cheap way to map the proxies sitting behind HAProxy.
Deleting the header takes that lever away. It does not disable TRACE itself: if the application servers answer TRACE requests (the basis of cross-site tracing attacks), deny the method in HAProxy with an http-request deny rule, or disable it on the servers.
http-response set-header X-Frame-Options sameorigin
This sets the X-Frame-Options header in every HTTP response to sameorigin (browsers compare the value case-insensitively; the conventional spelling is SAMEORIGIN). set-header overwrites any value the application already sent, so HAProxy becomes the single place that decides the framing policy.
Purpose: prevents clickjacking attacks by allowing the page to be embedded in a frame only by pages from the same origin, never by third-party sites. X-Frame-Options knows only DENY and SAMEORIGIN; if specific partner sites must be allowed to frame the application, the Content-Security-Policy frame-ancestors directive is the modern replacement, and browsers that support it enforce it in preference to X-Frame-Options.
For those who don't know, clickjacking is the malicious practice of manipulating a website user's activity by concealing hyperlinks beneath legitimate-looking clickable content, causing the user to perform actions of which they are unaware. For example, you click a payment button on what looks like a normal website, but the decoy page has the real target site framed underneath, and instead of paying the site you intended, your money is sent to a malicious user's bank account.
http-response replace-header Location http[s]*://[^/:]*[:]*[0-9]*(/.*) \1
This rewrites the Location header of HTTP responses. replace-header matches the regular expression against the header value and, when it matches, replaces the whole value with the replacement format; \1 is the first capture group, i.e. the path. The effect is to strip the scheme (http:// or https://), the host and the port, leaving only the path.
Example:
    Before: Location: https://example.com:8080/path/to/resource
    After:  Location: /path/to/resource
This matters because an application that builds absolute redirects from its own address would otherwise send the browser to something like http://10.10.250.40:8088/login, exposing the internal server and port and breaking the redirect for the client. A path-only Location is resolved by the browser against the public origin it connected to, which is exactly what you want behind a reverse proxy.
Two caveats: the expression only matches when the URL has a path (a bare https://host:port redirect is left untouched), and it strips the host from every absolute redirect, including legitimate ones to other sites such as a single sign-on provider, which it would quietly break. If the application redirects to external hosts, restrict the host part of the expression to your internal names or addresses. Also, http[s]* accepts any number of s characters; https? is the intended form.
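To see exactly what the rewrite does, and what the two caveats above mean in practice, here is an added Python example (not part of the original article and not HAProxy code) that mimics replace-header semantics with the page's own expression, and beside it a stricter rewrite that only strips hosts it knows are internal. The backend addresses are taken from the sample configuration; example.com is the page's example host and is treated as internal here by assumption, and the Location values are constructed.

```python
import re

# Expression exactly as on the page (HAProxy replace-header: if the regex
# matches, the whole header value becomes the replacement, here \1).
PAGE_PATTERN = r"http[s]*://[^/:]*[:]*[0-9]*(/.*)"

# Tightened form: anchored, "https?" instead of "http[s]*", still POSIX-ERE
# safe so it works whichever regex library HAProxy was built with.
TIGHT_PATTERN = r"^https?://[^/:]*:?[0-9]*(/.*)"

# Hosts we are willing to strip from a redirect (assumption for this example:
# the backend addresses from the sample config plus the page's example host).
INTERNAL_HOSTS = {
    "10.10.250.40", "10.40.251.30", "10.50.252.40", "10.80.253.50",
    "example.com",
}

_ABS_URL = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:?#]+)(?::(?P<port>[0-9]+))?(?P<path>/.*)?$",
    re.IGNORECASE,
)


def replace_header(value: str, pattern: str, fmt: str = r"\1") -> str:
    """Model HAProxy's 'http-response replace-header': search the value for
    <pattern>; on a match the entire value is replaced by <fmt> expanded
    with the capture groups, otherwise the value is left untouched."""
    m = re.search(pattern, value)
    return value if m is None else m.expand(fmt)


def rewrite_location(value: str, internal_hosts=INTERNAL_HOSTS) -> str:
    """Stricter rewrite: only strip scheme/host/port when the host is one of
    ours, and turn a bare 'https://host:port' (no path) into '/'.
    Redirects to external sites (SSO provider, partner) pass through unchanged."""
    m = _ABS_URL.match(value)
    if m is None or m.group("host").lower() not in internal_hosts:
        return value
    return m.group("path") or "/"


# Constructed Location values a backend might emit (not real captured traffic).
CASES = [
    "https://example.com:8080/path/to/resource",    # the page's example
    "http://10.10.250.40:8088/login?next=%2Fhome",  # backend leaks its own address
    "https://10.10.250.40:8088",                    # no path: page regex misses it
    "https://sso.partner.example/saml/login",       # external, must be kept
    "/already/relative",                            # nothing to do
]


def compare(cases=CASES):
    """Return (input, page-regex result, strict result) for every case."""
    return [(c, replace_header(c, PAGE_PATTERN), rewrite_location(c)) for c in cases]


if __name__ == "__main__":
    for original, page, strict in compare():
        print(f"{original:48} page: {page:40} strict: {strict}")
```

Running it shows the page's expression leaving the bare https://10.10.250.40:8088 redirect intact while turning the external SSO redirect into /saml/login, which the browser would then request from your own site; the strict version gets both cases right because it decides on the host, not on the presence of a path.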
option httplog
Enables HAProxy's detailed HTTP log format instead of the terse TCP one. Each request is logged with the client address, accept time and timers, frontend, backend and server, the HTTP status and bytes, the termination state flags and the request line (method, URL and version), which is what you need to spot probing, blocked requests and misbehaving servers. The log-format line in the sample configuration spells out this default HTTP layout field by field.
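As an added example (not from the article), here is a small Python parser for lines in the shape the log-format in the sample configuration produces, run over a handful of constructed log lines. It extracts the fields a defender cares about and flags TRACE requests, requests HAProxy blocked itself (termination state beginning with P) and per-client 4xx counts. Assumptions: no capture request/response header lines are configured, so the %hr/%hs fields are empty and the braced groups do not appear; the client addresses, timestamps and requests in the samples are made up.

```python
import re
from collections import Counter

# Field layout of the page's log-format (HAProxy's default HTTP log):
# %ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %CC %CS %tsc
# %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r
# Assumption: no "capture ... header" lines, so %hr/%hs are empty and the
# optional {...} groups never appear in the constructed samples below.
LOG_RE = re.compile(
    r"^(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+)\s+"
    r"\[(?P<accept_date>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+"
    r"(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+)\s+"
    r"(?P<status>-?\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<req_cookie>\S+)\s+(?P<res_cookie>\S+)\s+"
    r"(?P<termination_state>\S{4})\s+"
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+)\s+"
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)\s+"
    r"(?:\{(?P<req_headers>[^}]*)\}\s+)?(?:\{(?P<res_headers>[^}]*)\}\s+)?"
    r'"(?P<request>[^"]*)"$'
)

# Constructed sample lines (not real traffic) in the shape the log-format produces.
SAMPLE_LOG = """\
10.10.1.5:51234 [25/Mar/2024:10:15:32.123] Incoming_Frontend~ bk_Incoming_Frontend/bk_AppServer_01 2/0/1/45/48 200 1234 - - ---- 3/3/0/0/0 0/0 "GET /index.html HTTP/1.1"
10.10.1.5:51240 [25/Mar/2024:10:15:33.004] Incoming_Frontend~ bk_Incoming_Frontend/bk_AppServer02 1/0/0/12/13 301 312 - - ---- 3/3/0/0/0 0/0 "GET /login HTTP/1.1"
203.0.113.77:40022 [25/Mar/2024:10:15:40.512] Incoming_Frontend~ bk_Incoming_Frontend/bk_AppServer03 3/0/1/9/13 405 420 - - ---- 4/4/0/0/0 0/0 "TRACE / HTTP/1.1"
203.0.113.77:40023 [25/Mar/2024:10:15:41.001] Incoming_Frontend~ bk_Incoming_Frontend/bk_AppServer04 2/0/1/8/11 404 388 - - ---- 4/4/0/0/0 0/0 "GET /.git/config HTTP/1.1"
203.0.113.77:40024 [25/Mar/2024:10:15:41.300] Incoming_Frontend~ Incoming_Frontend/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 4/4/0/0/0 0/0 "TRACE /admin HTTP/1.1"
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it is not in the
    expected shape (a syslog prefix, a startup message, ...)."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def analyze(log_text: str):
    """Summarise what a defender wants from these lines: who sends TRACE,
    how many requests HAProxy blocked itself, and 4xx counts per client."""
    trace_requests = []
    blocked_by_proxy = 0
    client_4xx = Counter()
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if rec["method"] == "TRACE":
            trace_requests.append((rec["client_ip"], rec["path"], rec["status"]))
        # A first termination-state character of 'P' means the proxy ended the
        # session itself (deny rule, invalid request), not the server.
        if rec["termination_state"][0] == "P":
            blocked_by_proxy += 1
        if 400 <= rec["status"] < 500:
            client_4xx[rec["client_ip"]] += 1
    return {
        "parsed": parsed,
        "trace_requests": trace_requests,
        "blocked_by_proxy": blocked_by_proxy,
        "client_4xx": dict(client_4xx),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"parsed {summary['parsed']} lines")
    for ip, path, status in summary["trace_requests"]:
        print(f"TRACE from {ip} for {path} -> {status}")
    print(f"blocked by HAProxy: {summary['blocked_by_proxy']}")
    for ip, n in sorted(summary["client_4xx"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} client errors")
```

If you do add capture request header or capture response header lines to the frontend, the braced groups appear in every line and the optional groups in LOG_RE pick them up; anything else that changes the log-format (extra fields, a different order) needs the expression adjusted to match.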
Purpose of This Configuration:
- Security: removing Max-Forwards stops clients from singling out and probing the proxy hops behind HAProxy, and X-Frame-Options: sameorigin prevents clickjacking.
- Redirection handling: the backend does not expose internal hostnames or ports in redirects.
- Logging: HTTP-specific logging for better monitoring and debugging.
This setup is typical for a reverse proxy scenario where HAProxy fronts backend services while enforcing security measures and keeping responses clean.
What we learned?
In this short article we've learned how to improve application security with a simple HAProxy load balancer: by removing Max-Forwards (the hop limit a TRACE or OPTIONS request carries), by setting X-Frame-Options to prevent clickjacking, and by rewriting the Location header so the backend does not expose the internal hostnames or ports used in redirects.
Any other meaningful protection options and hints for proxying traffic with HAProxy are most welcome in the comments section. If you know of any, help others learn by sharing.