Archive for April 1st, 2025

Protect Application servers against sql injects, redirection handling and click jacking with Haproxy load balancer

Tuesday, April 1st, 2025

 

Lets say you are a system administrator that has to manage haproxy Load Balancers for High Availability that are throwing traffic to a set of 4 Application servers and you do only do a traffic round robin load balancing seemless without modifying the sent traffic. The haproxies are used only to send the frontend traffic towards application machines and then the traffic is returned back via another set of haproxies.


As incoming requests to application frontend is crucial to be secure, i'll give in this article few options that can be turned on in haproxy to strenghten security of backend application (against "hackers" / script kiddies ).

Here is the a sample chunk of haproxy frontend backend configuration you can use in haproxy.cfg config file for the purpose.


  frontend Incoming_Frontend
           bind 10.10.150.8:80 ssl crt /etc/haproxy/certs/your-domain-cert.net_haproxy.pem ca-file /etc/haproxy/certs/CustomCompanyCA.crt verify optional
           mode http
                http-request del-header max-forwards
                http-response set-header X-Frame-Options sameorigin
                http-response replace-header Location http[s]*://[^/:]*[:]*[0-9]*(/.*) \1
              option httplog
              timeout client 600s
              log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r

             default_backend bk_Incoming_Frontend

    backend bk_Incoming_Frontend
           mode http
           balance roundrobin
           timeout server 330s
           timeout connect 4s
           server bk_AppServer_01 10.10.250.40:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
           server bk_AppServer02 10.40.251.30:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
           server bk_AppServer03 10.50.252.40:8088 weight 1 check port 8088 on-marked-down shutdown-sessions
           server bk_AppServer04 10.80.253.50:8088 weight 1 check port 8088 on-marked-down shutdown-sessions

 

The configuration variables that would improve backend security is as so:

  mode http
                http-request del-header max-forwards
                http-response set-header X-Frame-Options sameorigin
                http-response replace-header Location http[s]*://[^/:]*[:]*[0-9]*(/.*) \1
              option httplog

Above config haproxy meaning explained is as follows: 

This HAProxy configuration is set up for handling HTTP traffic with some specific request and response modifications.

Let's go through each directive:

Breakdown of the Configuration:

  1. mode http

    • This tells HAProxy to operate in HTTP mode, meaning it understands and processes HTTP-specific directives (e.g., modifying headers, logging, etc.).

  2. http-request del-header max-forwards

    • This removes the Max-Forwards header from incoming HTTP requests.

    • The Max-Forwards header is used in TRACE or OPTIONS requests to limit the number of hops a request can take.

    • Removing it may help prevent some types of request-loop abuse or simplify routing.

  3. http-response set-header X-Frame-Options sameorigin

    • This sets the X-Frame-Options header in HTTP responses to sameorigin .

    • Purpose: Prevents clickjacking attacks by ensuring that the page can only be embedded in a frame if it’s from the same origin (not by third-party sites).

      For those who don't know Clickjacking is The malicious practice of manipulating a website user's activity by concealing hyperlinks beneath legitimate clickable content, thereby causing the user to perform actions of which they are unaware. For example you click a payment button on a website from a decoy website but instead of paying to the real target site your money are sent to a malicious user's bank account..

  4. http-response replace-header Location http[s]*://[^/:]*[:]*[0-9]*(/.*) \1

    • This modifies the Location header in HTTP responses.

    • It strips out the scheme ( http:// or https:// ), domain, and port, leaving only the path.

    • Example:

      • Before: Location: https://example.com:8080/path/to/resource

      • After: Location: /path/to/resource

    • This ensures that redirects remain relative instead of absolute, which can help in reverse proxy setups.

  5. option httplog

    • Enables detailed logging for HTTP traffic.

    • Logs will include request method, URL, response status, and other useful details for debugging and monitoring.


Purpose of This Configuration:

  • Security:

    • Removing Max-Forwards helps mitigate abuse.

    • X-Frame-Options: sameorigin prevents clickjacking.

  • Redirection Handling:

    • Ensures the backend does not expose internal hostnames or ports in redirects.

  • Logging:

    • Enables HTTP-specific logging for better monitoring and debugging.

This setup is typical for a reverse proxy scenario where HAProxy is fronting backend services while enforcing security measures and keeping responses clean.

What we learned ?

In this short article, we've learned about how to imrpove application security with simple haproxy load balancer by removing Max-forwards (limitation of max hops traffic could have until reaching the destination), the X-Frame-Options that prevents clickjacking and using Redirection Handling to make sure backend does not expose internal  hostnames or ports used in redirects.

Any other meaningful protection options and hints whether proxying traffic with haproxy are mostly welcome to har about in commects section. If you know such help others learn by sharing.