Last active
May 31, 2023 05:41
-
-
Save jpawlowski/3f91ef9d0bba49eb0c58 to your computer and use it in GitHub Desktop.
Geeking out with HAproxy on pfSense: The ultimate port 443 TLS/SSL router | http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
global | |
maxconn 2000 | |
stats socket /tmp/haproxy.socket level admin | |
uid 80 | |
gid 80 | |
nbproc 1 | |
chroot /tmp/haproxy_chroot | |
daemon | |
tune.ssl.default-dh-param 2048 | |
# Modern browser compatibility only as mentioned here: | |
# https://wiki.mozilla.org/Security/Server_Side_TLS | |
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK | |
# Time-to-first-Byte (TTFB) value needs to be optimized based on | |
# the actual public certificate chain | |
# see https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/ | |
tune.ssl.maxrecord 1370 | |
listen HAProxyLocalStats | |
bind 127.0.0.1:2200 name localstats | |
mode http | |
stats enable | |
stats admin if TRUE | |
stats uri /haproxy_stats.php?haproxystats=1 | |
timeout client 5000 | |
timeout connect 5000 | |
timeout server 5000 | |
frontend HTTP_redirect | |
bind 0.0.0.0:80 name 0.0.0.0:80 | |
mode http | |
log global | |
option http-keep-alive | |
timeout client 30000 | |
default_backend _ssl-redirect_http_ipvANY | |
frontend LAN_HTTPS | |
bind 10.108.2.1:443 name 10.108.2.1:443 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/LAN_HTTPS.pem | |
mode http | |
log global | |
option http-keep-alive | |
option forwardfor | |
acl https ssl_fc | |
reqadd X-Forwarded-Proto:\ http if !https | |
reqadd X-Forwarded-Proto:\ https if https | |
timeout client 30000 | |
# Remove headers that expose security-sensitive information. | |
rspidel ^Server:.*$ | |
rspidel ^X-Powered-By:.*$ | |
rspidel ^X-AspNet-Version:.*$ | |
default_backend gwsch01_http_ipvANY | |
# add some security related headers | |
rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval' | |
rspadd X-Frame-Options:\ SAMEORIGIN | |
rspadd X-Content-Type-Options:\ nosniff | |
rspadd X-Xss-Protection:\ 1;\ mode=block | |
frontend WAN_443-merged | |
bind 178.26.150.88:443 name 178.26.150.88:443 | |
mode tcp | |
log global | |
timeout client 7200000 | |
tcp-request inspect-delay 5s | |
# block SSLv3 as early as possible | |
acl sslv3 req.ssl_ver 3 | |
tcp-request content reject if sslv3 | |
tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 } | |
acl aclusr_custom_req.ssl_hello_type_201 req.ssl_hello_type 1 | |
acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com req.ssl_sni -m end -i .ssh.example.com | |
acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com req.ssl_sni -m end -i .vpn.example.com | |
acl aclusr_custom_req.len_200 req.len 0 | |
use_backend _WAN_HTTPS_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com | |
use_backend _WAN_HTTPS_auth_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com | |
use_backend _openvpn_tcp_ipvANY if aclusr_custom_req.len_200 aclusr_custom_req.ssl_hello_type_201 | |
use_backend _WAN_SSLH_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com | |
default_backend _none_tcp_ipvANY | |
frontend WAN_HTTPS | |
bind 127.0.0.1:2043 name 127.0.0.1:2043 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS.pem accept-proxy npn http/1.1 | |
mode http | |
log global | |
option http-keep-alive | |
option forwardfor | |
acl https ssl_fc | |
reqadd X-Forwarded-Proto:\ http if !https | |
reqadd X-Forwarded-Proto:\ https if https | |
timeout client 7200000 | |
# Remove headers that expose security-sensitive information. | |
rspidel ^Server:.*$ | |
rspidel ^X-Powered-By:.*$ | |
rspidel ^X-AspNet-Version:.*$ | |
# add some security related headers | |
rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval' | |
rspadd X-Frame-Options:\ SAMEORIGIN | |
rspadd X-Content-Type-Options:\ nosniff | |
rspadd X-Xss-Protection:\ 1;\ mode=block | |
default_backend _none_http_ipvANY | |
frontend WAN_HTTPS_auth-merged | |
bind 127.0.0.1:2044 name 127.0.0.1:2044 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS_auth.pem ca-file /var/etc/haproxy/clientca_WAN_HTTPS_auth.pem verify required accept-proxy npn http/1.1 | |
mode http | |
log global | |
option http-keep-alive | |
option forwardfor | |
acl https ssl_fc | |
reqadd X-Forwarded-Proto:\ http if !https | |
reqadd X-Forwarded-Proto:\ https if https | |
timeout client 7200000 | |
# Remove headers that expose security-sensitive information. | |
rspidel ^Server:.*$ | |
rspidel ^X-Powered-By:.*$ | |
rspidel ^X-AspNet-Version:.*$ | |
# add some security related headers | |
rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval' | |
rspadd X-Frame-Options:\ SAMEORIGIN | |
rspadd X-Content-Type-Options:\ nosniff | |
rspadd X-Xss-Protection:\ 1;\ mode=block | |
acl aclusr_host_matches_gwsch01.vpn.example.com hdr(host) -i gwsch01.vpn.example.com | |
use_backend gwsch01_http_ipvANY if aclusr_host_matches_gwsch01.vpn.example.com | |
default_backend _none_http_ipvANY | |
frontend WAN_SSLH-merged | |
bind 127.0.0.1:2022 name 127.0.0.1:2022 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_SSLH.pem ca-file /var/etc/haproxy/clientca_WAN_SSLH.pem verify required accept-proxy npn ssh/2.0 | |
mode tcp | |
log global | |
timeout client 7200000 | |
acl aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com ssl_fc_sni_reg gwsch01.ssh.example.com | |
acl aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0 ssl_fc_npn -i ssh/2.0 | |
use_backend SSH_gwsch01_https_ipvANY if aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0 | |
default_backend _none_https_ipvANY | |
backend _ssl-redirect_http_ipvANY | |
mode http | |
timeout connect 30000 | |
timeout server 30000 | |
retries 3 | |
option httpchk | |
redirect scheme https code 301 | |
backend gwsch01_http_ipvANY | |
mode http | |
rspadd Strict-Transport-Security:\ max-age=31536000; | |
rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc } | |
timeout connect 3000 | |
timeout server 7200000 | |
retries 2 | |
option httpchk | |
server gwsch01 127.0.0.1:8443 ssl verify none | |
backend _none_tcp_ipvANY | |
mode tcp | |
timeout connect 30000 | |
timeout server 30000 | |
retries 3 | |
option httpchk OPTIONS / | |
server none 127.0.0.1:61235 check inter 1000 disabled | |
backend _WAN_HTTPS_tcp_ipvANY | |
mode tcp | |
timeout connect 30000 | |
timeout server 7200000 | |
retries 3 | |
option httpchk | |
server WAN_HTTPS 127.0.0.1:2043 check-ssl verify none send-proxy | |
backend _WAN_HTTPS_auth_tcp_ipvANY | |
mode tcp | |
timeout connect 30000 | |
timeout server 7200000 | |
retries 3 | |
option httpchk | |
server WAN_HTTPS_auth 127.0.0.1:2044 check-ssl verify none send-proxy | |
backend _openvpn_tcp_ipvANY | |
mode tcp | |
timeout connect 3000 | |
timeout server 7200000 | |
retries 2 | |
option httpchk | |
server openvpn1 127.0.0.1:1194 | |
backend _WAN_SSLH_tcp_ipvANY | |
mode tcp | |
timeout connect 30000 | |
timeout server 7200000 | |
retries 3 | |
option httpchk | |
server WAN_SSLH 127.0.0.1:2022 check-ssl verify none send-proxy | |
backend _none_http_ipvANY | |
mode http | |
timeout connect 30000 | |
timeout server 30000 | |
retries 3 | |
option httpchk OPTIONS / | |
server none 127.0.0.1:61235 check inter 1000 disabled | |
backend _none_https_ipvANY | |
mode tcp | |
timeout connect 30000 | |
timeout server 30000 | |
retries 3 | |
option httpchk OPTIONS / | |
server none 127.0.0.1:61235 check inter 1000 disabled | |
backend SSH_gwsch01_https_ipvANY | |
mode tcp | |
timeout connect 3000 | |
timeout server 7200000 | |
retries 2 | |
option httpchk | |
server ssh_gwsch01 127.0.0.1:22 |
Nope, I no longer use pfSense nor HAproxy here, sorry
No worries. Thanks for answer!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Any intendations to update these to newer pfSense/HAProxy? Many things are changed since these configs. Screenshots from pfSense UI would be also super helpful to easier understand what goes where. Thanks in advance!
I have problems to get SSH proxy to work. Can't get even healthy backend.