Skip to content

Instantly share code, notes, and snippets.

@jpawlowski
Last active May 31, 2023 05:41
Show Gist options
  • Save jpawlowski/3f91ef9d0bba49eb0c58 to your computer and use it in GitHub Desktop.
Save jpawlowski/3f91ef9d0bba49eb0c58 to your computer and use it in GitHub Desktop.
Geeking out with HAproxy on pfSense: The ultimate port 443 TLS/SSL router | http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
global
maxconn 2000
stats socket /tmp/haproxy.socket level admin
uid 80
gid 80
nbproc 1
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
# Modern browser compatibility only as mentioned here:
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Time-to-first-Byte (TTFB) value needs to be optimized based on
# the actual public certificate chain
# see https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
tune.ssl.maxrecord 1370
listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats uri /haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000
frontend HTTP_redirect
bind 0.0.0.0:80 name 0.0.0.0:80
mode http
log global
option http-keep-alive
timeout client 30000
default_backend _ssl-redirect_http_ipvANY
frontend LAN_HTTPS
bind 10.108.2.1:443 name 10.108.2.1:443 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/LAN_HTTPS.pem
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
reqadd X-Forwarded-Proto:\ http if !https
reqadd X-Forwarded-Proto:\ https if https
timeout client 30000
# Remove headers that expose security-sensitive information.
rspidel ^Server:.*$
rspidel ^X-Powered-By:.*$
rspidel ^X-AspNet-Version:.*$
default_backend gwsch01_http_ipvANY
# add some security related headers
rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
rspadd X-Frame-Options:\ SAMEORIGIN
rspadd X-Content-Type-Options:\ nosniff
rspadd X-Xss-Protection:\ 1;\ mode=block
frontend WAN_443-merged
bind 178.26.150.88:443 name 178.26.150.88:443
mode tcp
log global
timeout client 7200000
tcp-request inspect-delay 5s
# block SSLv3 as early as possible
acl sslv3 req.ssl_ver 3
tcp-request content reject if sslv3
tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
acl aclusr_custom_req.ssl_hello_type_201 req.ssl_hello_type 1
acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com req.ssl_sni -m end -i .ssh.example.com
acl aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com req.ssl_sni -m end -i .vpn.example.com
acl aclusr_custom_req.len_200 req.len 0
use_backend _WAN_HTTPS_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com !aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com
use_backend _WAN_HTTPS_auth_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.vpn.example.com
use_backend _openvpn_tcp_ipvANY if aclusr_custom_req.len_200 aclusr_custom_req.ssl_hello_type_201
use_backend _WAN_SSLH_tcp_ipvANY if aclusr_custom_req.ssl_hello_type_201 aclusr_custom_req.ssl_sni_20-m_20end_20-i_20.ssh.example.com
default_backend _none_tcp_ipvANY
frontend WAN_HTTPS
bind 127.0.0.1:2043 name 127.0.0.1:2043 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS.pem accept-proxy npn http/1.1
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
reqadd X-Forwarded-Proto:\ http if !https
reqadd X-Forwarded-Proto:\ https if https
timeout client 7200000
# Remove headers that expose security-sensitive information.
rspidel ^Server:.*$
rspidel ^X-Powered-By:.*$
rspidel ^X-AspNet-Version:.*$
# add some security related headers
rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
rspadd X-Frame-Options:\ SAMEORIGIN
rspadd X-Content-Type-Options:\ nosniff
rspadd X-Xss-Protection:\ 1;\ mode=block
default_backend _none_http_ipvANY
frontend WAN_HTTPS_auth-merged
bind 127.0.0.1:2044 name 127.0.0.1:2044 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_HTTPS_auth.pem ca-file /var/etc/haproxy/clientca_WAN_HTTPS_auth.pem verify required accept-proxy npn http/1.1
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
reqadd X-Forwarded-Proto:\ http if !https
reqadd X-Forwarded-Proto:\ https if https
timeout client 7200000
# Remove headers that expose security-sensitive information.
rspidel ^Server:.*$
rspidel ^X-Powered-By:.*$
rspidel ^X-AspNet-Version:.*$
# add some security related headers
rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
rspadd X-Frame-Options:\ SAMEORIGIN
rspadd X-Content-Type-Options:\ nosniff
rspadd X-Xss-Protection:\ 1;\ mode=block
acl aclusr_host_matches_gwsch01.vpn.example.com hdr(host) -i gwsch01.vpn.example.com
use_backend gwsch01_http_ipvANY if aclusr_host_matches_gwsch01.vpn.example.com
default_backend _none_http_ipvANY
frontend WAN_SSLH-merged
bind 127.0.0.1:2022 name 127.0.0.1:2022 ssl no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11 crt /var/etc/haproxy/WAN_SSLH.pem ca-file /var/etc/haproxy/clientca_WAN_SSLH.pem verify required accept-proxy npn ssh/2.0
mode tcp
log global
timeout client 7200000
acl aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com ssl_fc_sni_reg gwsch01.ssh.example.com
acl aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0 ssl_fc_npn -i ssh/2.0
use_backend SSH_gwsch01_https_ipvANY if aclusr_custom_ssl_fc_sni_reg_20gwsch01.ssh.example.com aclusr_custom_ssl_fc_npn_20-i_20ssh_2f2.0
default_backend _none_https_ipvANY
backend _ssl-redirect_http_ipvANY
mode http
timeout connect 30000
timeout server 30000
retries 3
option httpchk
redirect scheme https code 301
backend gwsch01_http_ipvANY
mode http
rspadd Strict-Transport-Security:\ max-age=31536000;
rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
timeout connect 3000
timeout server 7200000
retries 2
option httpchk
server gwsch01 127.0.0.1:8443 ssl verify none
backend _none_tcp_ipvANY
mode tcp
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server none 127.0.0.1:61235 check inter 1000 disabled
backend _WAN_HTTPS_tcp_ipvANY
mode tcp
timeout connect 30000
timeout server 7200000
retries 3
option httpchk
server WAN_HTTPS 127.0.0.1:2043 check-ssl verify none send-proxy
backend _WAN_HTTPS_auth_tcp_ipvANY
mode tcp
timeout connect 30000
timeout server 7200000
retries 3
option httpchk
server WAN_HTTPS_auth 127.0.0.1:2044 check-ssl verify none send-proxy
backend _openvpn_tcp_ipvANY
mode tcp
timeout connect 3000
timeout server 7200000
retries 2
option httpchk
server openvpn1 127.0.0.1:1194
backend _WAN_SSLH_tcp_ipvANY
mode tcp
timeout connect 30000
timeout server 7200000
retries 3
option httpchk
server WAN_SSLH 127.0.0.1:2022 check-ssl verify none send-proxy
backend _none_http_ipvANY
mode http
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server none 127.0.0.1:61235 check inter 1000 disabled
backend _none_https_ipvANY
mode tcp
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server none 127.0.0.1:61235 check inter 1000 disabled
backend SSH_gwsch01_https_ipvANY
mode tcp
timeout connect 3000
timeout server 7200000
retries 2
option httpchk
server ssh_gwsch01 127.0.0.1:22
@Knud3
Copy link

Knud3 commented Mar 3, 2023

Any intendations to update these to newer pfSense/HAProxy? Many things are changed since these configs. Screenshots from pfSense UI would be also super helpful to easier understand what goes where. Thanks in advance!

I have problems to get SSH proxy to work. Can't get even healthy backend.

@jpawlowski
Copy link
Author

Nope, I no longer use pfSense nor HAproxy here, sorry

@Knud3
Copy link

Knud3 commented Mar 3, 2023

No worries. Thanks for answer!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment