HAProxy WAF Redundancy ACL
-
I am wondering if anyone can provide insight as to how to configure HAProxy ACLs for failover for redundancy. I configured HAProxy as an RP that sends all https requests to a standalone apache WAF using mod security + OWASP_CRS/3.0.0 + proxypass. I'm new to webservers, and wanted a solution in front of it for security. It was an interesting build and can provide details if anyone is interested. I wanted a standalone WAF to handle all traffic for multiple webservers and future webservers.
I am curious if there is a way I can write a few ACL rules that detect the Health Check for a failed WAF and can then switch over routing directly to the webservers. I know this evades security, but the websites are accessible until I can fix the WAF.
My configuration is as follows:

Gateway/FW/HAProxy - WAF - HAProxy - Webservers

Frontend: SharedFrontend
    WAN 443, SSL Offloading
    http/https (offloading)
    ACLs:
        ACL1  Host matches: hostname.domain1.tld
        ACL2  Host matches: hostname.domain2.tld
    Actions:
        Use Backend: WAF_ft if ACL1
        Use Backend: WAF_ft if ACL2
    Use Forwardfor option
    httpclose: http-keep-alive
    Certificate: LetsEncrypt Cert

Backend: WAF_ft
    active, name, <waf ip> 8080, No SSL
    Balance: None
    Health Check: Basic, 5000 ms

Traffic deemed safe by the WAF is returned to the RP:

Frontend: WAF_SAFE
    Listen: LAN## Address 8080, NO SSL Offloading
    http/https (offloading)
    ACL:
        safe_traffic  Source IP matches: <waf ip>
    Actions:
        Use Backend: webserver1 if safe_traffic
    Use Forwardfor option
    httpclose: http-keep-alive

Backend: webserver1
    active, name, <webserver ip> 80, No SSL
    Balance: None
    Health Check: Basic, 5000 ms

FW ACL VLAN##
    Allow IPv4 TCP/UDP
    Source: WAF-Source-IP
    Dest: LAN## Address, Port 8080

I used this blog post as guidance, but it's a bit dated and isn't using the pfSense UI, so I'm not sure how to implement the concepts in the pfSense UI.
http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/
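For reference, here is the raw haproxy.cfg equivalent of the two-frontend layout described in the post, with the fail-open rule the poster is asking about. It is an added example, not the poster's configuration and not the file the pfSense HAProxy package generates; the key technique is the `nbsrv()` ACL from the linked blog post, which counts the servers in a backend that are currently passing their health check. The addresses (10.0.0.10 for the WAF, 10.0.0.20 for the web server, 10.0.1.1 for the LAN VLAN address), the certificate path, the `/healthz` check path and the `X-WAF-Bypass` header name are all assumptions for the example:

```haproxy
# Added example: raw haproxy.cfg equivalent of the setup described above, with
# a fail-open rule that bypasses the WAF only while its health check is failing.
# Not the poster's configuration or the pfSense package's generated file.
# Assumed values: 10.0.0.10 = WAF, 10.0.0.20 = web server, 10.0.1.1 = LAN VLAN
# address, /etc/haproxy/certs/letsencrypt.pem = certificate, /healthz = a path
# the WAF's ProxyPass forwards to the web server.

global
    log /dev/log local0

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor
    option  http-keep-alive
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend SharedFrontend
    bind *:443 ssl crt /etc/haproxy/certs/letsencrypt.pem

    acl host_domain1 req.hdr(host) -i hostname.domain1.tld
    acl host_domain2 req.hdr(host) -i hostname.domain2.tld

    # nbsrv() returns the number of servers in the backend currently passing
    # their health check; zero means every WAF server is marked DOWN.
    acl waf_down nbsrv(WAF_ft) eq 0

    # Tag each request so the web server's logs show which hits were never
    # inspected; the header name and the yes/no values are constructed.
    http-request set-header X-WAF-Bypass yes if waf_down
    http-request set-header X-WAF-Bypass no  if !waf_down

    # Ordering matters: the first matching use_backend wins, so the bypass
    # rule for a host must come before the normal WAF rule for that host.
    use_backend webserver1 if waf_down host_domain1
    use_backend webserver1 if waf_down host_domain2
    use_backend WAF_ft     if host_domain1
    use_backend WAF_ft     if host_domain2

backend WAF_ft
    # Check a path that actually traverses mod_security and ProxyPass, so an
    # Apache that still answers TCP but no longer proxies is also marked DOWN.
    option httpchk GET /healthz
    http-check expect status 200
    server waf1 10.0.0.10:8080 check inter 5000 fall 3 rise 2

# Traffic the WAF has inspected comes back to HAProxy here on port 8080.
frontend WAF_SAFE
    bind 10.0.1.1:8080

    acl safe_traffic src 10.0.0.10
    # Anything not originating from the WAF address is refused outright
    # instead of falling through to the web server.
    http-request deny if !safe_traffic
    use_backend webserver1 if safe_traffic

backend webserver1
    option httpchk GET /
    http-check expect status 200
    server web1 10.0.0.20:80 check inter 5000 fall 3 rise 2
```

Two points worth checking when translating this into the UI. First, a "Basic" (TCP connect) health check only tells you Apache is listening; `nbsrv()` counts servers passing whatever check is configured, so the check needs to be an HTTP check against a path that really goes through the WAF, otherwise a broken ProxyPass or a mod_security failure leaves the WAF marked UP and no failover happens. Second, this is a deliberate fail-open design: HAProxy logs a "Server WAF_ft/waf1 is DOWN" line on the transition, and the `X-WAF-Bypass` header lets you pick out from the web server's logs exactly which requests arrived uninspected, so both are worth alerting on or reviewing once the WAF is repaired.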