Netgate Discussion Forum
    HAProxy WAF Redundancy ACL
    remis4:

      I am wondering if anyone can provide insight as to how to configure HAProxy ACLs for failover for redundancy. I configured HAProxy as a RP that sends all HTTPS requests to a standalone Apache WAF using ModSecurity + OWASP_CRS/3.0.0 + ProxyPass. I'm new to webservers, and wanted a solution in front of it for security. It was an interesting build and I can provide details if anyone is interested. I wanted a standalone WAF to handle all traffic for multiple webservers and future webservers.

      I am curious if there is a way I can write a few ACL rules that detect the Health Check for a failed WAF and can then switch over routing directly to the webservers. I know this evades security, but the websites are accessible until I can fix the WAF.

      My configuration is as follows:

      Gateway/FW/HAProxy - WAF - HAProxy - Webservers

      Frontend: SharedFrontend
      WAN 443 SSL Offloading
      http/https (offloading)
      ACLs
      • ACL1 Host matches: hostname.domain1.tld
      • ACL2 Host matches: hostname.domain2.tld
      ACT
      • Use Backend: WAF_ft ACL1
      • Use Backend: WAF_ft ACL2

      Use Forwardfor option
      httpclose: http-keep-alive

      Certificate: LetsEncrypt Cert

      Backend: WAF_ft
      active, name, <waf ip>:8080 No SSL
      Balance: None
      Health Check: Basic, 5000 ms

      traffic deemed safe by WAF, returned to RP

      Frontend: WAF_SAFE
      Listen: LAN## Address 8080 NO SSL Offloading
      http/https (offloading)
      ACL
      • safe_traffic Source IP matches: <waf ip>
      ACT
      • Use Backend: webserver1 safe_traffic
      Use Forwardfor option
      httpclose: http-keep-alive

      Backend: webserver1
      active, name, <webserver ip>:80 No SSL
      Balance: None
      Health Check: Basic, 5000 ms

      FW ACL VLAN##
      Allow IPv4 TCP/UDP
      Source: WAF-Source-IP
      Dest: LAN## Address Port 8080

      I used this blog post as guidance, but it's a bit dated and isn't using the pfSense UI, so I'm not sure how to implement the concepts in the pfSense UI.

      http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/

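The failover the post asks about can be expressed in plain HAProxy configuration with the `nbsrv()` fetch, which counts the servers in a backend that currently pass their health check. The block below is an added example written for this thread, not configuration from the post or from the linked blog; the backend names follow the post, while the addresses, certificate path and the extra `webserver1_direct` backend are assumed placeholders. In the pfSense HAProxy package these lines correspond to custom ACL / advanced pass-thru settings on the frontend (exact field names vary by package version).

```haproxy
# Added example: route through the WAF while it is healthy, fall back to the
# webserver only when every server in WAF_ft has failed its health check.
# Addresses below are constructed placeholders.

frontend SharedFrontend
    bind 0.0.0.0:443 ssl crt /path/to/letsencrypt.pem   # SSL offloading, as in the post
    mode http
    option forwardfor
    option http-keep-alive

    # Host-based ACLs from the post
    acl ACL1 hdr(host) -i hostname.domain1.tld
    acl ACL2 hdr(host) -i hostname.domain2.tld

    # True only when zero servers in WAF_ft pass their health check
    acl waf_down nbsrv(WAF_ft) eq 0

    # Mark bypassed requests so the webserver logs can be audited later
    http-request set-header X-WAF-Bypass 1 if waf_down

    # Normal path through the WAF; direct path only while the WAF is down
    use_backend WAF_ft if ACL1 !waf_down
    use_backend WAF_ft if ACL2 !waf_down
    use_backend webserver1_direct if ACL1 waf_down
    use_backend webserver1_direct if ACL2 waf_down

backend WAF_ft
    mode http
    option httpchk GET /
    # 5000 ms interval as in the post; fall/rise avoid flapping on one lost probe
    server waf 192.0.2.10:8080 check inter 5000 fall 3 rise 2

# Inspected traffic comes back from the WAF on port 8080
frontend WAF_SAFE
    bind 192.0.2.1:8080
    mode http
    acl safe_traffic src 192.0.2.10
    use_backend webserver1 if safe_traffic
    # Anything on this port that is not from the WAF is refused, not forwarded
    http-request deny if !safe_traffic

backend webserver1
    mode http
    server web1 192.0.2.20:80 check inter 5000

# Same server, reached without WAF inspection; a separate backend keeps
# the bypass visible in HAProxy stats and logs
backend webserver1_direct
    mode http
    server web1 192.0.2.20:80 check inter 5000
```

Because `nbsrv()` only drops to 0 after the WAF server has failed `fall` consecutive checks, the switch-over lags the outage by roughly `inter * fall`; watching the `X-WAF-Bypass` header or the `webserver1_direct` counters in the stats page shows how long the bypass was active.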