Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    help setting the Public Key Pinning in HAProxy

    Scheduled Pinned Locked Moved Cache/Proxy
    13 Posts 2 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      Tell you what - let me move my site to 443 so I can test it.. And we can work through this together. I currently have on my to do list to work out how to use haproxy to allow me to run openvpn on 443 while also doing sites behind on 443... I currently have it setup on 8443 and openvpn on 443 so I can hit it from work off a proxy.

      Your post will just accelerate my timeline ;) is all.. Was planning on playing with this this weekend. But since I am home an don't need access to openvpn... I can just move to 443 without the need to share..

      Will play with this tmrw and let you know what the test shows ;)

      edit: ok I just disabled my openvpn server on 443 and setup a frontend using the same cert to send to my backend and tested... I would think out of the box just clicking go a B is pretty good.

      0_1549679601983_ssltest.png

      Lets see your results.. I will play with this a bit and see if can get to an A without much issue - I had saw where I could easy restrict to tls 1.2, etc. etc.. But since I lock this down to only my friends an family to access ombi to request stuff for my plex I wasn't too worry about it, etc.. But his is good excuse to set it up with better settings ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Ok that took all of a couple of minutes

        0_1549680614399_arating.png

        Quick google for hardening ha proxy.. Quick copy paste in the global settings. And now A rating.

        ssl-default-bind-options no-sslv3 no-tls-tickets
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        

        So post up what your concerned about in your report and we can discuss.

        I will for sure look into it deeper, but that was a quick jump from B to A with simple copy paste ;)

        edit: Will have to play with this weekend.. 100 across the board would be the goal ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          Ok played with it a bit more and up to A+ with some minor tweaks, enabled CAA in my dns record, turned on HSTS

          0_1549720294735_aplus.png

          So your worried about the pinning - to be honest not sure that really took off much... But as I finish my coffee before my walk let me see if can get that going.

          edit:
          I would just go here and it will pull your hashes for you
          https://report-uri.com/home/pkp_hash

          edit: Yeah I don't suggest you do pinning from everything I have been reading.. It seems to be a serious problem if you dick it up ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 1
          • L
            luisenrique
            last edited by

            @johnpoz said in help setting the Public Key Pinning in HAProxy:

            ah I don't suggest you do pinning from everything I have been reading.. It seems to be a serious problem if you dick it up ;)

            hi @johnpoz thanks for response.. and sorri... I have been outside the coverage area.
            i wiil chek my config to set my hashes according to the link has u send, and let you know if it work for me
            So every time the certificate changes or is renewed thats hashes most be updated ton the hashes??
            thanks

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              Dude my point is there is no point to doing pinning at all.. And if you dick it going forward when you have to renew your certs, etc.

              I don't see how its worth the hassle at all.. Why do you want or think you need to pin?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              L 1 Reply Last reply Reply Quote 1
              • L
                luisenrique
                last edited by

                @johnpoz said in help setting the Public Key Pinning in HAProxy:

                be honest not sure that really took off much... But as I finish my coffee before my walk let me see if can get that going.
                edit:

                i tested rigth now, but the report say to me me pinin are inclomplete.. son comented entry line and report again and have an A+!
                i wass generated the ssl config here: https://mozilla.github.io/server-side-tls/ssl-config-generator/ for moderns browser.
                i will going to read more about public key pinnin thanks

                1 Reply Last reply Reply Quote 0
                • L
                  luisenrique @johnpoz
                  last edited by

                  @johnpoz I'm not sure, I have my doubts, I should read and investigate more about pinning

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    Yup I completely agree - it took me about 5 minutes of reading to know not something that should be doing ;)

                    Especially with a cert that expires every 90 freaking days ;) Chrome doesn't even support it anymore.. Like back in end of 2017..
                    Did you read the link they send you to for info on it, on their own site they say its dead ;)
                    https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

                    edit: BTW a few other tweaks, and now 100 across the board.. I removed the 128s from what moz suggest as ciphers, this gets you to 100 on ciphers.. And if your use 4096 or higher AND you set ecdhe secp384r1

                    So in my advanced I have set
                    alpn h2 ecdhe secp384r1

                    You should get A+ with 100 across
                    0_1549970462683_tweakssl.png

                    With no need to PIN ;)

                    And once openssl 1.1.1 comes down the pipe to pfsense we should be able to do TLS 1.3 ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    L 1 Reply Last reply Reply Quote 1
                    • L
                      luisenrique @johnpoz
                      last edited by

                      @johnpoz said in help setting the Public Key Pinning in HAProxy:

                      alpn h2 ecdhe secp384r1

                      thanks for the clarification, and the links has helped me a lot to learn more about the subject. I agree and now I have an A+ too! thanks again

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        We both learned a bit ;) Thanks for the questions, it got me playing with HA proxy and ACME.. I had not had a reason to use them until you brought up the question(s)

                        After that I had no excuse not to use them and fired up a shared port for my openvpn that listens on 443 and then hands off to ha proxy so I can use https with my ombi plex request system via https ;)

                        Win Win all around I would say!

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.