HAProxy SSL setup plus filtering URLs

martin.riess · Mar 23, 2021, 9:24 PM

Hello.

I am new to HAProxy and would like to set up HAProxy to proxy multiple SSL sites that are on servers inside the LAN.
I am unsure about which mode/type to use, HAProxy has 2 modes, pfsense GUI offers 3 types.

To make things interesting, it is important that I only allow access to certain urls of each server.

So far I managed to set up the proxy using ssl type and was able to access the backend server.
BUT (of course) I can't filter by URL then, as HAProxy can only see the SNI and nothing else.

Any suggestions how to properly handle this situation? Is the only solution to block the traffic on the SSL server where the pages reside? (Ending SSL at the HAProxy and continuing plain http is not an option, because of security considerations.)

I'd be glad for some input and help.
Thanks in advance.
M

PiBa · Mar 25, 2021, 10:38 PM

@martin-riess
Without decrypting the traffic it is impossible to filter specific url paths..

Maybe to resolve the secyrity consideration you could re-encrypt the traffic leaving haproxy when it is send to the webservers? There is a ssl checkbox on the server configuration that does that.. Make sure to also configure the ca cert to use for verification then..

Other than that, indeed the servers would need to filter blocked pages themselves.

martin.riess · Mar 26, 2021, 10:34 AM

@piba
Okay, thank you for confirming. I will go with decoding and encoding the traffic. Blocking the traffic at the first possible stop and having one central place for the configuration seems the better option (for me).