Netgate Discussion Forum
Need help with configuring HA Proxy to deny access to a login page behind the firewall

  • PF4PFS, Oct 9, 2023, 6:39 PM (last edited Oct 9, 2023, 6:41 PM):

    Hi all
    I am a beginner-level HAProxy user and I am trying to use HAProxy to deny access from outside to an inside web page.
    I am sharing photos with my family using an internal server.
    The pictures are at http://192.168.111.139:8080/sharing_poto_folder/albumname
    This is published using PAT via pfSense's WAN IP.
    pfSense itself is behind an ISP firewall which also forwards port 8080, so it is like this:

    Client ◄ -------► ISP FW (fwds 8080 to PFSense) ◄-------►PFSense(fwds 8080 to photo archive) ◄-----►Photoarchive (8080 WEB Server)

    If the user/hacker tries to use http://ISP_public_ip:8080/ the request is sent all the way to Photoarchive, which redirects to http://ISP_public_ip:8080/cgi-bin/ which is a login screen.
    As per the Wireshark logs I can see at some point it is asking for a page called login.html.
    I do not want potential users/hackers to have access to that at all.
    They should be able to access just
    http://public_ip:8080/sharing_poto_folder/albumname
    but the sharing_photo_folder and the album name are variable.

    I have tried all sorts of combinations and nothing works.
    Before asking any specifics I would like to confirm if my understanding of the way HAProxy works is correct.

    In the Frontend tab, the proxy is configured to listen/work on one or more IP addresses and ports (WAN IP:8080 in my case).
    Then a HAProxy type is selected (http/https offloading in my case - the connection is not secure, just http).
    One or more ACLs can be defined and then these are associated with Actions.
    If none of the above ACLs matches, the traffic will hit the default Backend.

    The Backend tab allows you to define pools of servers (just one server in my case).
    More specific ACLs/Actions can be defined per server if needed, but I am not using that.
    Check conditions can be defined for each server to see if it is alive.

    Now in my case the above translates to these, and absolutely nothing happens:
    [screenshot not preserved]
    Stats page looks like this:
    [screenshot not preserved]
    The syslog page is pristine - nothing (not even health checks) shows up other than the reboot-caused messages.

    Config file looks like this:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2023-10-09 14:31
    global
    	maxconn			10000
    	log			192.168.111.139	local7	debug
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	uid			80
    	gid			80
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	log-send-hostname		HAProxy
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats refresh 5
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Archive
    	bind			10.0.10.197:8080 name 10.0.10.197:8080   
    	mode			http
    	log			global
    	option			log-separate-errors
    	option			httplog
    	option			http-keep-alive
    	timeout client		30000
    	acl			BlockAnythingElse	var(txn.txnpath) -m sub -i qumagie
    	acl			Photos	var(txn.txnpath) -m sub -i qumagies
    	http-request set-var(txn.txnpath) path
    	http-request deny deny_status 403  if  !BlockAnythingElse 
    	use_backend Archive_ipvANY  if  Photos 
    
    backend Archive_ipvANY
    	mode			http
    	id			100
    	log			global
    	option			log-health-checks
    	http-check		send meth GET
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	load-server-state-from-file	global
    	option			httpchk
    	server			Archive 192.168.111.139:8080 id 101 check inter 2000
    

    What am I missing?

    • viragomann @PF4PFS, Oct 11, 2023, 9:00 PM:

      @PF4PFS
      Yes, HAProxy works this way.

      What exactly is the ACL value "qumagie"? Is this really a part of the path to the photos folder?
      And you want to prohibit any other path?

      absolutely nothing happens

      "Nothing" means really nothing? Timeout?

      Are you able to access the backend server if you simply forward the traffic?

      If yes, remove the actions and state the default backend for testing if it's generally working when the traffic is passed through HAProxy.

      • PF4PFS @viragomann, Oct 12, 2023, 2:48 AM (last edited Oct 12, 2023, 2:52 AM):

        @viragomann
        Yes, qumagie is in the path and any request to access any other URL that does not contain qumagie should be denied.

        By that I meant nothing from the HAProxy perspective. It is like it is not there. The syslog server is clean, nothing there I could use to troubleshoot, and I can reach the server from outside without any issue.

        • viragomann @PF4PFS, Oct 12, 2023, 3:09 PM:

          @PF4PFS said in Need help with configuring HA Proxy to deny access to a login page behind the firewall:

          I can reach the server from outside without any issue

          You can reach your photo archive from outside? So possibly you still have a NAT port forwarding rule in place. This would bypass HAProxy.

          Yes, qumagie is in the path and any request to access any other URL that does not contain qumagie should be denied

          So currently it blocks any request which includes "qumagie" in its path and then forwards any of the rest which includes "qumagies". I guess there are not really many requests left for the latter action to be passed. So maybe you want to change the actions' order.
          Also possibly there is a typo in the latter one, since it differs from the other.

          Anyway, it's not clear to me from the rules what you intend to block and what to pass.

          If you just want to pass only requests with "qumagie" within the path, the deny rule is only necessary if you have set a default gateway.

          • PF4PFS @viragomann, Oct 12, 2023, 3:27 PM:

            @viragomann
            All the guides I read seemed to suggest that you first need to open the port 8080 (needed for this) ... so that is taken care of by port forwarding and it is working.
            After that you need to configure HAProxy to look into the packets and intercept anything that does not have "qumagie" in the URL and deny it.
            If qumagie is present in the URL (aka path) then forward that request to the backend.

            The alternative would be a one-liner to block anything that goes to the login page, but that did not work either.

            So to recap:
            - you are saying that it is either port forwarding or HAProxy, and not both
            - I hope it is not clear what the rules are trying to do

            • viragomann @PF4PFS, Oct 12, 2023, 3:45 PM:

              @PF4PFS
              As mentioned, if you have a port forwarding rule in place redirecting port 8080 to the backend server, HAProxy never sees this traffic.

              Note that the HAProxy actions are processed from the top to the bottom. So if you deny a certain request it cannot be passed anymore, for comprehensible reasons.

              The alternative would be a one-liner to block anything that goes to the login page, but that did not work either

              In conjunction with a default backend.

              • PF4PFS @viragomann, Oct 12, 2023, 3:54 PM:

                @viragomann ok, I will try to disable the port forwarding.
                The first rule has a NOT there (if it does not contain qumagie, deny the connection).
                The second says if it contains qumagie then let it pass, send it to the backend.

                • viragomann @PF4PFS, Oct 12, 2023, 3:57 PM:

                  @PF4PFS said in Need help with configuring HA Proxy to deny access to a login page behind the firewall:

                  the first rule has a NOT there (if it does not contain qumagie, deny the connection)
                  the second says if it contains qumagie then let it pass, send it to the backend

                  So well, I didn't consider the negation. Then it would pass the traffic naturally.

                  • PF4PFS @viragomann, Oct 12, 2023, 6:14 PM:

                    @viragomann
                    Finally making some progress:
                    - I disabled port forwarding
                    - I also had a NAT 1:1 in place, damn ...

                    I am now getting access denied for the non-qumagie URLs and a blank page for the qumagie things, so I now have something that I can troubleshoot.
                    Thanks a lot for the directions.

                    What do I have to do to have logs for HAProxy under Status / Package Logs / haproxy?
                    I am only seeing this:

                    Last 1 haproxy Log Entries. (Maximum 500)
                    Log file started.

                    • viragomann @PF4PFS, Oct 12, 2023, 6:23 PM:

                      @PF4PFS
                      Enter a path to a log file (/var/run/log) at "Remote syslog host" in the HAProxy general settings.

                      As mentioned above, I would remove all actions and only state a default backend for investigation, to see if the site basically works through HAProxy.
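An HAProxy frontend that implements what this thread converges on (rules evaluated top to bottom, the /cgi-bin/ login page refused explicitly, only album paths passed, and a default backend so that no request matches nothing). This is an added example, not a config posted in the thread or generated by pfSense; it keeps the thread's bind address and backend name, but the ACL names and the choice of path_beg/path_sub are my own, and it assumes the port forward and the 1:1 NAT for port 8080 have been removed so traffic actually reaches HAProxy.

```haproxy
frontend Archive
	bind			10.0.10.197:8080 name archive_http
	mode			http
	log			global
	option			httplog
	timeout client		30000

	# Constructed ACLs (names are mine, not from the generated config).
	# login_page: the redirect target the archive sends unknown visitors to.
	# photo_path: any request whose path contains the archive's folder token.
	acl login_page	path_beg -i /cgi-bin
	acl photo_path	path_sub -i qumagie

	# Actions run top to bottom and the first deny wins, so the login page
	# is refused even if its path would also match photo_path (e.g. a
	# request for /cgi-bin/qumagie would otherwise slip through).
	http-request deny deny_status 403 if login_page
	# Everything that is not an album path is refused next.
	http-request deny deny_status 403 if !photo_path

	# Whatever survives the deny rules is an album request; send it on.
	# With a default_backend there is no request that matches no rule and
	# silently fails. For the troubleshooting step suggested above, comment
	# out both deny lines and the site should work unfiltered through HAProxy.
	default_backend Archive_ipvANY

backend Archive_ipvANY
	mode			http
	option			httpchk
	http-check		send meth GET uri /
	server			Archive 192.168.111.139:8080 check inter 2000
```

Substring matching on the path is coarse: if the archive exposes its login form under any path other than /cgi-bin, add that prefix to login_page, otherwise it remains reachable. Denied requests show up as 403 in the HAProxy log once the syslog target from the post above is set.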

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.