In this post, we will go through several methods of securing an HAProxy setup, as we previously did for NGINX. We will discuss Access Control Lists (ACLs), rate limiting, restricting traffic to Cloudflare's networks, monitoring the HAProxy log with Fail2Ban, and timeouts.

1. Access Control Lists (ACLs)

HAProxy uses ACLs to test a condition and perform an action based on the result. Here is an example that allows a single IP address:

frontend http_front
  bind *:80
  # src is the peer address of the TCP connection: the client itself, or whatever proxy sits in front of HAProxy
  acl allowed_ip src 192.168.1.100
  http-request allow if allowed_ip
  http-request deny if !allowed_ip

In the example above, HAProxy accepts requests only from 192.168.1.100 and answers every other client with 403 Forbidden. http-request rules are evaluated in order and allow stops evaluation of the remaining rules, so the deny line is only reached by clients that did not match; the same policy can be written as a single rule with "unless allowed_ip". Note that src is the address HAProxy sees on the TCP connection: behind a load balancer or CDN it is that device's address, not the visitor's.

2. Rate Limiting

Rate limiting can be achieved in HAProxy with stick tables, which hold per-client counters. Here is an example:

frontend http_front
  bind *:80
  # one entry per client address, removed 10s after its last update
  stick-table type ip size 200k expire 10s store http_req_rate(10s)
  # count every HTTP request against the client's entry (counter slot 0)
  http-request track-sc0 src
  # answer 429 Too Many Requests once more than 10 requests were seen in the last 10 seconds
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }

In this example, each client IP is limited to 10 HTTP requests per 10 seconds; the request that pushes the rate above 10 is rejected with a 429 (deny_status needs HAProxy 1.8 or later; without it the response is a 403). The tracking and the check are done at the http-request level rather than with tcp-request connection on purpose: a connection-level rule is only evaluated when a new TCP connection is accepted, so a client that keeps a single keep-alive connection open would never be refused. Size the table for the number of distinct clients you expect, because HAProxy evicts the oldest entries once it is full.
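To see what the "gt 10" check actually compares, here is an added example (my own Python model, not HAProxy source code) of how a stick-table entry storing http_req_rate(10s) computes its value: HAProxy keeps a request count for the current period and one for the previous period, and reports the current count plus the fraction of the previous count that still overlaps a sliding 10-second window. The model also mirrors "track, then deny", so the request that crosses the limit is itself refused. It leaves out HAProxy's low-rate smoothing and the table's expire handling, and the traffic it feeds in is constructed.

```python
"""Model of how an HAProxy stick table computes http_req_rate(<period>).

Added example, not HAProxy source code. Each entry keeps a request count for
the current period and one for the previous period; the reported rate is the
current count plus the share of the previous count that still overlaps a
sliding window of one period. HAProxy's low-rate smoothing (applied when the
current count is zero) and the table's expire handling are left out.
"""


class FreqCtr:
    """One per-client frequency counter, as stored in a stick-table entry."""

    def __init__(self, period_ms):
        self.period = period_ms
        self.tick = None   # start of the current period; None until the first request
        self.curr = 0      # requests counted in the current period
        self.prev = 0      # requests counted in the previous period

    def update(self, now_ms, inc=1):
        """Count a request at now_ms, rotating the periods if needed."""
        if self.tick is None:
            self.tick = now_ms
        if now_ms - self.tick >= self.period:
            self.tick += self.period
            if now_ms - self.tick >= self.period:
                # More than a full period without requests: nothing from the
                # previous period can still be inside the window.
                self.tick = now_ms
                self.prev = 0
            else:
                self.prev = self.curr
            self.curr = 0
        self.curr += inc

    def read(self, now_ms):
        """Estimated number of requests during the last `period` ms."""
        if self.tick is None:
            return 0
        curr, prev = self.curr, self.prev
        remain = self.tick + self.period - now_ms  # time left in the current period
        if remain < 0:
            # The current period ended without a new request: treat it as the
            # previous period, whose weight keeps decaying.
            remain += self.period
            prev = curr if remain >= 0 else 0
            curr = 0
        return (curr * self.period + prev * max(remain, 0)) // self.period


class StickTable:
    """Minimal 'stick-table type ip ... store http_req_rate(period)'."""

    def __init__(self, period_ms, limit):
        self.period = period_ms
        self.limit = limit
        self.entries = {}   # src -> FreqCtr

    def request(self, src, now_ms):
        """'http-request track-sc0 src' followed by
        'http-request deny if { sc_http_req_rate(0) gt limit }':
        the request is counted first, then the rate including it is checked."""
        ctr = self.entries.setdefault(src, FreqCtr(self.period))
        ctr.update(now_ms)
        rate = ctr.read(now_ms)
        return rate, rate <= self.limit


def simulate(requests, period_ms=10_000, limit=10):
    """requests: iterable of (src, time_ms); returns [(src, time_ms, rate, allowed)]."""
    table = StickTable(period_ms, limit)
    return [(src, t) + table.request(src, t) for src, t in requests]


if __name__ == "__main__":
    # Constructed traffic from documentation addresses (RFC 5737).
    steady = [("203.0.113.7", i * 1000) for i in range(11)]          # one request per second
    burst = [("198.51.100.9", 0)] * 10 + [("198.51.100.9", 15_000)]  # ten at once, then a pause
    for src, t, rate, ok in simulate(steady + burst):
        print(f"{src:<13} t={t / 1000:>5.1f}s rate={rate:>2} {'allow' if ok else 'deny 429'}")
```

Running it shows the steady client being refused on its 11th request (rate 11), while the bursty client's next request 15 seconds after the burst still sees a rate of 6: half of the burst remains inside the sliding window. This is why a client that has been limited for a burst can stay limited for a while after it slows down, and why the window is not simply reset every 10 seconds.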

3. Allow only Cloudflare IPs

To only allow traffic from Cloudflare, build an ACL from Cloudflare's published IP ranges:

frontend http_front
  bind *:80
  acl cloudflare_ips src -f /etc/haproxy/cloudflare_ips.lst
  http-request allow if cloudflare_ips
  http-request deny if !cloudflare_ips

In the example above, /etc/haproxy/cloudflare_ips.lst is a file that contains all the Cloudflare IP ranges in CIDR notation, one per line. Cloudflare publishes the current lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; they change occasionally, and HAProxy reads the file only at startup, so regenerate it periodically and reload HAProxy afterwards. Bear in mind that once only Cloudflare can reach ports 80 and 443, src is always a Cloudflare edge address. The visitor's own address arrives in the CF-Connecting-IP request header, so a rate limit or a Fail2Ban ban keyed on src would hit Cloudflare's edges instead of the abusive client; rewrite src from that header with http-request set-src after the deny rule (never before it, since any other client could forge the header) so that the stick table and the log see the real client.

HAProxy and Fail2Ban

Fail2Ban can be used to monitor the HAProxy log for repeated authentication failures (HTTP 401 responses) and ban the offending addresses at the firewall. This requires HAProxy to write its httplog format to a file, e.g. log global and option httplog in the frontend plus a syslog rule that writes to /var/log/haproxy.log.

  1. Install Fail2Ban, if it is not already installed.

  2. Create a filter for HAProxy at /etc/fail2ban/filter.d/haproxy-http-auth.conf (Fail2Ban may already ship a filter with this name; if the file exists, review it rather than overwriting it). In HAProxy's httplog format the status code comes before the quoted request line, so the expression must look for the 401 there:

    [Definition]
    # httplog layout: <client_ip>:<port> [date] frontend backend/server timers status bytes ... "METHOD /path HTTP/1.x"
    failregex = ^.*haproxy\[\d+\]: <HOST>:\d+ \[[^\]]+\] \S+ \S+ \S+ 401 \d+ .* "[^"]*"$
    ignoreregex =
    
  3. Create a new jail in the /etc/fail2ban/jail.local file:

    [haproxy-http-auth]
    enabled = true
    filter = haproxy-http-auth
    logpath = /var/log/haproxy.log
    maxretry = 3
    bantime = 3600
    port = http,https
    
  4. Restart (or reload) Fail2Ban to apply the new configuration.

Fail2Ban should now monitor your HAProxy log and, for one hour, block any IP that produces three 401 responses within its findtime window (10 minutes by default). Before relying on it, run fail2ban-regex /var/log/haproxy.log /etc/fail2ban/filter.d/haproxy-http-auth.conf against real log lines and confirm that the expression matches your log format: a filter that silently matches nothing bans nobody. If HAProxy sits behind Cloudflare, make sure the logged address is the visitor's rather than the edge's, otherwise the jail will ban Cloudflare.
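The quickest way to see whether a failregex does what you think is to run it over representative log lines. The following added example (my own Python, not part of Fail2Ban or of this post's original filter) applies a failregex written for HAProxy's httplog field order, in which the status code precedes the quoted request line, to constructed log lines using documentation addresses, counts 401s per client the way a jail does, and shows for contrast that an expression expecting the status code after the request line matches nothing. Fail2Ban's own <HOST> expansion is replaced by a simplified address pattern, and the findtime window is not modelled.

```python
"""Apply an HAProxy 401 failregex to sample log lines the way a Fail2Ban jail would.

Added example, not part of Fail2Ban. The log lines are constructed in the
layout of 'option httplog' with RFC 5737 / RFC 3849 documentation addresses;
<HOST> is expanded with a simplified address pattern instead of Fail2Ban's own.
"""
import re
from collections import Counter

# Written for the httplog field order: ... frontend backend/server timers STATUS bytes ... "request"
FAILREGEX = r'^.*haproxy\[\d+\]: <HOST>:\d+ \[[^\]]+\] \S+ \S+ \S+ 401 \d+ .* "[^"]*"$'

# Expects the status code after the quoted request line, which is not where httplog puts it.
WRONG_ORDER_FAILREGEX = r'^.*haproxy.*:.* <HOST>:.* "GET / HTTP.*" 401.*$'

HOST_PATTERN = r'(?P<host>[0-9a-fA-F:.]+)'   # stand-in for Fail2Ban's <HOST> group

# Constructed sample log: three 401s from 203.0.113.7, one each from two other clients.
SAMPLE_LOG = """\
Jan 10 12:00:01 lb1 haproxy[1234]: 203.0.113.7:51234 [10/Jan/2024:12:00:01.123] http_front web_back/srv1 0/0/1/2/3 401 243 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Jan 10 12:00:02 lb1 haproxy[1234]: 203.0.113.7:51236 [10/Jan/2024:12:00:02.456] http_front web_back/srv1 0/0/1/2/3 200 5120 - - ---- 1/1/0/0/0 0/0 "GET /public HTTP/1.1"
Jan 10 12:00:03 lb1 haproxy[1234]: 203.0.113.7:51238 [10/Jan/2024:12:00:03.789] http_front web_back/srv1 0/0/1/2/3 401 243 - - ---- 1/1/0/0/0 0/0 "POST /login HTTP/1.1"
Jan 10 12:00:04 lb1 haproxy[1234]: 198.51.100.9:44000 [10/Jan/2024:12:00:04.012] http_front web_back/srv1 0/0/1/2/3 401 243 - - ---- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"
Jan 10 12:00:05 lb1 haproxy[1234]: 203.0.113.7:51240 [10/Jan/2024:12:00:05.345] http_front web_back/srv1 0/0/1/2/3 401 243 - - ---- 1/1/0/0/0 0/0 "POST /login HTTP/1.1"
Jan 10 12:00:06 lb1 haproxy[1234]: 2001:db8::5:40000 [10/Jan/2024:12:00:06.678] http_front web_back/srv1 0/0/1/2/3 401 243 - - ---- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"
"""


def compile_failregex(failregex):
    """Substitute the <HOST> placeholder and compile, as Fail2Ban does."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def failing_hosts(log_lines, failregex=FAILREGEX):
    """Count matching (failed) requests per client address."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_lines:
        match = pattern.match(line)
        if match:
            hits[match.group('host')] += 1
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Addresses a jail with this maxretry would ban (findtime not modelled)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = failing_hosts(lines)
    print("401s per host:", dict(hits))
    print("would ban:", hosts_to_ban(hits))
    print("wrong-order regex matches:", sum(failing_hosts(lines, WRONG_ORDER_FAILREGEX).values()))
```

With maxretry = 3 only 203.0.113.7 is banned; the 200 response from the same client is not counted, and the IPv6 client is extracted correctly because the pattern requires the address to be followed by ":port [". The wrong-order expression matches none of the six lines, including the one whose request is exactly "GET / HTTP/1.1", which is the failure mode fail2ban-regex would reveal on a real log.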

Adjusting Timeouts

Setting appropriate timeouts is a crucial part of server configuration, not only while an attack is under way. Timeouts stop clients that open connections and then send nothing, or trickle a few bytes at a time (slowloris-style), from tying up HAProxy's connection slots and backend sessions indefinitely.

There are several directives related to timeout settings:

    timeout client 5s
    timeout http-request 5s
    timeout http-keep-alive 5s
    timeout server 5s
  • timeout client: maximum inactivity time on the client side once the request has been received, i.e. how long HAProxy waits for the client to send or acknowledge data. It is closer to client_body_timeout and send_timeout in NGINX than to client_header_timeout.
  • timeout http-request: maximum time allowed for a complete HTTP request (the headers, or the body as well when request buffering is enabled) to arrive. This is the setting that defeats slowloris-style attacks and the real counterpart of NGINX's client_header_timeout.
  • timeout http-keep-alive: maximum idle time between two requests on a keep-alive connection; if it is not set, timeout http-request applies instead.
  • timeout server: maximum inactivity time on the server side, i.e. how long HAProxy waits for the backend to send data; comparable to proxy_read_timeout in NGINX rather than send_timeout. The 5s values above are deliberately short examples: a backend request that legitimately takes longer than timeout server is cut off with a 504, so size these for your application.

