Client-side HAProxy as infrastructure proxy (reference haproxy.cfg: TLS termination, optional mTLS, host/path routing to the Veridium backends, tarpit for everything else)
CODE
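global
# Local syslog at the "debug" level, i.e. every level is emitted. The access
# log-format below carries client IPs and full request lines, so the receiving
# syslog should be access-controlled.
log 127.0.0.1 len 65535 local0 debug
daemon
# Privilege drop after binding :443.
user ver_haproxy
group veridiumid
maxconn 100000
nbthread 4
maxsslconn 100000
tune.ssl.cachesize 100000
# Session-cache lifetime in seconds (24h).
tune.ssl.lifetime 86400
tune.ssl.maxrecord 1400
# TLS 1.2 cipher policy, applied to listeners (bind) and upstream connections (server).
# Cleaned up versus the previous list without changing the enabled set:
#   - ECDH+3DES removed: the trailing !3DES already disabled it, so the entry was dead;
#   - ECDHE+RSA+AES256+GCM+SHA384 removed: already selected by ECDH+AESGCM.
# NOTE(review): RSA+AES256 keeps static-RSA key exchange (no forward secrecy) for
# legacy clients; drop it once no such clients remain. TLS 1.3 suites are governed
# by ssl-default-bind-ciphersuites, which is not set here, so the library default applies.
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES256:!aNULL:!MD5:!DSS:!3DES
# TLS 1.2 minimum; session tickets disabled on the listener side (no long-lived ticket key).
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES256:!aNULL:!MD5:!DSS:!3DES
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11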
defaults
log global
mode http
# Do not log connections that carried no data (probes, port scans).
option dontlognull
# Appends the client address to X-Forwarded-For, except for local clients.
# NOTE(review): forwardfor appends rather than replaces, so a client-supplied
# X-Forwarded-For is forwarded in front of the real address; backends must trust
# only the last entry (or X-Client-IP, where a backend sets it from %[src]).
option forwardfor except 127.0.0.1
# Timeouts are in milliseconds (60s each).
timeout connect 60000
timeout client 60000
timeout server 60000
# Per-request correlation id added to the request; https-frontend redefines
# the header name as X-Unique-ID, so x-correlation-id only applies to other proxies.
unique-id-format %[uuid()]
unique-id-header x-correlation-id
#############################################################################################################################
# health check --------------------------------------------------------------------------------------------------------------
#############################################################################################################################
# Unauthenticated liveness endpoint for an external load balancer / monitoring.
# NOTE(review): it binds on every interface in plaintext; restrict :8888 at the
# firewall / security group to the monitoring source, it is otherwise an open fingerprint.
listen health_check
bind *:8888
mode http
# GET /health is answered by HAProxy itself with 200 OK, without reaching any backend.
monitor-uri /health
option dontlognull
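#############################################################################################################################
# https frontend ------------------------------------------------------------------------------------------------------------
#############################################################################################################################
frontend https-frontend
mode http
# TLS termination. A client certificate is requested but optional; when one is
# presented it is validated against client-ca.pem, so ssl_c_s_dn (used by the
# websec backend) is only populated for a certificate that chained to that CA.
# NOTE(review): no crl-file is configured, so revoked client certificates are
# still accepted; add one if the client CA publishes CRLs.
bind :443 ssl crt /opt/veridiumid/haproxy/conf/server.pem ca-file /opt/veridiumid/haproxy/conf/client-ca.pem verify optional
#------------------------------------------------------------------------------------------------------------------------
# log section
#------------------------------------------------------------------------------------------------------------------------
unique-id-format %[uuid()]
unique-id-header X-Unique-ID
# txn.coraza.* are populated by a Coraza SPOE agent. No "filter spoe" is declared in
# this file; unless it is loaded from another file, these fields log empty and no WAF
# is actually inspecting traffic — verify before relying on the waf-hit column.
log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ UUID:\ %[var(txn.coraza.id)]\ spoa-error:\ %[var(txn.coraza.error)]\ waf-hit:\ %[var(txn.coraza.status)]"
#------------------------------------------------------------------------------------------------------------------------
# inbound header hygiene
#------------------------------------------------------------------------------------------------------------------------
# Strip inbound copies of the headers the backends use as trust signals (mTLS
# subject, proxy secret, client address, scheme). The backends that need them
# re-create them from the TLS session / connection; without this, a client could
# inject e.g. "X-SSL-Client-DN: CN=..." into a backend that does not overwrite it.
# If a trusted upstream proxy legitimately supplies any of these, re-allow it explicitly.
http-request del-header X-SSL-Client-DN
http-request del-header x-ssl-termination-proxy-secret
http-request del-header X-Client-IP
http-request del-header X-Forwarded-Proto
#------------------------------------------------------------------------------------------------------------------------
# acl section
#------------------------------------------------------------------------------------------------------------------------
# acl domain — exact, case-insensitive Host match; a Host carrying an explicit
# port would not match and would fall through to the tarpit.
acl is_id_CLIENT_de hdr(host) -i developora.veridium-dev.com
# acl path — prefix matches, so /websec also covers /websec/... (and /websecX).
acl is_websec path_beg -i /websec
acl is_dmzwebsec path_beg -i /dmzwebsec
acl is_idp path_beg -i /idp
acl is_ssp path_beg -i /ssp
#------------------------------------------------------------------------------------------------------------------------
# redirect http to https section
#------------------------------------------------------------------------------------------------------------------------
# This frontend only binds :443 ssl, so ssl_fc is always true here and the redirect
# never fires; it only becomes effective if a plaintext "bind :80" is added.
redirect scheme https code 301 if !{ ssl_fc }
#------------------------------------------------------------------------------------------------------------------------
# use_backend section
#------------------------------------------------------------------------------------------------------------------------
use_backend bk_id_CLIENT_de_websec if is_id_CLIENT_de is_websec
use_backend bk_id_CLIENT_de_dmzwebsec if is_id_CLIENT_de is_dmzwebsec
use_backend bk_id_CLIENT_de_idp if is_id_CLIENT_de is_idp
use_backend bk_id_CLIENT_de_ssp if is_id_CLIENT_de is_ssp
# Everything else (scans, probes, unknown hosts or paths) is tarpitted and answered 403.
default_backend tarpit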
#############################################################################################################################
# Back-end website section --------------------------------------------------------------------------------------------------
#############################################################################################################################
backend bk_id_CLIENT_de_websec
mode http
balance roundrobin
# Health check is a plain TCP connect to :443 (no TLS handshake, no HTTP probe).
option tcp-check
tcp-check connect port 443
# option log-health-checks
# http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
# http-response set-header Cache-Control "no-cache, no-store, max-age=0, must-revalidate"
# Shared secret proving to the backend that TLS was terminated by this proxy.
# NOTE(review): the value below is a placeholder — the config does not load (unquoted
# spaces) and, if quoted, would send the placeholder text literally. Replace it with
# the real secret (or an environment-variable reference) before deployment, and keep
# this file out of world-readable locations and version control.
http-request set-header x-ssl-termination-proxy-secret <Proxy Secret must be recovered from Veridium Haproxy.cfg file>
# set-header replaces any client-supplied value, so these two are trustworthy downstream.
http-request set-header X-Forwarded-Proto https
http-request set-header X-Client-IP %[src]
# acl has_cookie cook(AL_ENV_SSL_CLIENT_S_DN) -m found
# capture cookie AL_ENV_SSL_CLIENT_S_DN len 256
# http-request set-header X-SSL-Client-DN %[req.cook(AL_ENV_SSL_CLIENT_S_DN)] if has_cookie
# acl dncheck req.hdr(X-SSL-Client-DN) -m found
# Subject DN of the (CA-validated) client certificate, double-quoted. Always set,
# so a request without a client cert reaches the backend with an empty quoted DN —
# the backend must treat that as "no certificate", not as a valid identity.
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
# http-response set-header X-Content-Type-Options nosniff
# http-response set-header X-XSS-Protection "1;mode=block"
# http-response set-header Content-Security-Policy "default-src 'self'"
# http-response set-header Referrer-Policy no-referrer-when-downgrade
# http-response set-header X-Frame-Options DENY
# http-response set-header Permissions-Policy "camera=(), geolocation=(), payment=(), microphone=(), usb=()"
# NOTE(review): "verify none" means the upstream certificate is not checked, so the
# proxy -> backend hop is open to MITM on the internal network. Prefer
# "verify required ca-file <internal-ca> sni str(<name>)" once the backend CA is available.
server server-10.204.90.4 10.204.90.4:443 check ssl verify none
server server-10.204.90.5 10.204.90.5:443 check ssl verify none
server server-10.204.90.6 10.204.90.6:443 check ssl verify none
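backend bk_id_CLIENT_de_dmzwebsec
mode http
balance roundrobin
option log-health-checks
# This backend sets none of the proxy-provided trust headers, so without the two
# deletions below a client could inject X-SSL-Client-DN or the proxy secret and
# have them forwarded to :8544 untouched. Drop them here regardless of what the
# frontend does, so the backend stands on its own.
http-request del-header X-SSL-Client-DN
http-request del-header x-ssl-termination-proxy-secret
# NOTE(review): unlike the websec/ssp backends, X-Forwarded-Proto and X-Client-IP are
# not set here; enable them if the application behind :8544 derives the scheme or
# client address from headers.
# http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
# http-response set-header Cache-Control "no-cache, no-store, max-age=0, must-revalidate"
# http-request set-header x-ssl-termination-proxy-secret <Proxy Secret must be recovered from Veridium Haproxy.cfg file>
# http-request set-header X-Forwarded-Proto https
# http-request set-header X-Client-IP %[src]
# acl has_cookie cook(AL_ENV_SSL_CLIENT_S_DN) -m found
# capture cookie AL_ENV_SSL_CLIENT_S_DN len 256
# http-request set-header X-SSL-Client-DN %[req.cook(AL_ENV_SSL_CLIENT_S_DN)] if has_cookie
# acl dncheck req.hdr(X-SSL-Client-DN) -m found
# http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] unless dncheck or has_cookie
# http-response set-header X-Content-Type-Options nosniff
# http-response set-header X-XSS-Protection "1;mode=block"
# http-response set-header Content-Security-Policy "default-src 'self'"
# http-response set-header Referrer-Policy no-referrer-when-downgrade
# http-response set-header X-Frame-Options DENY
# http-response set-header Permissions-Policy "camera=(), geolocation=(), payment=(), microphone=(), usb=()"
# NOTE(review): "verify none" skips upstream certificate validation (internal-hop MITM risk).
server server-10.204.90.4 10.204.90.4:8544 check ssl verify none
server server-10.204.90.5 10.204.90.5:8544 check ssl verify none
server server-10.204.90.6 10.204.90.6:8544 check ssl verify none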
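backend bk_id_CLIENT_de_idp
mode http
balance leastconn
# Source-IP persistence: "stick on src" is shorthand for "stick match src" plus
# "stick store-request src", so the separate "stick match src" that used to precede
# it was redundant and has been dropped (same lookup, same result).
# NOTE(review): clients behind a shared NAT all land on the same server.
stick-table type ip size 200k expire 30m
stick on src
option log-health-checks
# This backend sets none of the proxy-provided trust headers; drop inbound copies so
# a client cannot forward a forged X-SSL-Client-DN or proxy secret to the IdP on :8944.
http-request del-header X-SSL-Client-DN
http-request del-header x-ssl-termination-proxy-secret
# http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
# http-response set-header Cache-Control "no-cache, no-store, max-age=0, must-revalidate"
# http-request set-header x-ssl-termination-proxy-secret <Proxy Secret must be recovered from Veridium Haproxy.cfg file>
# http-request set-header X-Forwarded-Proto https
# http-request set-header X-Client-IP %[src]
# acl has_cookie cook(AL_ENV_SSL_CLIENT_S_DN) -m found
# capture cookie AL_ENV_SSL_CLIENT_S_DN len 256
# http-request set-header X-SSL-Client-DN %[req.cook(AL_ENV_SSL_CLIENT_S_DN)] if has_cookie
# acl dncheck req.hdr(X-SSL-Client-DN) -m found
# http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] unless dncheck or has_cookie
# http-response set-header X-Content-Type-Options nosniff
# http-response set-header X-XSS-Protection "1;mode=block"
# http-response set-header Content-Security-Policy "default-src 'self'"
# http-response set-header Referrer-Policy no-referrer-when-downgrade
# http-response set-header X-Frame-Options DENY
# http-response set-header Permissions-Policy "camera=(), geolocation=(), payment=(), microphone=(), usb=()"
# Explicit ids keep stick-table entries valid across config reloads that reorder servers.
# NOTE(review): "verify none" skips upstream certificate validation (internal-hop MITM risk).
server server-10.204.90.4 10.204.90.4:8944 check ssl verify none id 1
server server-10.204.90.5 10.204.90.5:8944 check ssl verify none id 2
server server-10.204.90.6 10.204.90.6:8944 check ssl verify none id 3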
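backend bk_id_CLIENT_de_ssp
mode http
balance roundrobin
option log-health-checks
# http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
# http-response set-header Cache-Control "no-cache, no-store, max-age=0, must-revalidate"
# http-request set-header x-ssl-termination-proxy-secret <Proxy Secret must be recovered from Veridium Haproxy.cfg file>
# X-SSL-Client-DN and the proxy secret are not set by this backend; delete inbound
# copies so a client cannot forward forged values to the SSP on :9987.
http-request del-header X-SSL-Client-DN
http-request del-header x-ssl-termination-proxy-secret
# set-header replaces any client-supplied value, so these two are trustworthy downstream.
http-request set-header X-Forwarded-Proto https
http-request set-header X-Client-IP %[src]
# acl has_cookie cook(AL_ENV_SSL_CLIENT_S_DN) -m found
# capture cookie AL_ENV_SSL_CLIENT_S_DN len 256
# http-request set-header X-SSL-Client-DN %[req.cook(AL_ENV_SSL_CLIENT_S_DN)] if has_cookie
# acl dncheck req.hdr(X-SSL-Client-DN) -m found
# http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] unless dncheck or has_cookie
# NOTE(review): unlike the other backends, nosniff / CSP / X-XSS-Protection are not even
# listed here as disabled options; consider the same response-header set if enabled elsewhere.
# http-response set-header Referrer-Policy no-referrer-when-downgrade
# http-response set-header X-Frame-Options DENY
# http-response set-header Permissions-Policy "camera=(), geolocation=(), payment=(), microphone=(), usb=()"
# NOTE(review): "verify none" skips upstream certificate validation (internal-hop MITM risk).
server server-10.204.90.4 10.204.90.4:9987 check ssl verify none
server server-10.204.90.5 10.204.90.5:9987 check ssl verify none
server server-10.204.90.6 10.204.90.6:9987 check ssl verify none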
#############################################################################################################################
# 403 Back-end --------------------------------------------------------------------------------------------------------------
#############################################################################################################################
# Catch-all for requests that matched no host/path route: hold the request for
# the tarpit timeout, then answer 403. Slows down scanners without revealing
# which paths exist. Each tarpitted request occupies a connection slot for up
# to 10s, which is what "maxconn 100000" in global is sized for.
backend tarpit
timeout tarpit 10s
# Unconditional: the "if TRUE" condition adds nothing, so it was dropped.
http-request tarpit deny_status 403