Note: Will be updated regularly. If something is confusing, browse to the links in the resources section.

Setup

The setup will consist of 6 nginx containers. Simulating 2 Websites with 3 Webservers each. The webservers will listen on ports 8081 through 8086. I’m using Debian as the Docker host.

HAProxy will have 2 frontends listening on port 8000 and 8100. Both backends will have 3 websites each.

Create web contents

Create some files that will help identify the webservers once they’re up and running:

$ mkdir webfiles

$ for site in `seq 1 2`; do for server in `seq 1 3`; do echo SITE$site - WEB$server > ~/webfiles/site$site\_server$server.txt ; done; done

Viewing the contents:

root@debianlab:~/webfiles# cat *
SITE1 - WEB1
SITE1 - WEB2
SITE1 - WEB3
SITE2 - WEB1
SITE2 - WEB2
SITE2 - WEB3

Deploy the Containers

Start the containers and check the status:

root@debianlab:~/webfiles# port=1; for site in `seq 1 2`; do for server in `seq 1 3`; do docker run -dt --name site$site\_server$server -p 808$(($port)):80 nginx ; port=$(($port + 1)); done; done
e157622553335125fe4485f9bc8b64e4a9bb56a0a7b72adea52cc22f4e8f491d
1eacd8526e5a3cdc8002d140c87dc17f561ab38d2da2bda2a1e20ab173830fb1
1140da95572a4e1e4bb26f3c8d395790dfc9cd37a8168cf1f41d64a14adc687d
b597aae33c2ab2f7fb03746563f6cc0762917b1d4097dbda1b7e5f0bf5878fdf
723cdf8f3947230e574606e7b6e840a1c35ab10dd40e9773355f27deccd10d50
3d30b55011f9d635ce136a435278fbb3f8e569a4ace491fa945b830165b27f55
root@debianlab:~/webfiles#
root@debianlab:~/webfiles# docker ps --format '{{.Names}}\t{{.Ports}}\t{{.Status}}'
site2_server3   0.0.0.0:8086->80/tcp, :::8086->80/tcp   Up 5 minutes
site2_server2   0.0.0.0:8085->80/tcp, :::8085->80/tcp   Up 5 minutes
site2_server1   0.0.0.0:8084->80/tcp, :::8084->80/tcp   Up 5 minutes
site1_server3   0.0.0.0:8083->80/tcp, :::8083->80/tcp   Up 5 minutes
site1_server2   0.0.0.0:8082->80/tcp, :::8082->80/tcp   Up 5 minutes
site1_server1   0.0.0.0:8081->80/tcp, :::8081->80/tcp   Up 5 minutes

Copy the test files inside the containers:

root@debianlab:~/webfiles# for site in `seq 1 2`; do for server in `seq 1 3`; do docker cp ~/webfiles/site$site\_server$server.txt site$site\_server$server:/usr/share/nginx/html/test.txt; done; done

All webservers have a unique test.txt file in /usr/share/nginx/html/. Let’s view it:

root@debianlab:~/webfiles# port=1; for site in `seq 1 2`; do for server in `seq 1 3`; do curl -s http://localhost:808$port/test.txt; port=$(($port + 1)); done; done
SITE1 - WEB1
SITE1 - WEB2
SITE1 - WEB3
SITE2 - WEB1
SITE2 - WEB2
SITE2 - WEB3

Looks good.

Configure and Start HAProxy

On RHEL based Distros, you need to allow the haproxy_connect_any policy:

[root@rockylab ~]# semanage boolean --list | grep -i haproxy
haproxy_connect_any            (off  ,  off)  Allow haproxy to connect any
[root@rockylab ~]#
[root@rockylab ~]# setsebool -P haproxy_connect_any 1
[root@rockylab ~]#
[root@rockylab ~]# semanage boolean --list | grep -i haproxy
haproxy_connect_any            (on   ,   on)  Allow haproxy to connect any

Modify /etc/haproxy/haproxy.cfg:

## Docker Simulation Frontend
frontend site1
    bind *:8000
    default_backend site1

frontend site2
    bind *:8100
    default_backend site2

## Docker Simulation Backend 1
backend site1
    balance    roundrobin
    server site1-web1 127.0.0.1:8081 check
    server site1-web2 127.0.0.1:8082 check
    server site1-web3 127.0.0.1:8083 check

## Docker Simulation Backend 2
backend site2
    balance roundrobin
    server site2-web1 127.0.0.1:8084 check
    server site2-web2 127.0.0.1:8085 check
    server site2-web3 127.0.0.1:8086 check

## Stats Page
listen stats
    bind *:8050
    stats enable
    stats uri /
    stats hide-version

Once done, start or restart HAProxy:

systemctl enable --now haproxy

Test the webservers:

root@debianlab:~# for site in `seq 1 3`; do curl http://localhost:8000/test.txt; done
SITE1 - WEB1
SITE1 - WEB2
SITE1 - WEB3
root@debianlab:~# for site in `seq 1 3`; do curl http://localhost:8100/test.txt; done
SITE2 - WEB1
SITE2 - WEB2
SITE2 - WEB3

MacBook-Pro:~ kavish$ for site in `seq 1 3`; do curl http://192.168.100.131:8000/test.txt; done
SITE1 - WEB1
SITE1 - WEB2
SITE1 - WEB3
MacBook-Pro:~ kavish$ for site in `seq 1 3`; do curl http://192.168.100.131:8100/test.txt; done
SITE2 - WEB1
SITE2 - WEB2
SITE2 - WEB3 

Works as expected.

Scripts

  • create_containers.sh:
#!/bin/bash

echo "Creating containers..."

port=1; for site in `seq 1 2`; do for server in `seq 1 3`; do docker run -dt --name site$site\_server$server -p 808$(($port)):80 nginx ; port=$(($port + 1)); done; done

sleep 2

echo "Copying Webfiles..."

for site in `seq 1 2`; do for server in `seq 1 3`; do docker cp ~/webfiles/site$site\_server$server.txt site$site\_server$server:/usr/share/nginx/html/test.txt; done; done

sleep 2

docker ps
  • stop_containers.sh:
#!/bin/bash
echo -e "Stopping Containers...\n"
docker stop site{1..2}\_server{1..3}

echo " "
docker ps
  • start_containers.sh
#!/bin/bash

docker start site{1..2}\_server{1..3}
  • stop_remove_containers.sh:
#!/bin/bash
docker stop site{1..2}\_server{1..3}

docker rm site{1..2}\_server{1..3}

HTTP Rewrites

Scenario: Management has told us that we need to clean all the nonessential files from the root of our sites. We have a file that needs to be moved, but we need to be able to continue to support requests for it in its current location.

Moving the testfiles

I’m going to create a new subfolder called textfiles in /usr/share/nginx/html/:

root@debianlab:~/webfiles/scripts# for site in `seq 1 2`; do for server in `seq 1 3`; do docker exec site$site\_server$server mkdir -v /usr/share/nginx/html/textfiles; done; done
mkdir: created directory '/usr/share/nginx/html/textfiles'
mkdir: created directory '/usr/share/nginx/html/textfiles'
mkdir: created directory '/usr/share/nginx/html/textfiles'
mkdir: created directory '/usr/share/nginx/html/textfiles'
mkdir: created directory '/usr/share/nginx/html/textfiles'
mkdir: created directory '/usr/share/nginx/html/textfiles'

Now I’ll move the test.txt file inside /usr/share/nginx/html/textfiles/:

root@debianlab:~# for site in `seq 1 2`; do for server in `seq 1 3`; do docker exec site$site\_server$server mv -v /usr/share/nginx/html/test.txt /usr/share/nginx/html/textfiles; done; done
renamed '/usr/share/nginx/html/test.txt' -> '/usr/share/nginx/html/textfiles/test.txt'
renamed '/usr/share/nginx/html/test.txt' -> '/usr/share/nginx/html/textfiles/test.txt'
renamed '/usr/share/nginx/html/test.txt' -> '/usr/share/nginx/html/textfiles/test.txt'
renamed '/usr/share/nginx/html/test.txt' -> '/usr/share/nginx/html/textfiles/test.txt'
renamed '/usr/share/nginx/html/test.txt' -> '/usr/share/nginx/html/textfiles/test.txt'
renamed '/usr/share/nginx/html/test.txt' -> '/usr/share/nginx/html/textfiles/test.txt'

Get a shell inside a container to verify:

root@debianlab:~# docker exec -it site1_server2 /bin/bash
root@ca9925191a0f:/#
root@ca9925191a0f:/# ls -l /usr/share/nginx/html/textfiles/
total 4
-rw-r--r-- 1 root root 13 Feb  6 05:30 test.txt
root@ca9925191a0f:/# exit
exit

Browse to the original location:

root@debianlab:~# curl -s -o /dev/null -w %"{http_code}" localhost:8100/text.txt;echo
404
root@debianlab:~#
root@debianlab:~# curl -s -o /dev/null -w %"{http_code}" localhost:8000/text.txt;echo
404

Rewrite an HTTP Request

In both frontends, add the following rules:

acl p_ext_txt path_end -i .txt
acl p_folder_textfiles path_beg -i /textfiles/
http-request set-path /textfiles/%[path] if !p_folder_textfiles p_ext_txt

Like so:

## Docker Simulation Frontend
frontend site1
    bind *:8000
    default_backend site1
    acl p_ext_txt path_end -i .txt
    acl p_folder_textfiles path_beg -i /textfiles/
    http-request set-path /textfiles/%[path] if !p_folder_textfiles p_ext_txt

frontend site2
    bind *:8100
    default_backend site2
    acl p_ext_txt path_end -i .txt
    acl p_folder_textfiles path_beg -i /textfiles/
    http-request set-path /textfiles/%[path] if !p_folder_textfiles p_ext_txt

Two ACLS were set:

  • p_ext_txt - path that ends with the .txt extension
  • p_folder_textfiles - path begins with /textfiles/

http-request will rewrite the request only if the path doesn’t begin with /textfiles/ and the path ends with a .txt file.

Test HAProxy Configuration:

root@debianlab:~# haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid

Reload HAProxy:

root@debianlab:~# systemctl reload haproxy

Check the original and new location of text.txt:

root@debianlab:~# curl -s http://localhost:8000/test.txt
SITE1 - WEB1
root@debianlab:~# curl -s http://localhost:8100/test.txt
SITE2 - WEB1
root@debianlab:~#
root@debianlab:~# curl -s http://localhost:8000/textfiles/test.txt
SITE1 - WEB2
root@debianlab:~# curl -s http://localhost:8100/textfiles/test.txt
SITE2 - WEB2
root@debianlab:~#

Now its available in both locations.

Resources

https://www.haproxy.com/blog/testing-your-haproxy-configuration/ https://www.haproxy.com/blog/introduction-to-haproxy-acls/ https://www.haproxy.com/documentation/hapee/latest/traffic-routing/rewrites/rewrite-requests/

Domain Mapping based on Host Header

First, let’s add both site-1 and site-2 in /etc/hosts:

## HAProxy Start
127.0.0.1 www.site-1.com site-1.com
127.0.0.1 www.site-2.com site-2.com
## HAProxy End

Next, let’s make some changes in /etc/haproxy/haproxy.cfg:

frontend site1-site2
    bind *:80
    mode http

    acl p_ext_txt path_end -i .txt
    acl p_folder_textfiles path_beg -i /textfiles/
    http-request set-path /textfiles/%[path] if !p_folder_textfiles p_ext_txt

    acl site-1 hdr(host) -i site-1.com www.site-1.com
    acl site-2 hdr(host) -i site-2.com www.site-2.com
    use_backend site1 if site-1
    use_backend site2 if site-2

Both frontends were replaced with the above content. We’re now listening on port 80. Traffic will be redirected to the requested backend based on the HTTP host Header.

Reload HAProxy and access both backends via domain name:

root@debianlab:~# for i in `seq 1 6`; do curl -s http://www.site-1.com/test.txt; done
SITE1 - WEB1
SITE1 - WEB2
SITE1 - WEB3
SITE1 - WEB1
SITE1 - WEB2
SITE1 - WEB3
root@debianlab:~# for i in `seq 1 6`; do curl -s http://www.site-2.com/test.txt; done
SITE2 - WEB1
SITE2 - WEB2
SITE2 - WEB3
SITE2 - WEB1
SITE2 - WEB2
SITE2 - WEB3

Resources

https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/

TLS/SSL Termination

With TLS/SSL termination, traffic between HAProxy and the clients will be encrypted and communication between HAProxy and the backend servers will be over HTTP.

Create the certificate with mkcert:

root@debianlab:/etc/haproxy# mkdir certs
root@debianlab:/etc/haproxy# cd certs/
root@debianlab:/etc/haproxy/certs# mkcert localhost

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅

It will expire on 12 May 2024 🗓

root@debianlab:/etc/haproxy/certs# ls -l
total 8
-rw------- 1 root root 1704 Feb 12 10:49 localhost-key.pem
-rw-r--r-- 1 root root 1452 Feb 12 10:49 localhost.pem
root@debianlab:/etc/haproxy/certs#
root@debianlab:/etc/haproxy/certs# cat localhost-key.pem localhost.pem > localhost-haproxy.pem
root@debianlab:/etc/haproxy/certs# rm -f localhost-key.pem localhost.pem
root@debianlab:/etc/haproxy/certs# chmod 640 localhost-haproxy.pem
root@debianlab:/etc/haproxy/certs# ls -l
total 4
-rw-r----- 1 root root 3156 Feb 12 10:50 localhost-haproxy.pem
root@debianlab:/etc/haproxy/certs#

If you want to use openssl instead of mkcert, you can use this.

Make the following change in the frontend of /etc/haproxy/haproxy.cfg:

frontend site1-site2
    bind *:443 ssl crt /etc/haproxy/certs/localhost-haproxy.pem force-tlsv13
    mode http

    acl p_ext_txt path_end -i .txt
    acl p_folder_textfiles path_beg -i /textfiles/
    http-request set-path /textfiles/%[path] if !p_folder_textfiles p_ext_txt

    acl site-1 hdr(host) -i site-1.com www.site-1.com
    acl site-2 hdr(host) -i site-2.com www.site-2.com
    use_backend site1 if site-1
    use_backend site2 if site-2

Now HAProxy will only listen on port 443. Make sure you specified the correct path for the certificate. Reload HAProxy and test the configuration:

root@debianlab:~# curl -k site-1.com
curl: (7) Failed to connect to site-1.com port 80: Connection refused
root@debianlab:~# curl -k site-2.com
curl: (7) Failed to connect to site-2.com port 80: Connection refused
root@debianlab:~#
root@debianlab:~# curl -k https://site-1.com/test.txt
SITE1 - WEB1
root@debianlab:~#
root@debianlab:~# curl -k https://site-2.com/test.txt
SITE2 - WEB1
root@debianlab:~#

Connection is refused on port 80. HTTPS is working. This is what we wanted.

Accept HTTP Traffic and Redirect it to HTTPS

To achieve this, HAProxy needs to listen on port 80 and the redirect the traffic over HTTPS. Make the two following changes(bind on port 80 and redirect scheme):

frontend site1-site2
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/localhost-haproxy.pem force-tlsv13
    http-request redirect scheme https unless { ssl_fc }

    acl p_ext_txt path_end -i .txt
    acl p_folder_textfiles path_beg -i /textfiles/
    http-request set-path /textfiles/%[path] if !p_folder_textfiles p_ext_txt

    acl site-1 hdr(host) -i site-1.com www.site-1.com
    acl site-2 hdr(host) -i site-2.com www.site-2.com
    use_backend site1 if site-1
    use_backend site2 if site-2

Note: Spaces between curly braces and ssl_fc is mandatory.

Reload HAProxy and test both HTTP and HTTPS connections:

root@debianlab:~# curl -kL http://www.site-1.com/test.txt
SITE1 - WEB1
root@debianlab:~# curl -kL http://www.site-2.com/test.txt
SITE2 - WEB1
root@debianlab:~#
root@debianlab:~# curl -k https://www.site-1.com/test.txt
SITE1 - WEB2
root@debianlab:~# curl -k https://www.site-2.com/test.txt
SITE2 - WEB2
root@debianlab:~#

Everything works fine. If a client is using HTTP, the request will be redirected over HTTPS.

Protect HTTP

HAProxy can protect HTTP servers against attacks. It gives us the ability to set dynamic defence mechanisms to stop or denied bad requests before they reached our backends. Two most common attacks are HTTP Flood and [Slowloris](https://en.wikipedia.org/wiki/Slowloris_(computer_security).

Brief Intro of Stick Tables

In HAProxy there’a an in-memory key-value storage called a Stick Table. It’s used to keep track of data such as IP Addresses, Request-Rate(HTTP and TCP), and so on.

A Sticky Table can also be viewed as a backend because it doesn’t just keep track by default. We have to tell the frontend to use it first, hence send the data we want to keep track of.

It can be defined in a frontend/backend or a dedicated frontend/backend. Here’s an example of dedicated backend called keep_track:

backend keep_track
    stick-table type ip size 1m expire 5m store http_req_rate(5m)

stick-table: Creating a stick table type: Type of data we’ll be keeping track of. In this case ip. size: Number of lines to be stored. 1m is one million lines. expire: Reset the table after 5 minutes. store: The value that we want to store should be specified after. In this case http request rate. http_req_rate: How many request did an IP made in the last 5 Minutes.

The stick-table will store one million IP Addresses, and how many requests an IP has made during the last 5 minutes. After 5 minutes the sticky table will reset. The IP is the key and the request rate is the value.

Now you can keep things in it by calling it in a frontend:

frontend main
    bind *:80
    http-request track-sc0 src table keep_track
    http-request deny deny_status 500 if {sc_http_req_rate(0) gt 100}

We’re telling the frontend to send the src IP Address of each request to the keep_track sticky table. That’s what we want. The sticky table was defined to track IP Addresses and Request Rates. That’s all the sticky table will do from now on. Just track specific things. Nothing else.

sc is a sticky counter]. In the frontend, we have track-sc0. This basically says, track the data inside the sticky table and put it in sc0(sticky counter 0).

We then can use sc0 to filter, and deny traffics. You can read the line sc_http_req_rate(0) gt 100 as so: In Stick Counter 0, look for http_req_rate and verify if its value is greater than 100 for the incoming IP. If true do something. In this case, we send a deny response.

Deny Based on Request Rate

Let’s add a backend called per_ip_rates to hold a stick-table:

## Per IP Rates Backend
backend per_ip_rates
    stick-table type ip size 1m expire 10m store http_req_rate(10s)
    ```

Now we can start tracking in the frontend and send a [429 Too Many Requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429) response, if an IP has made more than 100 requests in the last 10 seconds(last two lines):

```shell
## Docker Simulation Frontend

frontend site1-site2
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/localhost-haproxy.pem force-tlsv13
    http-request redirect scheme https unless { ssl_fc }

    http-request track-sc0 src table per_ip_rates
    http-request deny deny_status 429 if {sc_http_req_rate(0) gt 100}

....REDACTED....

Sticky Counter can be confusing at first. As a reminder, The 0 in sc_http_req_rate(0) gt 100 is the number of the sticky counter. Inside sc0, we want http_req_rate. More than one sticky counter in a frontend can be called to track multiple sticky tables.

Deny Based on User Agent

Here we’re sending a 500 Internal Server Error response if the client’s user-agent header contains the string curl:

http-request deny deny_status 500 if { req.hdr(user-agent) -i -m sub curl }
  • -i: Insensitive Case
  • -m sub: Calling a module. In this case, the substring module.

If -m sub is omitted, it will match the exact string: curl. You can read about it here.

Deny a list of Networks or IPs

This is fairly straight forward. Send a 503 Service Unavailable response, if an IP or Network(each on a new line) is found in the file /etc/haproxy/blocked.acl:

http-request deny deny_status 503 if { src -f /etc/haproxy/blocked.acl }

I’m gonna block an IP on my network:

root@debianlab:~# echo "192.168.100.117" > /etc/haproxy/blocked.acl
root@debianlab:~# cat !$
cat /etc/haproxy/blocked.acl
192.168.100.117

Verify the config file and restart HAProxy:

root@debianlab:~# haproxy -f /etc/haproxy/haproxy.cfg -c && systemctl restart haproxy
Configuration file is valid

Testing Request Rate

Let’s generate 3 requests on site1 and view the stats(I allowed curl just for this example):

MacBook-Pro:~ kavish$ curl -kL https://www.site-1.com/test.txt
SITE1 - WEB1
MacBook-Pro:~ kavish$ curl -kL https://www.site-1.com/test.txt
SITE1 - WEB2
MacBook-Pro:~ kavish$ curl -kL https://www.site-1.com/test.txt
SITE1 - WEB3
MacBook-Pro:~ kavish$

---- HAPROXY RUNTIME API  ----

Every 2.0s: echo "show stat" | nc -U /var/run/haproxy/admin....  debianlab: Mon Feb 21 11:31:29 2022

# pxname      svname      scur  smax  slim    stot  bin  bout  rate  rate_lim  rate_max
site1-site2   FRONTEND    0     1     262120  6     282  1239  0     0         1
per_ip_rates  BACKEND     0     0     1       0     0    0     0               0
site1         site1-web1  0     1             1     94   217   0               1
site1         site1-web2  0     1             1     94   217   0               1
site1         site1-web3  0     1             1     94   217   0               1
site1         BACKEND     0     1     26212   3     282  651   0               1
site2         site2-web1  0     0             0     0    0     0               0
site2         site2-web2  0     0             0     0    0     0               0
site2         site2-web3  0     0             0     0    0     0               0
site2         BACKEND     0     0     26212   0     0    0     0               0
stats         FRONTEND    0     0     262120  0     0    0     0     0         0
stats         BACKEND     0     0     26212   0     0    0     0               0

As you can see, each site[1,2,3] has a rate of 1.

Now Let’s generate a lot of traffics with vegeta to test the HTTP Request Rates(I restarted HAProxy to reset the stats):

MacBook-Pro:~ kavish$ echo "GET http://www.site-1.com" | vegeta attack -duration=20s -max-workers 100 > /dev/null

Viewing the stats on the HAProxy host(execute the first line in your terminal):

Every 2.0s: echo "show stat" | nc -U /var/run/haproxy/admin....  debianlab: Mon Feb 21 11:48:04 2022

# pxname      svname      scur  smax  slim    stot  bin     bout    rate  rate_lim  rate_max
site1-site2   FRONTEND    0     96    262121  47    117890  109000  0     0         29
per_ip_rates  BACKEND     0     0     1       0     0       0       0               0
site1         site1-web1  0     0             0     0       0       0               0
site1         site1-web2  0     0             0     0       0       0               0
site1         site1-web3  0     0             0     0       0       0               0
site1         BACKEND     0     0     26213   0     0       0       0               0
site2         site2-web1  0     0             0     0       0       0               0
site2         site2-web2  0     0             0     0       0       0               0
site2         site2-web3  0     0             0     0       0       0               0
site2         BACKEND     0     0     26213   0     0       0       0               0
stats         FRONTEND    0     0     262121  0     0       0       0     0         0
stats         BACKEND     0     0     26213   0     0       0       0               0

Nothing has reached the backend.

Testing Curl

Test with curl:

MacBook-Pro:~ kavish$ curl -kL https://www.site-1.com/test.txt
<html><body><h1>500 Internal Server Error</h1>
An internal server error occurred.
</body></html>

Works as expected.

Testing Blocked IP

For blocked IP:

MacBook-Pro:~ kavish$ wget --no-check-certificate -O - www.site-1.com/test.txt -Sq
  HTTP/1.1 302 Found
  content-length: 0
  location: https://www.site-1.com/test.txt
  cache-control: no-cache
  HTTP/1.0 503 Service Unavailable
  cache-control: no-cache
  content-type: text/html

Service unavailable as expected.

Resources

https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/ https://www.haproxy.com/blog/introduction-to-haproxy-acls/ https://www.haproxy.com/blog/introduction-to-haproxy-maps/ https://www.haproxy.com/blog/introduction-to-haproxy-stick-tables/ https://www.haproxy.com/blog/use-haproxy-response-policies-to-stop-threats/ https://www.haproxy.com/blog/dynamic-configuration-haproxy-runtime-api/ https://stackoverflow.com/questions/25267372/correct-way-to-detach-from-a-container-without-stopping-it

Protect SSH

HAProxy can handle SSH connections in TCP mode. You can’t prevent all types of cyberattack with HAProxy, but a lot of restrictions can be implemented.

Setup Container

Pull the image:

docker pull linuxserver/openssh-server

Creating a container called dockerssh:

root@debianlab:~# docker run -d --name dockerssh -e PUID=1000 -e PGID=1000 -e PASSWORD_ACCESS=true -e USER_PASSWORD=dockerssh -e USER_NAME=sshclient -p 2223:2222 linuxserver/openssh-server
4e6bffc0ad9496b4bdf623dd211a3f5f8244c66c57ad3bd3a389175c227e26e0
root@debianlab:~#
root@debianlab:~# ss -ntpl4 | grep 2223
LISTEN 0      4096         0.0.0.0:2223      0.0.0.0:*    users:(("docker-proxy",pid=3586,fd=4))
root@debianlab:~#
root@debianlab:~# docker ps --format '{{.Names}}\t{{.Ports}}\t{{.Status}}' | grep ssh
dockerssh   0.0.0.0:2223->2222/tcp, :::2223->2222/tcp   Up 32 seconds

Username is sshclient and password is dockerssh.

Let’s get access on the server and see if everythings works:

root@debianlab:~# ssh sshclient@localhost -p 2223
The authenticity of host '[localhost]:2223 ([::1]:2223)' can't be established.
ECDSA key fingerprint is SHA256:GrgntWa82J+blR0DskdOnXlSmJTWiW0u1vBsyF2RQJo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2223' (ECDSA) to the list of known hosts.
sshclient@localhost's password:
Welcome to OpenSSH Server

4e6bffc0ad94:~$
4e6bffc0ad94:~$ whoami
sshclient
4e6bffc0ad94:~$ echo $HOME
/config
4e6bffc0ad94:~$
4e6bffc0ad94:~$ ls /config
custom-cont-init.d  custom-services.d  logs  ssh_host_keys  sshd.pid
4e6bffc0ad94:~$

Looks good. Let’s try sending a file over scp and view its content over ssh:

root@debianlab:~/dockerssh# cat ssh-test.txt
DOCKER SSH
root@debianlab:~/dockerssh#
root@debianlab:~/dockerssh# scp -P 2223 ./ssh-test.txt sshclient@localhost:~/
sshclient@localhost's password:
ssh-test.txt                                                      100%   11     4.3KB/s   00:00
root@debianlab:~/dockerssh#
root@debianlab:~/dockerssh#
root@debianlab:~/dockerssh# ssh sshclient@localhost -p 2223 'cat /config/ssh-test.txt'
sshclient@localhost's password:
DOCKER SSH
root@debianlab:~/dockerssh#

Basic Front/Backend to check Connectivity

Simple setup:

# Dockerssh Frontend
frontend dockerssh
    bind *:2222
    mode tcp
    option tcplog
    default_backend dockersshd

# Dockersshd Backend
backend dockersshd
    mode tcp
    server sshd-server1 127.0.0.1:2223 check

Restart HAProxy, and test the connection by pulling the ssh-test.txt on our docker host:

root@debianlab:~/dockerssh# scp -P 2222 sshclient@localhost:/config/ssh-test.txt from_docker_ssh.txt
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:GrgntWa82J+blR0DskdOnXlSmJTWiW0u1vBsyF2RQJo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
sshclient@localhost's password:
ssh-test.txt                                                      100%   11     2.0KB/s   00:00
root@debianlab:~/dockerssh#
root@debianlab:~/dockerssh# cat from_docker_ssh.txt
DOCKER SSH
root@debianlab:~/dockerssh#

Limit Connections Per client and Concurrent Sessions

Traffic is moving on the SSH server:

Every 2.0s: echo "show stat" | nc -U /var/run/haproxy/admin....  debianlab: Tue Feb 22 18:12:12 2022

# pxname      svname        scur  smax  slim    stot  bin     bout    rate  rate_lim  rate_max
dockerssh     FRONTEND      0     19    262120  409   643568  640716  0     0         10
dockersshd    sshd-server1  0     19            409   643568  640716  0               10
dockersshd    BACKEND       0     19    26212   409   643568  640716  0               10
site1-site2   FRONTEND      0     0     262120  0     0       0       0     0         0
per_ip_rates  BACKEND       0     0     1       0     0       0       0               0
site1         site1-web1    0     0             0     0       0       0               0
site1         site1-web2    0     0             0     0       0       0               0
site1         site1-web3    0     0             0     0       0       0               0
site1         BACKEND       0     0     26212   0     0       0       0               0
site2         site2-web1    0     0             0     0       0       0               0
site2         site2-web2    0     0             0     0       0       0               0
site2         site2-web3    0     0             0     0       0       0               0
site2         BACKEND       0     0     26212   0     0       0       0               0
stats         FRONTEND      0     0     262120  0     0       0       0     0         0
stats         BACKEND       0     0     26212   0     0       0       0               0

I’m gonna create a new backend to hold a stick-table to track connections:

# Dockerssh Frontend
frontend dockerssh
    bind *:2222
    mode tcp
    option tcplog
    timeout client 1m
    tcp-request content track-sc0 src table ssh_per_ip_connections
    tcp-request content reject if { sc_conn_cur(0) gt 2 } || { sc_conn_rate(0) gt 10 }
    default_backend dockersshd

# Dockersshd Backend
backend dockersshd
    mode tcp
    server sshd-server1 127.0.0.1:2223 check

# Backend ssh_per_ip_connections
backend ssh_per_ip_connections
    stick-table type ip size 1m expire 1m store conn_cur,conn_rate(1m)

Running tests

Opening 1000 Connections:

root@debianlab:~/dockerssh# for conn in `seq 1 1000`; do bash -c 'scp -P 2222 sshclient@localhost:/config/ssh-test.txt . &'; done
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 2222
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 2222
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 2222
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 2222

---REDACTED---

Do make sure to copy your public key on the ssh server, or else you won’t see the message Connection closed by remote host.

The stats:

Every 2.0s: echo "show stat" | nc -U /var/run/haproxy/admin.so...  debianlab: Tue Feb 22 19:10:50 2022

dockerssh               FRONTEND      0     4     262120  1000  11504  10767   0     0         30
dockersshd              sshd-server1  0     2             3     11376  10767   0               2
dockersshd              BACKEND       0     2     26212   3     11376  10767   0               2
ssh_per_ip_connections  BACKEND       0     0     1       0     0      0       0               0

1000 connections reached the frontend. If you look on the stats page on port 8050, you should see that over 900 connections were denied on the frontend. I don’t know how to look for denied request via the runtime API. If I ever get the chance to look it up, I’ll update the post.

Resources

https://www.haproxy.com/blog/route-ssh-connections-with-haproxy/

Health Checks

https://www.haproxy.com/blog/how-to-enable-health-checks-in-haproxy/ https://www.haproxy.com/blog/webinar-haproxy-skills-lab-health-checking-servers/

Varnish and Haproxy

https://www.haproxy.com/blog/haproxy-varnish-and-the-single-hostname-website/