Serving


Redirection in HAProxy

I wanted to mention something I just set up at work. The gist of this involves the need to support shortnames/search domains. This allows a user to type “bugzilla/” in their browser instead of a FQDN, e.g. “bugzilla.example.com”. Of course, the DNS search domain “example.com” must be configured (either manually or via DHCP). Enter hdr_beg(host). Using HAProxy, we can actually do one of three things relating to the Host header (there are more, but these are the ones we care about):


Pass-through SSL with HAProxy

As I’ve started to containerize, certain webapps of mine utilize SSL for secure communication. Hence, I usually bundle everything the resulting webapp needs to serve the app over SSL, including certificates and keys. HAProxy provides the ability to pass through SSL by using TCP proxy mode. This is awesome, except you can forget about serving multiple domains/vhosts in this basic configuration, since HAProxy never sees the hostname. However, SNI to the rescue! From the HAProxy blog, there is indeed a way for HAProxy to inspect the SSL negotiation and find the hostname, sent by the client through SNI:


Ensuring your website is secure: Using strong ciphers

This new site, Cipherli.st, allows you to get configurations for the major web server and proxy software suites to ensure they are using the most secure SSL/TLS cipher settings for serving out sensitive content, or anything on port 443. The configs are copy/pastable into your web server configuration. Be sure to check there for the latest, most secure confs. Example for nginx:

    ssl_ciphers "AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    add_header X-Frame-Options DENY;
    ssl_stapling on; # Requires nginx >= 1.
