Serving
Apr 25, 2015
I wanted to mention something I just set up at work. The gist of this involves the need to support shortnames/search domains. This allows a user to type “bugzilla/” in their browser instead of a FQDN such as “bugzilla.example.com”. Of course, the DNS search domain “example.com” must be configured on the client (either manually or via DHCP) for the short name to resolve.
Enter hdr_beg(host)
Using HAProxy, we can do one of three things with the Host header (there are more, but these are the ones we care about):
Continue reading ↦
Feb 8, 2015
As I’ve started to containerize, some of my webapps use SSL for secure communication. Hence, I usually bundle everything the resulting webapp needs to serve over SSL, including certificates and keys.
HAProxy can pass SSL straight through by using TCP proxy mode. This is awesome, except that you can forget about serving multiple domains/vhosts in this basic configuration, since the proxy never sees the encrypted Host header. However, SNI to the rescue!
The HAProxy blog describes a way for HAProxy to inspect the SSL negotiation and find the hostname that the client sends via SNI:
Continue reading ↦
Oct 16, 2014
This new site, Cipherli.st, provides configurations for the major web server and proxy software suites so that they use the most secure SSL/TLS cipher settings when serving sensitive content, or anything on port 443.
The configs can be pasted straight into your web server configuration. Be sure to check there for the latest, most secure confs, since the recommended protocol and cipher lists change over time.
Example for nginx:
ssl_ciphers "AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.
Continue reading ↦