How to secure HAProxy TCP stats socket? Needed for remote operation

Question

I would like to control my HAproxy remotely during deploy of applications. E.g. before stopping apps on "app-server1" I want to instruct the HA-proxy to disable the backend server "app-server1". When the application is running again, I want to issue the enable command.

With "stats socket ..." I create either a UNIX socket or a TCP socket. For remote access it has to be a TCP socket. However, this obviously opens up a vulnerability that I want to mitigate.

Can I restrict the access to the admin socket, e.g. by client IP list, SSL or other?

Due to the limited amount of information I find on this topic when searching, I wonder if there is another, recommended way of remote operation for my use case?

I do use scripting for this, but allowing SSH access for the scripts to the server where HA-proxy is running, is not an option.

Seems to me like a combination of either iptables, or stunnel would fit the bill here. What have you tried so far? — GregL, Feb 08 '17 at 12:28
Thanks GregL. Have not tried any of your suggestions. I want to keep it on an "application level" if possible, e.g. the app checks for client IP or similar. iptables or stunnel require root access, not? — Leif John, Feb 08 '17 at 12:32
I don't think there's any way to do in purely with HAProxy, since the `stats socket` keyword isn't part of a frontend/backend, so can't be controlled with ACLs. — GregL, Feb 08 '17 at 12:47
I just got an idea that seems to work - defining a proxy for the stats socket. See my answer below. — Leif John, Feb 08 '17 at 13:40

score 5 · Accepted Answer · answered Feb 08 '17 at 13:39

5

Define a backend server pointing to the stats socket on localhost. Then set the stats socket to bind on 127.0.0.1 only. Finally, add needed ACLs to the frontend definition.

The stats socket is now restricted to accept connections only from localhost, while your frontend proxy takes care of remote clients.

global
    daemon
    stats socket 127.0.0.1:1999
    ...

frontend stats-frontend
    bind *:2000
    default_backend stats-backend
    acl ...
    acl ...

backend stats-backend
    mode tcp
    server stats-localhost localhost:1999

answered Feb 08 '17 at 13:39

Leif John

181
1
6

This is actually quite a nice solution. Nice work!! – GregL Feb 08 '17 at 13:44
1

Also you should add "mode tcp" for a frontend section or you'll get an error. – warder Jan 15 '19 at 07:55

How to secure HAProxy TCP stats socket? Needed for remote operation

1 Answers1