Hardening HAProxy For An A+ Rating


Recently we upgraded an external-facing proxy server at work from Ubuntu 12.04 + Apache to Ubuntu 14.04 + HAProxy. Because of the number of services that this proxy handles and the need for it to be secure, we needed to configure it to work with as many client devices as possible while still getting at least an A rating on ssllabs.com.

First things first, we need the latest HAProxy version. By default, Trusty Tahr ships with HAProxy 1.4.24. Unfortunately SSL support wasn't added until the 1.5 series. There is a 1.5 build in the Trusty Backports repository, however it's 1.5.4 and is missing some SSL options. Fortunately there is a PPA available with the latest release (1.5.14 as of this writing) that can be found here. Before proceeding, ensure the server itself is up to date.

    $ sudo apt-get update
    $ sudo apt-get dist-upgrade

Add the PPA and install HAProxy:

    $ sudo apt-add-repository ppa:vbernat/haproxy-1.5
    $ sudo apt-get update
    $ sudo apt-get install haproxy

Here is the relevant configuration for creating an A+ rating:

    global
      # Refuse SSLv3 and disable session tickets (tickets weaken forward secrecy)
      ssl-default-bind-options no-sslv3 no-tls-tickets
      # Forward-secret AES-GCM and AES256 suites only: ECDHE preferred, then DHE
      ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    frontend https-in
      bind *:443 ssl crt /path/to/your/cert.pem
      # HSTS for one year, covering subdomains and eligible for browser preload lists
      # (spaces in the header value must be backslash-escaped in haproxy.cfg)
      http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
      # Disallow framing of our pages and MIME-type sniffing of responses
      http-response set-header X-Frame-Options DENY
      http-response set-header X-Content-Type-Options nosniff

That's it! Note that this config will not work with IE6/8 on XP, nor with Java 6/7. If you have to support any of those clients, you may need to relax the bind ciphers a little.

Don't forget to re-test your server on ssllabs.com once you save the config and reload HAProxy!
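Before reloading, it is worth checking the config file itself. The script below is an added example, not part of the original post: it parses an haproxy.cfg offline and reports any of the settings above that are missing or weakened. It assumes the HAProxy 1.5 directive names shown in this post, and the sample config embedded in it is a constructed copy of the snippet above.

```python
import re
# Constructed sample: the global/frontend settings shown in the post.
SAMPLE_CFG = """
global
  ssl-default-bind-options no-sslv3 no-tls-tickets
  ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
frontend https-in
  bind *:443 ssl crt /path/to/your/cert.pem
  http-response set-header Strict-Transport-Security max-age=31536000;\\ includeSubdomains;\\ preload
  http-response set-header X-Frame-Options DENY
  http-response set-header X-Content-Type-Options nosniff
"""

def parse_sections(cfg):
    """Group indented directive lines under their unindented section header."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments; skip blanks
        if line and not raw[0].isspace():
            current = line                        # e.g. "global", "frontend https-in"
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def audit(cfg, min_hsts_age=31536000):
    """Return findings against the post's hardening settings; [] means all pass."""
    findings, sec = [], parse_sections(cfg)
    glob = " ".join(sec.get("global", []))
    if "no-sslv3" not in glob:
        findings.append("SSLv3 still enabled: add no-sslv3 to ssl-default-bind-options")
    if "no-tls-tickets" not in glob:
        findings.append("TLS session tickets enabled: add no-tls-tickets")
    ciphers = re.search(r"ssl-default-bind-ciphers\s+(\S+)", glob)
    if not ciphers or re.search(r"(^|:)(RC4|DES|MD5|NULL|aNULL|EXP)", ciphers.group(1)):
        findings.append("ssl-default-bind-ciphers missing or includes a weak family")
    for name, lines in sec.items():
        # Only TLS frontends (a "bind ... ssl" line) need the response headers.
        if not name.startswith("frontend") or not any(re.search(r"^bind .*\bssl\b", ln) for ln in lines):
            continue
        hdrs = {m.group(1).lower(): m.group(2).replace("\\ ", " ") for m in
                (re.match(r"http-response\s+set-header\s+(\S+)\s+(.*)", ln) for ln in lines) if m}
        age = re.search(r"max-age=(\d+)", hdrs.get("strict-transport-security", ""))
        if not age or int(age.group(1)) < min_hsts_age:
            findings.append(f"{name}: HSTS missing or max-age below {min_hsts_age}")
        if hdrs.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"{name}: X-Frame-Options not DENY or SAMEORIGIN")
        if hdrs.get("x-content-type-options", "").lower() != "nosniff":
            findings.append(f"{name}: X-Content-Type-Options nosniff missing")
    return findings
```

Run `audit(open("/etc/haproxy/haproxy.cfg").read())` on the live file; an empty list means the settings from this post are all present.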

Note: Updated on 2015/Jul/23 following HAProxy's recommendation to use http-response instead of rspadd.