HAProxy Stats over HTTPS only


#1

Hi,

Absolutely new to HAProxy and I am trying to get the HAProxy stats over HTTPS. As a matter of fact I want HAProxy stats to be accessible ‘only’ over HTTPS. Can anyone give me some pointers? The current config is shown below and works well on port 8888, but I need it over SSL. I have created the .pem certificate too.

listen mariadb_cluster_writes 0.0.0.0:12206
## A failover pool for writes to ensure writes only hit one node at a time. 
        mode tcp
        option httpchk 
        server node_1 192.168.xxx.xxx:3306 check port 9200
        server node_2 192.168.xxx.xxx:3306 check port 9200 backup 
        server node_3 192.168.xxx.xxx:3306 check port 9200 backup

listen mariadb_cluster_reads 0.0.0.0:12208
## A load-balanced pool for reads to utilize all nodes for reads.
        mode tcp
        balance leastconn 
        option httpchk
        server node_1 192.168.xxx.xxx:3306 check port 9200
        server node_2 192.168.xxx.xxx:3306 check port 9200
        server node_3 192.168.xxx.xxx:3306 check port 9200

listen stats 0.0.0.0:8888
## HAProxy stats web gui.
	mode http
	stats enable
	stats hide-version
	stats uri /haproxy_stats
	stats realm HAProxy\ Statistics 
	stats auth haproxy:haproxy
	stats admin if TRUE

Thanks,
R.W


#2

Don’t specify the listening socket on the listen line, but use a dedicated bind statement. Then you can enable all SSL options you like.

listen stats
	bind 0.0.0.0:8888 ssl crt /bla/ble/cert.pem
	mode http
	stats enable
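
Added example (not part of the original thread and not HAProxy's own tooling): a small Python check that reads a haproxy.cfg and reports any section with `stats enable` that still accepts plaintext connections, either through an address on the `listen` line or through a `bind` without `ssl`. The sample config, section names and certificate path are constructed, and it assumes stats are enabled in the same section that listens, as in the configs in this thread.

```python
import re

# Constructed sample: the inline-address form from the question next to the
# bind-based form from the reply (addresses and cert path are placeholders).
SAMPLE_CFG = """\
listen mariadb_cluster_reads 0.0.0.0:12208
    mode tcp
    server node_1 192.0.2.11:3306 check port 9200

listen stats_plain 0.0.0.0:8888
    mode http
    stats enable

listen stats_tls
    bind 0.0.0.0:8443 ssl crt /path/to/cert.pem
    mode http
    stats enable
"""

SECTION = re.compile(r"^(listen|frontend|backend|defaults|global)\b\s*(.*)$")

def plaintext_stats_listeners(cfg_text):
    """Return (section, address) pairs where a section that enables stats
    also accepts connections without TLS."""
    sections = {}                                # name -> findings
    current = {"stats": False, "plain": []}      # lines before any section
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            words = m.group(2).split()
            name = words[0] if words else m.group(1)
            current = sections.setdefault(name, {"stats": False, "plain": []})
            # An address on the listen line cannot carry ssl options.
            if m.group(1) == "listen":
                current["plain"] += words[1:2]
            continue
        words = line.split()
        if words[0] == "bind" and len(words) > 1 and "ssl" not in words[2:]:
            current["plain"].append(words[1])
        elif words[:2] == ["stats", "enable"]:
            current["stats"] = True
    return [(n, a) for n, s in sections.items() if s["stats"] for a in s["plain"]]

if __name__ == "__main__":
    for name, addr in plaintext_stats_listeners(SAMPLE_CFG):
        print(f"stats section '{name}' listens without TLS on {addr}")
```

An empty result means every stats-enabled section found listens only on `bind ... ssl` sockets.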

#3

Thanks @lukastribus, let me give that a try.


#4

Hi, it works, but that brings me to another little question: how do I enable HSTS in HAProxy 1.5? My haproxy.cfg goes like this:

listen stats
## HAProxy stats web gui.
	bind 0.0.0.0:443 ssl crt /etc/ssl/dblb.testcert.com.combined.pem no-sslv3 ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
	mode http
	stats enable
##	stats hide-version
	stats uri /haproxy_stats
	stats realm HAProxy\ Statistics 
	stats auth admin:admin_pwd
	stats admin if TRUE

Thanks once again for the help.

Cheers,
R.W


#5

#6

@lukastribus Thanks… I found that last night and it helped! :slight_smile:

Thanks for all the help.