HAProxy Stats over HTTPS only

rw75 · September 2, 2016, 4:29pm

hi,

Absolutely new to HAProxy and I am trying to get the HAProxy stats over https. As a matter of fact I want HAProxy stats to be accessible ‘only’ over https. Can anyone give me some pointers? The current config is shown below and works well on port 8888 but I need it over SSL. I have created the .pem certificate too

listen mariadb_cluster_writes 0.0.0.0:12206
## A failover pool for writes to ensure writes only hit one node at a time. 
        mode tcp
        option httpchk 
        server node_1 192.168.xxx.xxx:3306 check port 9200
        server node_2 192.168.xxx.xxx:3306 check port 9200 backup 
        server node_3 192.168.xxx.xxx:3306 check port 9200 backup

listen mariadb_cluster_reads 0.0.0.0:12208
## A load-balanced pool for reads to utilize all nodes for reads.
        mode tcp
        balance leastconn 
        option httpchk
	server node_1 192.168.xxx.xxx:3306 check port 9200
        server node_2 192.168.xxx.xxx:3306 check port 9200
        server node_3 192.168.xxx.xxx:3306 check port 9200

listen stats 0.0.0.0:8888
## HAProxy stats web gui.
	mode http
	stats enable
	stats hide-version
	stats uri /haproxy_stats
	stats realm HAProxy\ Statistics 
	stats auth haproxy:haproxy
	stats admin if TRUE

Thanks,
R.W

lukastribus · September 6, 2016, 1:43pm

Don’t specify the listening socket on the listen line, but use a dedicated bind statement. Then you can enable all SSL options you like.

listen stats
	bind 0.0.0.0:8888 ssl crt /bla/ble/cert.pem
	mode http
	stats enable

rw75 · September 7, 2016, 5:17am

thanks @lukastribus, let me give that a try

rw75 · September 7, 2016, 8:43pm

hi, it works but that brings me to another little question - how do I enable HSTS in HAProxy 1.5? My haproxy.cfg goes like this

listen stats
## HAProxy stats web gui.
	bind 0.0.0.0:443 ssl crt /etc/ssl/dblb.testcert.com.combined.pem no-sslv3 ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
	mode http
	stats enable
##	stats hide-version
	stats uri /haproxy_stats
	stats realm HAProxy\ Statistics 
	stats auth admin:admin_pwd
	stats admin if TRUE

Thanks once again for the help

Cheers,
R.W

lukastribus · September 9, 2016, 7:16am

rw75 · September 9, 2016, 10:08am

@lukastribus thanks…I found that last night and it helped!

Thanks for all the help

Topic		Replies	Views
Stats Socket Issue haproxy -v 2.0.26 Help!	0	285	December 29, 2021
HTTP mode with SSL for Geth RPC Help!	0	327	January 13, 2024
Can't get HAPROXY to send stats or info data to Metricbeat Help!	0	237	April 8, 2024
Stats socket reporting empty stats Help!	1	1329	June 29, 2018
TLS Passthrough with new port listening and RPC filtering Help!	7	973	December 12, 2018

HAProxy Stats over HTTPS only

Related topics