How to perform connection authorization handshake?

Hi everyone,

In HAProxy it’s easy to keep a TCP connection pool open (using max-conn), but what I’d like to do is to authenticate every new connection to the backend coming from HAProxy.

The authentication follows a custom binary protocol that performs a three-way handshake (three requests).

Health checks are able to describe such binary protocol request / response sequences using tcp-send and tcp-check but I couldn’t find a way to do this for regular connection openings.

Can anybody enlighten me?

Why would your client not support your own authentication protocol?

This cannot be done with haproxy, it’s not supported.

Because it’s an authentication from the HAProxy side and not from the client side.
It seems strange that there are ways to perform handshakes through the tcp-check and tcp-send mechanisms but not for regular requests.

Do you know of any other reverse-proxy that would let me do this?
I might try with Envoy but haven’t read about their feature support enough to confirm it’s possible.

There is SSL for this. I never heard of proprietary authentication protocols between a proxy and a backend server.

Not to me it doesn’t, those mechanisms are required to health check protocols other than HTTP, which is quite common.

Having the proxy authenticate itself to the backend by using a proprietary TCP protocol, on the other hand, seems rather strange to me.

No, I never heard anyone even requiring such a feature, let alone products implementing it.

I’m not sure if LUA could help here, but if I were you, I’d go back to the drawing board and reconsider this requirement.

As @lukastribus suggested the “safest” (and “sanest”) solution for HAProxy-to-server authentication is perhaps using TLS client certificates. (If you need instructions on how, I could provide some help.)

However, although using TLS client certificates provides the “best” security, depending on your threat-model, perhaps “less” secure alternatives could be used, like for example:

  • checking if each request has a header with a known “secret” value;
  • or if you are afraid it might be intercepted and used in a “replay attack”, you could use that shared secret to compute a kind of HMAC by using the sha1 converter; use for example the current timestamp as the token to be “signed”;