In HAProxy it’s easy to keep a TCP connection pool open (using max-conn), but what I’d like to do is to authenticate every new connection to the backend coming from HAProxy.
The authentication follows a custom binary protocol that performs a three-way handshake (three requests).
Health checks are able to describe such binary protocol request / response sequences using tcp-send and tcp-check but I couldn’t find a way to do this for regular connection openings.
Because it’s an authentication from the HAProxy side and not from the client side.
It seems strange that there are ways to perform handshakes through the tcp-check and tcp-send mechanisms but not for regular requests.
Do you know of any other reverse-proxy that would let me do this?
I might try with Envoy but haven’t read about their feature support enough to confirm it’s possible.
As @lukastribus suggested, the “safest” (and “sanest”) solution for HAProxy-to-server authentication is perhaps using TLS client certificates. (If you need instructions on how, I could provide some help.)
However, although using TLS client certificates provides the “best” security, depending on your threat-model, perhaps “less” secure alternatives could be used, like for example:
checking if each request has a header with a known “secret” value;
or if you are afraid it might be intercepted and used in a “replay attack”, you could use that shared secret to compute a kind of HMAC by using the sha1 converter; use for example the current timestamp as the token to be “signed”;
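As an added example (not from the thread, and not HAProxy's own code), the following Python shows how the backend could verify the two “less secure” schemes sketched in the reply above: a fixed shared-secret header, and a timestamped token that HAProxy would compute and send alongside the current time. The header names `X-Proxy-Token` and `X-Proxy-Ts`, the secret value and the 30-second skew window are all constructed placeholders. In place of a bare sha1 over secret-plus-timestamp it uses a real HMAC-SHA1 (Python's `hmac` module), and it remembers tokens it has already accepted so that a captured pair cannot be replayed inside the clock-skew window that the time check alone leaves open.

```python
import hashlib
import hmac
import time

# Constructed placeholder; in practice load a long random secret that is
# shared only between HAProxy and the backend.
SHARED_SECRET = b"example-shared-secret-replace-me"
MAX_SKEW_SECONDS = 30            # how far a timestamp may drift from the backend clock
TOKEN_HEADER = "X-Proxy-Token"   # hypothetical header names, not HAProxy defaults
TS_HEADER = "X-Proxy-Ts"


def static_header_ok(headers, secret=SHARED_SECRET):
    """Scheme 1: the proxy sends the fixed shared secret in a header.
    Constant-time comparison avoids leaking how many leading bytes matched."""
    value = headers.get(TOKEN_HEADER, "")
    return hmac.compare_digest(value.encode("utf-8"), secret)


def make_timestamped_token(timestamp, secret=SHARED_SECRET):
    """Scheme 2: a keyed digest over the timestamp, as the proxy would compute it.
    HMAC-SHA1 is used instead of plain sha1(secret + timestamp) so the token
    cannot be forged or length-extended without the key."""
    msg = str(int(timestamp)).encode("ascii")
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


class TimestampedTokenVerifier:
    """Accepts a (timestamp, token) pair once, and only while the timestamp is
    within max_skew seconds of the backend clock. Remembering accepted tokens
    closes the replay window that the time check alone leaves open."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self._seen = {}  # accepted token -> timestamp it carried

    def _evict(self, now):
        # Tokens older than the window would fail the time check anyway,
        # so forgetting them keeps the replay cache bounded.
        cutoff = now - self.max_skew
        for tok in [t for t, ts in self._seen.items() if ts < cutoff]:
            del self._seen[tok]

    def verify(self, headers, now=None):
        now = time.time() if now is None else now
        self._evict(now)
        try:
            ts = int(headers.get(TS_HEADER, ""))
        except ValueError:
            return False  # missing or malformed timestamp
        if abs(now - ts) > self.max_skew:
            return False  # stale or from the future: reject before any crypto
        expected = make_timestamped_token(ts, self.secret)
        presented = headers.get(TOKEN_HEADER, "")
        if not hmac.compare_digest(expected, presented):
            return False
        if presented in self._seen:
            return False  # exact replay inside the window
        self._seen[presented] = ts
        return True


if __name__ == "__main__":
    # Constructed demonstration: one fresh request, then the same pair replayed.
    now = int(time.time())
    hdrs = {TS_HEADER: str(now), TOKEN_HEADER: make_timestamped_token(now)}
    v = TimestampedTokenVerifier()
    print("first presentation:", v.verify(hdrs, now=now))       # True
    print("replayed presentation:", v.verify(hdrs, now=now + 1))  # False
```

The replay cache is per-process; behind several backend workers it would need to be shared (or the window made short enough that a replay is not worth worrying about for your threat model). On the HAProxy side the matching step is an `http-request set-header` that emits the timestamp and the computed token; the exact converter chain depends on the HAProxy version in use.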