I have a collection of smallish internal-facing apps sitting on a server.
I have been asked to ‘secure’ these apps.
The apps currently:
- provide HTTP service to clients
- make use of a number of internal SOAP services
- use LDAP (Active Directory) for user authentication
The various apps are written in Java, Groovy and Python.
Rather than hack each app, I would like to take a more system-based approach and completely interpose HAProxy between them and the rest of the world: I would like to have the apps ONLY talk on localhost and have HAProxy stand in for the apps–to both clients and backend systems. All (certificate) management will then be centralised. I assume that HAProxy will be more efficient at handling SSL/TLS as well…
I believe that I can use HAProxy (…there seem lots of example materials) to handle:
- reverse proxy https(from world) → http(to localhost) for client access
- forward proxy SOAP(over http, from localhost) → SOAP(over https, to world) with mutual authentication
I am unsure of the LDAP(from localhost)->LDAPS(to world) aspect.
Is this possible? Are there any HOWTO documents/pages/blogs/… detailing this?
I have seen very few examples of how this might happen. This makes me suspicious that I am trying to do something odd/stupid!
Suggestions/thoughts gratefully received.
(full disclosure: I asked a similar question on the nginx mailing list a little while ago…apologies in advance if this is against community standards [hope not!]. Getting the feeling that HAProxy is capable of meeting the LDAP side of things, where nginx may not be able to do it.)