How to use HAProxy as LDAP -> LDAPS forward proxy

I have a collection of smallish internal-facing apps sitting on a server.

I have been asked to ‘secure’ these apps.

The apps currently:

  • provide HTTP service to clients
  • make use of a number of internal SOAP services
  • use LDAP (Active Directory) for user authentication

The various apps are written in Java, Groovy and Python.

Rather than hack each app, I would like to take a more system-based approach and completely interpose HAProxy between them and the rest of the world: I would like to have the apps ONLY talk on localhost and have HAProxy stand in for the apps–to both clients and backend systems. All (certificate) management will then be centralised. I assume that HAProxy will be more efficient at handling SSL/TLS as well…

I believe that I can use HAProxy (…there seem lots of example materials) to handle:

  • reverse proxy https(from world) → http(to localhost) for client access
  • forward proxy SOAP(over http, from localhost) → SOAP(over https, to world) with mutual authentication

I am unsure of the LDAP(from localhost)->LDAPS(to world) aspect.

Is this possible? Are there any HOWTO documents/pages/blogs/… detailing this?

I have seen very few examples of how this might happen. This makes me suspicious that I am trying to do something odd/stupid!

Suggestions/thoughts gratefully received.

(full disclosure: I asked a similar question on the nginx mailing list a little while ago…apologies in advance if this is against community standards [hope not!]. Getting the feeling that HAProxy is capable of meeting the LDAP side of things, where nginx may not be able to do it.)

LDAP with StartTLS: no.

LDAP over SSL: yes, for implicit SSL on ports like port 636 and 3269 and only if the client speaks LDAP over TCP (haproxy won’t translate between LDAP on UDP port and SSL).

Do understand that haproxy doesn’t know anything about LDAP. The only thing it can do is pickup a TCP connection and wrap it in SSL for the backend server. If that is enough for your use-case, you should be good.

I am using HAProxy in front of LDAP already.

It can support both SSL passthrough and/or termination, or translation and without any ssl if you needs to.
There is no difference in regards to how to write the rules for it compared to supporting HTTPS.

Pass_through: SNI extration and then by filtering on the domain name, you proxy it as TCP.

Termination and re-establishing ssl using certificate on the HAProxy and any certificate on the downstream LDAP server: no problems.

Translation from “LDAPS” to LDAP: Not possible as LDAPS is protocol based aswell as encrypted, and LDAP likewise but unencrypted.

Translatuon from StartTLS (LDAP over SSL) to LDAP: Possible as long as the SSL termination is done on HAProxy as the downstream is just the raw unencrypted data from the SSL stream.

I suggests using the SSL passthrough as then it is merely proxying the stream as-is without any alteration or modification.

TLS can only be terminated for implicit TLS, not explicit, therefor SSL termination with a StartTLS protocol is not possible, as explained above.

Implicit TLS is no problem, because we don’t care about the unencrypted protocol.

1 Like

Fair point, and what I meant, not what I wrote. :slight_smile: