Is HAProxy appropriate as a firewall?


#1

Hello,

I apologize if I’ve used the wrong category, or if this isn’t the place – I was hoping I could get an answer on the HAProxy site itself from a couple of experts.

I’ve been thinking that HAProxy could possibly be used as a firewall. I looked at a number of keywords that can reject source IPs, redirect requests, reject based on destination + source, listen to ports, and prevent DDoS. This sounds like a good opportunity for a firewall in addition to its other high availability features.

However, I don’t want to shoehorn my idea and use HAProxy for a use case it’s not intended for, or limited in its capacity. I’ve seen cases where companies are hamstrung because they use software for an unsupported use case – and then, instead of using a proper app, are hurt because of this.

While possibly creative, I’m curious to know if it is a supported use case – or simply not a good idea. I’ve seen many times people asking about putting HAProxy behind a firewall, but never using HAProxy as a standalone firewall.

Has anyone done this?


#2

Well that depends on what you expect. Firewall is a very broad term and you’d have to be more specific.

Which service is it that you want to protect, and what attack vectors would you like to protect these servers against exactly?


#3

My intention is to put it in front of all our web services, and connectivity to machines.

  • I can route and monitor traffic to the production website, as well as load balance.
  • Prevent any access to the beta websites that do not come from our office.
  • Prevent port access to machines and only allow known ports, like SSH or RDP, if they come from “source” and are headed to “destination”
  • Only access to the DB if it comes from a source machine web application
  • Only allow access to certain machines inside the office to privileged administrator machines
  • Reject requests that have been overly-voluminous in a short amount of time

Basically, I’m interested in controlling access based on a combination of destination and source. I’m looking to deny any access that would not fall within these rules. As well as preventing concurrent requests from destroying a server. As this is the “gatekeeper”, it is imperative that it is highly available. Every application and developer we have would be going through it. I’m not so much looking for banning certain file types, or MIME types – or virus detection.

I’m concerned about network contention, having about 50 DNS names point to the same IP and then having HAProxy route accordingly. I could slim that number and separate the IPs a bit, but it’s the same concept.

Does that shed more light on my intentions?


#4

Sounds good, as long as the services are incoming HTTP or TCP based services.

Of course you can’t replace an actual IP firewall for outgoing traffic and non-TCP related traffic, but incoming TCP and especially HTTP services will work just fine.
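The kind of source/destination gating and rate limiting described in the thread can be written as HAProxy ACLs, `use_backend` rules and stick tables. The configuration below is an added example written for this page, not part of the original posts or of HAProxy’s own documentation; every address, port, hostname, certificate path and the `/etc/haproxy/office.lst` file (one CIDR per line) are assumed values.

```haproxy
global
    log stdout format raw local0
    maxconn 20000

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Single public entry point: many DNS names resolve here, routing is by Host header.
frontend fe_web
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/     # assumed certificate directory
    http-request redirect scheme https unless { ssl_fc }

    acl from_office src -f /etc/haproxy/office.lst   # assumed allow-list of office CIDRs
    acl host_beta   req.hdr(host),lower -m beg beta.
    acl host_prod   req.hdr(host),lower -m str www.example.com

    # Per-client-IP counters: request rate over 10s and current open connections.
    stick-table type ip size 100k expire 30s store http_req_rate(10s),conn_cur
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    http-request deny deny_status 429 if { sc_conn_cur(0) gt 20 }

    # Beta sites are reachable from the office only; everything unknown is rejected.
    http-request deny deny_status 403 if host_beta !from_office
    use_backend be_beta if host_beta
    use_backend be_prod if host_prod
    default_backend be_reject

backend be_prod
    balance roundrobin
    option httpchk GET /healthz
    server web1 10.0.1.11:8080 check
    server web2 10.0.1.12:8080 check

backend be_beta
    server beta1 10.0.2.11:8080 check

backend be_reject
    http-request deny deny_status 403

# SSH to a bastion host: office sources only, connection-rate limited (TCP mode).
frontend fe_ssh
    mode tcp
    bind :2222
    acl from_office src -f /etc/haproxy/office.lst
    tcp-request connection reject unless from_office
    stick-table type ip size 10k expire 60s store conn_rate(60s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc_conn_rate(0) gt 10 }
    default_backend be_ssh

backend be_ssh
    mode tcp
    server bastion 10.0.3.5:22 check

# Database port: only the web application servers may connect.
frontend fe_db
    mode tcp
    bind :5432
    acl from_web src 10.0.1.11 10.0.1.12
    tcp-request connection reject unless from_web
    default_backend be_db

backend be_db
    mode tcp
    server db1 10.0.4.10:5432 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The rules only apply to connections that arrive on HAProxy’s own listeners, which is the limitation the reply above points out: anything sent directly to a backend address, and any non-TCP traffic such as UDP or ICMP, never passes through these ACLs. For the gating to hold, the web, bastion and database hosts must accept connections only from the HAProxy nodes (host firewall or network ACLs), and the HAProxy pair itself needs a floating address so that the "gatekeeper" stays available.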


#5

Awesome. Thank you for answering!

As far as I know, my current requirements are purely restricting network traffic across HTTP/HTTPS/TCP, so it looks like this could be feasible!