Sanity check on my haproxy.conf file as a reverse proxy for Hugo

Mannekino · January 21, 2021, 2:09pm

Hello,

I’m currently learning some new stuff like building a simple website using Hugo and encrypting it with a Let’s Encrypt certificate. Unfortunately Hugo doesn’t have native support for SSL so I quickly found solutions for this by using HAProxy as a reverse proxy.

I’ve since watched a bunch of videos, read various parts of the documentation and blog posts and some tutorials. It’s a very basic website and I’ve come up with the following configuration for my HAProxy.

Please note I’m running this inside a TrueNAS (FreeBSD) Jail using iocage. I had to change the logging configuration part to get that to work but I managed to find some useful resources for that.

I would like to have a sanity check on my configuration file. How does this look for a basic configuration as a reverse proxy with SSL termination? Should I change anything, or add additional must-have configuration options I might have missed?

I want to use this as a basis for hosting more sites in the future using ACLs.

HAProxy version: HA-Proxy version 2.2.8
Hugo version: Hugo Static Site Generator v0.80.0
OpenSSL version: OpenSSL 1.1.1h

global
        maxconn 1024
        user root
        group wheel
        daemon
        log /var/run/log local0 debug
        ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
        log global
        mode http
        option httplog clf
        option dontlognull
        option logasap
        option http-server-close
        option forwardfor
        timeout connect 10s
        timeout client 30s
        timeout server 30s

frontend hugo_http
        mode http
        log global
        option httplog
        bind *:80
        http-request add-header X-Forwarded-Proto: http
        redirect scheme https code 301 if !{ ssl_fc }
        default_backend hugo

frontend hugo_https
        log global
        option httplog
        bind *:443 ssl crt /usr/local/etc/letsencrypt/live/<domain>/haproxy.pem
        http-request add-header X-Forwarded-Proto: https
        default_backend hugo

backend hugo
        log global
        option httplog
        mode http
        balance roundrobin
        server s1 127.0.0.1:1313

Thank you for your replies!

lukastribus · January 21, 2021, 7:22pm

I would suggest you don’t use option http-server-close, because the default keep-alive-mode will perform better.

There is no point really in adding the X-Forwarded-Proto: http header and specifying the default backend in the http frontend, when you redirect everything to HTTPS anyway.

I would also handle:

mode http
log global
option httplog

in the default section, and remove it everywhere else. You are only duplicating configuration, complicating the configuration unnecessarily.

Mannekino · January 21, 2021, 8:01pm

Thanks

Since I created this topic I’ve been watching and reading even more. I’ve also found the Mozilla SSL Configuration Generator and used it for my HAProxy.

I removed both the forward headers already, should I keep the https one in?

I also put everything in one frontend section. I used the SSL Labs tester to see how my configuration holds up and I got an A-rating. This is how my configuration file looks now:

global
        maxconn 1024
        user root
        group wheel
        daemon
        log /var/run/log local0 debug	
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets        

defaults
        log global
        mode http
        option httplog clf
        option dontlognull
        option logasap
        option forwardfor
        timeout connect 10s
        timeout client 30s
        timeout server 30s

frontend hugo
        bind *:80
        bind *:443 ssl crt /usr/local/etc/letsencrypt/live/<domain>/haproxy.pem
        http-request redirect scheme https unless { ssl_fc }
        http-response set-header Strict-Transport-Security "max-age=15778800; includeSubDomains; preload;"
        default_backend hugo

backend hugo
        log global
        option httplog
        mode http
        balance roundrobin
        server hugo 127.0.0.1:1313

lukastribus · January 21, 2021, 11:19pm

Whether you keep X-Forwarded-Proto: https in there or not depends on whether hugo uses it or not.

Topic		Replies	Views
HTTPS ReverseProxy + Basic authentification Help!	6	2990	October 11, 2017
Ha proxy as reverse proxy as WA for tlsv1.2->tlsv1 Help!	7	1274	January 14, 2020
Running haproxy as non root user i'd like to see logs Help!	3	3468	July 11, 2017
Assistance Needed for HAProxy as Forward Proxy for HTTPS APIs Help!	1	89	September 20, 2024
TLS Termination Help!	9	1886	July 30, 2018

Sanity check on my haproxy.conf file as a reverse proxy for Hugo

Related topics