Stats page access: Restrict the stats page to trusted IP addresses only, using ACLs:
    frontend stats
        bind *:8404 ssl crt /path/to/cert.pem
        acl allowed_network src 192.168.1.0/24
        http-request deny unless allowed_network
        stats enable
        stats uri /stats
        stats refresh 30s
Admin socket binding: Bind admin sockets to localhost only:
    global
        stats socket ipv4@127.0.0.1:9999 level admin
Interface binding: Bind to specific interfaces rather than all interfaces:
    frontend http_front
        bind 192.168.1.10:80 # Specific IP instead of *:80
TLS enforcement: Use TLS for all frontend listeners with strong configuration.
Disable unused features: Disable Lua scripting and SPOE (Stateless Protocol Extension) if they are not needed, to reduce the attack surface.
Secure stats socket: Protect the stats socket with proper permissions and ACLs:
    global
        stats socket /var/run/haproxy/admin.sock mode 660 level admin
Strict ACLs: Implement strict ACLs for admin actions and sensitive endpoints:
    acl secure_src src -f /etc/haproxy/trusted_ips.txt
    http-request deny if !secure_src
Hide version information: Hide the HAProxy version in error pages and headers (stats hide-version is a stats directive, so it belongs in the stats frontend or listen section, not in global):
    frontend stats
        stats hide-version
Dedicated user: Run HAProxy as a dedicated, low-privilege user:
    global
        user haproxy
        group haproxy
Chroot environment: Use chroot to limit filesystem access:
    global
        chroot /var/lib/haproxy
File permissions: Set appropriate file permissions on config files, certificates, and private keys:
    chmod 600 /etc/haproxy/haproxy.cfg
    chmod 600 /path/to/private/key.pem
Resource limits: Set appropriate resource limits in the systemd service file:
    [Service]
    LimitNOFILE=65536
    LimitNPROC=32768
Add security headers: Add important security headers to responses (the legacy rspadd directive was removed in HAProxy 2.1; use http-response set-header):
    # In a frontend or backend section
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options DENY
    http-response set-header X-XSS-Protection "1; mode=block"
Remove sensitive headers: Remove potentially sensitive headers (rspdel was removed alongside rspadd; use http-response del-header):
    http-response del-header Server
    http-response del-header X-Powered-By
Structured logging: Use structured logging for better analysis:
    defaults
        log-format '{"timestamp":"%T", "client_ip":"%ci", "backend_name":"%b", "server_name":"%s", "request":"%r", "status_code":%ST}'
Log rotation: Implement proper log rotation to prevent disk space issues.
Centralized logging: Forward logs to a centralized logging system for analysis.
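The value of the JSON log-format above is that a collector can parse each line into fields and run detection over them. The following is an added example, not HAProxy's own tooling: it assumes the exact log-format shown above, plus the syslog prefix a remote collector normally prepends, and flags clients with repeated 401/403 responses and backends with a high 5xx share. It also counts lines that are not valid JSON rather than dropping them silently: an unquoted %r that contains a literal double quote breaks the JSON object (HAProxy's %{+Q}r variant quotes and escapes the field). The sample log lines are constructed for this example.

```python
"""Detection over HAProxy JSON log-format output (added example)."""
import json
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample: one client failing auth repeatedly, one backend returning
# a 5xx, and one line broken by an unescaped quote inside the request field.
SAMPLE_LOG = """\
<134>Jun 10 12:00:01 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:01 +0000", "client_ip":"203.0.113.5", "backend_name":"web_back", "server_name":"web1", "request":"POST /login HTTP/1.1", "status_code":401}
<134>Jun 10 12:00:02 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:02 +0000", "client_ip":"203.0.113.5", "backend_name":"web_back", "server_name":"web1", "request":"POST /login HTTP/1.1", "status_code":401}
<134>Jun 10 12:00:03 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:03 +0000", "client_ip":"203.0.113.5", "backend_name":"web_back", "server_name":"web1", "request":"POST /login HTTP/1.1", "status_code":401}
<134>Jun 10 12:00:04 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:04 +0000", "client_ip":"203.0.113.5", "backend_name":"web_back", "server_name":"web1", "request":"GET /admin HTTP/1.1", "status_code":403}
<134>Jun 10 12:00:05 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:05 +0000", "client_ip":"203.0.113.5", "backend_name":"web_back", "server_name":"web1", "request":"POST /login HTTP/1.1", "status_code":401}
<134>Jun 10 12:00:06 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:06 +0000", "client_ip":"198.51.100.7", "backend_name":"web_back", "server_name":"web2", "request":"GET / HTTP/1.1", "status_code":200}
<134>Jun 10 12:00:07 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:07 +0000", "client_ip":"198.51.100.7", "backend_name":"web_back", "server_name":"web2", "request":"GET /report HTTP/1.1", "status_code":503}
<134>Jun 10 12:00:08 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:08 +0000", "client_ip":"198.51.100.7", "backend_name":"api_back", "server_name":"api1", "request":"GET /v1/status HTTP/1.1", "status_code":200}
<134>Jun 10 12:00:09 lb1 haproxy[1234]: {"timestamp":"10/Jun/2024:12:00:09 +0000", "client_ip":"203.0.113.9", "backend_name":"web_back", "server_name":"web1", "request":"GET /search?q="x" HTTP/1.1", "status_code":200}
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the JSON record from one log line, or None if it is unusable.

    The syslog prefix is skipped by locating the first '{'. A request line
    with an unescaped '"' (see the last sample line) is rejected by the JSON
    parser, which is exactly the case %{+Q}r exists for.
    """
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if "client_ip" not in rec or not isinstance(rec.get("status_code"), int):
        return None
    return rec


def analyze(lines: Iterable[str], auth_fail_threshold: int = 5) -> Dict[str, object]:
    """Aggregate parsed records into two detection signals plus parse counters.

    auth_hotspots: client IPs with at least auth_fail_threshold 401/403 responses
                   (credential guessing or enumeration of protected paths).
    backend_5xx:   share of 5xx responses per backend (availability signal).
    """
    parsed = skipped = 0
    auth_fails: Counter = Counter()
    total: Counter = Counter()
    errors: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # surfaced, not hidden: a rising count means broken logging
            continue
        parsed += 1
        backend = rec.get("backend_name", "-")
        total[backend] += 1
        if rec["status_code"] in (401, 403):
            auth_fails[rec["client_ip"]] += 1
        if rec["status_code"] >= 500:
            errors[backend] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "auth_hotspots": {ip: n for ip, n in auth_fails.items() if n >= auth_fail_threshold},
        "backend_5xx": {b: errors[b] / total[b] for b in total},
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

Run against the sample, the analysis reports eight parsed and one skipped line, flags 203.0.113.5 with five auth failures, and gives web_back a 5xx share of one in seven. The thresholds are deliberately plain counters; a production collector would key them by time window as well.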
Validate configurations: Always validate configurations before applying:
    haproxy -c -f /etc/haproxy/haproxy.cfg
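haproxy -c checks syntax, not policy: a config that binds the stats page to *:8404 with no ACL passes it. As an added example (not part of HAProxy or any vendor tooling), the lint below parses a config into sections and flags the hardening points from this page: no chroot or dedicated user in global, a TCP stats socket not on loopback, stats hide-version misplaced in global, wildcard or non-TLS bind lines, a stats section without an http-request deny ACL or without hide-version, and the removed rspadd/rspdel family. The two configs it is run against are constructed for this example; the comment handling and section grammar are simplified assumptions, good enough for a pre-deploy check but not a full HAProxy parser.

```python
"""Policy lint for a HAProxy config, complementing `haproxy -c` (added example)."""
import re
from typing import List, Tuple

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
COMMENT_RE = re.compile(r"(^|\s)#.*$")                    # '#' at line start or after whitespace
WILDCARD_RE = re.compile(r"^(\*|0\.0\.0\.0|\[::\]|)(:\d+)$")  # *:80, :80, 0.0.0.0:80, [::]:80
LOOPBACK_RE = re.compile(r"^(ipv4@|ipv6@)?(127\.0\.0\.1|\[::1\]|localhost):\d+$")
DEPRECATED = ("rspadd", "rspdel", "rsprep", "reqadd", "reqdel", "reqrep")  # removed in HAProxy 2.1

Section = Tuple[str, str, List[str]]  # (kind, name, directive lines)


def parse_sections(cfg: str) -> List[Section]:
    """Split a config into sections; comments and blank lines are dropped."""
    sections: List[Section] = []
    current = None
    for raw in cfg.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def lint(cfg: str) -> List[str]:
    """Return one finding per hardening point the config fails; [] means clean."""
    findings: List[str] = []
    sections = parse_sections(cfg)
    glob = [l for kind, _, lines in sections if kind == "global" for l in lines]
    if not any(l.startswith("chroot ") for l in glob):
        findings.append("global: no chroot directive")
    if not any(l.startswith("user ") for l in glob):
        findings.append("global: no dedicated user")
    for l in glob:
        if l.startswith("stats hide-version"):
            findings.append("global: 'stats hide-version' belongs in the stats frontend/listen section")
        if l.startswith("stats socket "):
            target = l.split()[2]
            # Unix sockets are local by construction; TCP sockets must sit on loopback
            if not target.startswith("/") and not LOOPBACK_RE.match(target):
                findings.append(f"global: stats socket {target} is reachable off-host")
    for kind, name, lines in sections:
        label = f"{kind} {name}".strip()
        for l in lines:
            if l.split()[0] in DEPRECATED:
                findings.append(f"{label}: '{l.split()[0]}' was removed in HAProxy 2.1; "
                                "use http-request/http-response actions")
        if kind not in ("frontend", "listen"):
            continue
        for l in lines:
            if l.startswith("bind "):
                parts = l.split()
                addr = parts[1]
                if WILDCARD_RE.match(addr):
                    findings.append(f"{label}: bind {addr} listens on all interfaces")
                if "ssl" not in parts[2:]:
                    findings.append(f"{label}: bind {addr} has no TLS")
        if "stats enable" in lines:
            if not any(l.startswith("http-request deny") for l in lines):
                findings.append(f"{label}: stats page has no http-request deny ACL")
            if "stats hide-version" not in lines:
                findings.append(f"{label}: stats page reveals the HAProxy version")
    return findings


# Constructed: the weak shape this page warns against.
WEAK_CFG = """
global
    stats socket ipv4@0.0.0.0:9999 level admin
    stats hide-version

frontend http_front
    bind *:80
    rspadd X-Frame-Options: DENY

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
"""

# Constructed: the same deployment after applying the items above.
HARDENED_CFG = """
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    stats socket /var/run/haproxy/admin.sock mode 660 level admin
    stats socket ipv4@127.0.0.1:9999 level admin

frontend http_front
    bind 192.168.1.10:443 ssl crt /path/to/cert.pem  # specific IP, TLS only
    http-response set-header X-Frame-Options DENY

frontend stats
    bind 192.168.1.10:8404 ssl crt /path/to/cert.pem
    acl allowed_network src 192.168.1.0/24
    http-request deny unless allowed_network
    stats enable
    stats uri /stats
    stats hide-version
"""

if __name__ == "__main__":
    for finding in lint(WEAK_CFG):
        print(finding)
    print("hardened config findings:", lint(HARDENED_CFG))
```

The weak config produces eleven findings and the hardened one none. Wire the lint next to haproxy -c in the deploy pipeline and treat any finding as a failed check; extend the checks rather than the exception list when a legitimate deployment needs a wildcard bind (for example an HTTP-to-HTTPS redirect listener).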
Regular updates: Keep HAProxy updated with security patches.
Configuration backups: Maintain secure backups of configuration files.
TCP optimizations: Tune kernel parameters for better performance and security:
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_keepalive_time = 1200
    net.ipv4.tcp_max_syn_backlog = 8192
Firewall rules: Implement proper firewall rules to limit access to HAProxy ports.