Teknikal's_Domain

#<NTA:NnT:SSrgS:H6.6-198:W200-90.72:CBWg>

Adventures in HAProxy

2019-09-10 11 min read Behind the scenes Network maintenance Teknikal_Domain Unable to load comment count

For those of you that do not know, haproxy is an amazing little piece of kit that can proxy HTTP and arbitrary TCP connections. It’s also so customizeable that I’m practically using it as my main NAT to my network, and do indeed refer to it internally as the “border gateway.” With one exception (SSH, more on that later), everything that comes into the TD-StorageBay network, yes, that includes this site too, passes through that one process. However, HA cannot do everything… and I feel that I’m pushing its limits. Not in the “sheer workload” sense, no, I am way far off from that. I mean in the old Mythbusters style “using things in ways for which they were never intended” manner.

First problem: SSH

For those unaware, SSH (Secure SHell) is a method of gaining a shell (login and console) on a remote server.And yes, it’s secure. Who would have guessed? Two TDSB servers have external-facing SSH access: the primary domain (GitLab) and Gen (literally everything else except mail and IRC). Not a gripe with HAProxy exactly, but it’s relevant: SSH has no SNI or Host mechanism like TLS or HTTP does. You connect to a port and begin an immediate exchange, there is no “I’m looking for gen.tdstoragebay.com not tdstoragebay.com” in that. This can easily be solved by mapping one to a different port instead of the default (port 22), that won’t cause too much user hassle. That’s actually not the issue.

The issue here is that, along with any other remote login service, it’s a rather high value target for hackers to find valid SSH credentials and gain access to a system. As such, SSH services are very prone to attack (Note to self, maybe make a post on the dumb names I’ve seen tried…). This would be okay, except… well I can’t log it. If SSH passes through HAProxy, then suddenly HAProxy’s IP is all over the logs. And with the advent of systems like fail2ban, I’ll just ban my proxy, which isn’t really useful.

Now some of you are probably about to point out the PROXY protocol. Yes, I know it exists. And nope, it doesn’t work. sshd, the SSH server, does not support PROXY. Here’s the start of an example connection:

C: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
S: SSH-2.0-OpenSSH_7.4
<key exchange follows>
...

And here is what happens when I try to send a PROXY string using telnet:

$ telnet 192.168.5.20 22
Trying 192.168.5.20...
Connected to 192.168.5.20.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
PROXY TCP4 45.89.234.81 192.168.5.20 45310 22
Protocol mismatch.
Connection closed by foreign host.

No dice, cue the sad trombone. sshd will not accept the PROXY header, and… as far as I can tell, it’s really not a priority feature.

Workaround

Simple: I already have a NAT in front of HA. I’ll just DNAT the two SSH ports to bypass it entirely, problem solved.

This also clears up a few things, since HA wasn’t really meant for long-running TCP connections, since it only logs at the end of a session… unless you specified logasap, but that makes my log parsing a pain, and takes off a fair amount of useful information (like byte counts).

Second Problem: Conditional Response Headers

HA is set up to add a LOT of response headers on any connection. HSTS if secure, and a few other famous ones: CSP, XSS-Protection, Frame-Options, Expect-CT, NEL, there’s quite a few. And well… sometimes I don’t want them there. Prime example: mail server.

The mail server

mail.tdstoragebay.com is special… RoundCube (the webmailer) displays the contents of your emails in an iframe… which works until you block iframes. It uses inline scripts and styles, which work…. until the CSP rejects them. And because how HAProxy handles requests, I do not have access to request information in the response. This means that I cannot use an ACL with req.hdr(Host) -m beg mail for my http-response set-header because… the request is not available at this processing step. I can’t (easily, to the best of my knowledge) just filter on backend servers, so I made a workaround… add a new header.

In my Apache config, there’s a line that looks something like this:

Header set always Lax-Mail-Security true

This means that any response from the mail server will include Lax-Mail-Security: true in it. If HAProxy sees this header, then it will change it’s various security headers, and just delete that one.

A very weird way of doing things if you ask me. Why do I need to edit each server’s configuration to add an identification header when… well, host already exists, unless I’m supposed to just echo that on the backend?

Third Problem: Dealing with Multiple Domains

Note that when I say multiple domains, I do not mean subdomains. That’s rather easy to accomplish. No, I’m talking about two completely different domains…. like tdstoragebay.com and teknikaldomain.me going through the same proxy.

Header Troubles

So first off… tdstoragebay.com has a lot of security headers… I mean just look at this:

HTTP/2 302
date: Sat, 14 Sep 2019 22:28:53 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache
location: https://tdstoragebay.com/users/sign_in
x-request-id: Ltyfta2FZN9
x-runtime: 0.022560
x-ua-compatible: IE=edge
vary: Accept-Encoding
x-varnish: 729557
age: 0
via: 1.1 varnish (Varnish/6.2)
content-length: 104
content-security-policy: default-src https: 'self' 'unsafe-inline'; img-src * data:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri https://tdstoragebay.report-uri.com/r/d/csp/enforce
server: TD-StorageBay Border Ingress
report-to: {group:default,max_age:31536000,endpoints:[{url:https://tdstoragebay.report-uri.com/a/d/g}],include_subdomains:true}
nel: {report_to:default,max_age:31536000,include_subdomains:true}
expect-ct: enforce, max-age=86400, report-uri=https://tdstoragebay.report-uri.com/r/d/ct/enforce
strict-transport-security: max-age=31536000;includeSubdomains;preload
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: sameorigin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block; report=https://tdstoragebay.report-uri.com/r/d/xss/enforce
x-robots-tag: noindex, nofollow

Everything from content-security-policy on down is for security… maybe I’ll make a post at a later date detailing what each of those does. For now though, it’s sufficient to know that they’re here… and they are specific to tdstoragebay.com and not any other domain name!

Just as an example, at the time of writing, when vising teknikaldomain.me (right here!), the content-security-policy header prevents you from loading all the required fonts and icons, strict-transport-security is advertising preload which this site is not (though maybe it should be), server shows TDSB, though that’s not actually a security header (nor is it important that it technically has the wrong name, it’s pretty much ignored), the nel and report-to headers, for reporting errors and CSP violations, well… they’re for reporting tdstoragebay.com infractions which muddy my reports, and half the time are just plain useless.

Not to mention, since other domains actually use Cloudflare for more than just DNS, CF’s headers and systems start to clash with mine, and…. it’s a mess.

So as seen above, with conditional response headers, the problem becomes how to actually modify headers when the primary way of identifying what the headers go to cannot be seen. Well, there’s a few solutions.

Solution 1: Internal Headers

And this was my solution for the above section: send a header that’s checked by the proxy, used as a conditional, and then deleted before it reaches the client. This works well, but this also means I’d need to edit every TDSB server to send a header, or I’d need to edit every non-TDSB server to send a header, and use that as the conditional. While yes, this would definitely work, for one, I cannot (easily) add custom headers to GitLab output. The counterpart, make every non-TDSB server send a header is easy… I have one server, and since this one is actually running Nginx not Apache , that’s easy to add. The problem is that it’s not easily able to be scaled. Every new server is going to need to implement this header. Because of this… not my solution.

Solution 2: Further Upstream

HAProxy isn’t the only step in request routing, there’s also a local Varnish cache that everything passes through. Yes, it is configured to bypass it if it goes down (though if Varnish is down, that usually means we have other issues.) I could simply use a lot of set resp.http.<header> = <value>; in my top level VCL (More on modular VCL in another post), and take HAProxy out of this entirely. The issue is that any change requires reloading and swapping VCL modules, which, while not hard, isn’t as simple as changing one single line and systemctl reload haproxy. So while entirely possible, I didn’t go with this only because it’s just more complexity. Plus, some headers are best set by HAProxy which actually knows details about the incoming client request, so then I’d have two things setting headers, and…. yeah no, I’ll pass.

Solution 3: Varnish to HAProxy Internal Header.

This is probably the most hacky of them all. You see, Varnish is only used for tdstoragebay.com, other domains use Cloudflare for most of the work, let’s me focus most of my configuration and effort on my main website. This also means that caching on my end is technically not required, and so Varnish is only used for tdstoragebay.com. What this means is that in my top level VCL I can add one line… say set resp.http.tdsb = "1"; or something, some header that will never occur naturally (value is unimportant), and test for its existence with HAProxy and then set headers there. This is the most flexible solution, since it works by default for any other domain, and to get the headers to work, I just need to make sure requests are routed to the varnish backend in HA, and Varnish itself is configured to accept them. There is, however, potentially one better solution.

Solution 4: Set Headers in Backend

Let’s look at two chunks of my HAProxy configuration:

listen web
    description Singular HTTP entrypoint for all domains
    mode http
    timeout tunnel 60m
    acl mail-backend res.hdr(Lax-Mail-Security) -m found
    acl cache-down nbsrv(varnish) lt 1
    acl has-host req.hdr(Host) -m sub tdstoragebay.com
    acl acme path_beg /.well-known/acme-challenge
    acl vcs req.hdr(Host) -m beg cvs svn darcs hg bk mtn bzr
    option http-use-htx
    option forwardfor
    bind :80
    bind :443 alpn h2,http/1.1 ssl crt /etc/haproxy/wildcard.pem crt /etc/haproxy/tdstoragebay.pem crt /etc/haproxy/mattermost.pem crt /etc/haproxy/gen.pem crt /etc/haproxy/mail.pem crt /etc/haproxy/teknikaldomain.pem ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.3
    bind :9000 alpn http/1.1 ssl crt /etc/haproxy/wildcard.pem ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.3
    bind :5050 alpn http/1.1 ssl crt /etc/haproxy/tdstoragebay.pem ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.3
    http-request redirect scheme https code 301 if !{ ssl_fc } !acme
    http-request redirect location https://plantuml.tdstoragebay.com/plantuml/ code 302 if { req.hdr(Host) -m beg plantuml } !{ path -m beg /plantuml/ }
    http-request redirect location https://cvs.tdstoragebay.com/viewvc code 302 if { req.hdr(Host) -m beg cvs } { path / }
    http-request redirect location https://svn.tdstoragebay.com/viewvc code 302 if { req.hdr(Host) -m beg svn } { path / }
    http-request redirect location https://darcs.tdstoragebay.com/darcs code 302 if { req.hdr(Host) -m beg darcs } { path / }
    http-request redirect location https://hg.tdstoragebay.com/hg code 302 if { req.hdr(Host) -m beg hg } { path / }
    http-request redirect location https://monitoring.tdstoreagebay.com:9000/ code 302 if !{ dst_port 9000 } { req.hdr(Host) -m sub monitoring.tdstoragebay.com }
    http-request tarpit if { req.hdr(User-Agent) -m sub SemrushBot AhrefsBot Googlebot bingbot Baiduspider YandexBot AwarioRssBot }
    http-request deny if { path -m beg /server-status }
    http-request deny deny_status 405 if { method TRACE CONNECT }
    default_backend varnish
    use_backend graylog   if { req.hdr(Host) -m sub monitoring.tdstoragebay.com }
    use_backend myblog    if { req.hdr(Host) -m sub teknikaldomain.me }
    use_backend lab       if { req.hdr(Host) -m sub mattermost.tdstoragebay.com } or { dst_port 5050 }
    use_backend local     if acme
    use_backend vcs-web   if vcs { req.hdr(User-Agent) -m sub mercurial darcs bzr SVN BitKeeper }
    use_backend lab       if cache-down !has-host
    use_backend lab       if cache-down { req.hdr(Host) -m beg tdstoragebay.com }
    use_backend mail-web  if cache-down has-host { req.hdr(Host) -m sub mail.tdstoragebay.com }
    use_backend vcs-web   if cache-down has-host vcs
    capture request  header Host len 32
    capture request  header User-Agent len 64
    capture response header X-Varnish len 32
    capture response header Age len 16

    http-response add-header Access-Control-Allow-Origin * if { res.hdr(Web-Key-Directory) -m found }

    http-response set-header Content-Security-Policy default-src\ https:\ \'self\'\ \'unsafe-inline\';\ img-src\ *\ data:;\ script-src\ \'self\'\ https:\ \'unsafe-inline\'\ \'unsafe-eval\';\ upgrade-insecure-requests;\ report-uri\ https://tdstoragebay.report-uri.com/r/d/csp/enforce
    http-response set-header Server TD-StorageBay\ Border\ Ingress
    http-response set-header Report-To {"group":"default","max_age":31536000,"endpoints":[{"url":"https://tdstoragebay.report-uri.com/a/d/g"}],"include_subdomains":true}
    http-response set-header NEL {"report_to":"default","max_age":31536000,"include_subdomains":true}
    http-response set-header Expect-CT enforce,\ max-age=86400,\ report-uri="https://tdstoragebay.report-uri.com/r/d/ct/enforce"
    http-response set-header Strict-Transport-Security max-age=31536000;includeSubdomains;preload if { ssl_fc }
    http-response set-header Referrer-Policy strict-origin-when-cross-origin
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Download-Options noopen
    http-response set-header X-Frame-Options sameorigin
    http-response set-header X-Permitted-Cross-Domain-Policies none
    http-response set-header X-XSS-Protection 1;\ mode=block;\ report=https://tdstoragebay.report-uri.com/r/d/xss/enforce
    http-response set-header X-Robots-Tag noindex,\ nofollow

    http-response del-header Pragma
    http-response del-header X-Powered-By
    http-response del-header Lax-Mail-Security if mail-backend
backend varnish
    description Web cache servers
    mode http
    option httpchk
    server      local 127.0.0.1:6081 check send-proxy-v2 proto h2

You may not be able to understand most of it, but I’ll explain one thing:

Towards the bottom of the first block there’s a few http-response blocks… one for set-header, one for add-header, and one for del-header. Using set and add will add headers (difference isn’t important here), and del removes them. As you can see, most headers here are unconditional: there is no if or unless on those lines. And because this is the frontend declaration, this means that all requests, period, get these tacked on.

Now here’s a thing about HAProxy: I could just as easily add these header modifications in the backend section, meaning only requests that pass through that backend will have the headers added in their response. By copying all the lines to the varnish block, I’ve essentially replicated the same results as solution 3, but with 0 configuration changes to Varnish. Hence why I’ll be using this solution going forward.

comments powered by Disqus