HAProxy for HTTP servers and SSH

Today I want to say a little about how the HTTP server behind systemd.info works, a setup I have wanted to share for some time (the original idea comes from chmd).

I like to apply the Unix philosophy: simple but effective tools, each doing one job.

So, a few months ago, I moved TLS termination for my site to HAProxy.

Each component does its own work: the web server (nginx or anything else) serves the content, and HAProxy handles the encryption.

This choice gives me the best TLS security currently achievable, as measured by the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=systemd.info&s=5.135.181.176&latest

But what does SSH have to do with this? HAProxy can put a TLS layer in front of any TCP protocol, so it is possible to run SSH (or anything else, for that matter) over TLS.

In terms of encryption this buys nothing, since SSH is already an encrypted protocol; it only adds overhead. What it does buy is the ability to use SSH on a network that only lets HTTP or HTTPS through: the cleartext "SSH-2.0" banner that protocol-aware firewalls key on is hidden inside the TLS stream, and a connection to port 443 looks like any other HTTPS session. The outer TLS layer does not need to be trusted for the session to be secure either, because SSH's own host-key verification still applies end to end.

See SSH over SSL, episode 4: a HAproxy based configuration.

                                                                           
                                                                           
                                                     +----------------+    
                                                     |                |    
                                           +-------> |     NGINX      |    
                                +--------+ |         |                |    
                                |        | |         +----------------+    
                                |        | +         +----------------+    
         HTTPS TCP 443          |        |           |                |    
   +------------------------>   |HAPROXY | +-------> |    Apache      |    
                                |        |           |                |    
                                |        |           +----------------+    
                                |        | +         +----------------+    
                                |        | |         |                |    
                                +--------+ +-------> |    SSH         |    
                                                     |                |    
                                                     +----------------+    
                                                                           

Here is what needs to be configured for TLS:

global
	# Set the default TLS parameters to the Intermediate configuration.
	tune.ssl.default-dh-param 2048
	# Disables SSLv3 only. Today you would also add "no-tlsv10 no-tlsv11"
	# so that nothing older than TLS 1.2 is negotiated.
	ssl-default-bind-options no-sslv3
	# Note: "+SSLv3" below is an OpenSSL cipher-list alias that moves the
	# SSLv3-era suites to the end of the preference order; it does not re-enable the SSLv3 protocol.
	ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

As for the HTTP server part of the configuration, the documentation is extremely complete and plenty of examples exist on the Net.
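To show how the SSH-over-TLS idea above and the omitted HTTP part fit together in one file, here is a complete configuration I wrote as an illustration; it is not the configuration of systemd.info nor the one from chmd's article. All host names, certificate paths and loopback ports are assumptions. HAProxy terminates TLS on port 443 in TCP mode and then looks at the first bytes of plaintext: an "SSH-2.0" banner, or silence from a client that waits for the server to speak first, sends the connection to sshd; anything that parses as HTTP is handed back to an HTTP-mode frontend over loopback (with the PROXY protocol, so the client address is preserved) and routed to nginx or Apache by Host header.

```haproxy
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!aNULL:!MD5:!RC4:!3DES

defaults
    log             global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Stage 1: terminate TLS for everything arriving on 443, then peek at the plaintext.
frontend tls-in
    mode tcp
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem   # assumed path
    option tcplog
    timeout client 1h                # idle SSH sessions must survive
    tcp-request inspect-delay 5s
    # 5353482d322e30 is "SSH-2.0" in hex: an SSH client that speaks first is
    # identified as soon as its banner arrives.
    acl client_attempts_ssh req.payload(0,7) -m bin 5353482d322e30
    # Stop waiting as soon as we know what we are looking at, so browsers
    # never see the 5s inspection delay.
    tcp-request content accept if HTTP
    tcp-request content accept if client_attempts_ssh
    use_backend ssh if client_attempts_ssh
    # Nothing that looks like HTTP within 5s: assume an SSH client that is
    # waiting for the server's identification string before sending its own.
    use_backend ssh if !HTTP
    default_backend http-loopback

backend ssh
    mode tcp
    timeout server 1h
    server sshd 127.0.0.1:22

# Hand HTTP back to ourselves over loopback; PROXY protocol v2 carries the
# real client address into the HTTP stage.
backend http-loopback
    mode tcp
    server haproxy-http 127.0.0.1:8090 send-proxy-v2   # assumed port

# Stage 2: plain HTTP processing, Host-based routing to the web servers.
frontend http-in
    mode http
    bind 127.0.0.1:8090 accept-proxy
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https   # only ever reached via tls-in
    acl host_blog hdr(host) -i blog.example.com       # assumed host name
    use_backend apache if host_blog
    default_backend nginx

backend nginx
    mode http
    server nginx 127.0.0.1:8080 check    # assumed port

backend apache
    mode http
    server apache 127.0.0.1:8081 check   # assumed port

# Client side (assumed host names), wrapping ssh in a TLS connection to 443:
#   ssh -o ProxyCommand='openssl s_client -quiet -connect www.example.com:443' user@www.example.com
# The TLS certificate is not what protects the session here; SSH's own host-key
# check still runs inside the tunnel, so a forged outer certificate gains an attacker nothing.
```

The two accept rules are what make the detection cheap: an HTTP request or an SSH banner ends the inspection immediately, and only a client that sends nothing at all pays the full 5 seconds before being treated as SSH. Behind an explicit HTTP proxy that only allows CONNECT, the `openssl s_client` in the ProxyCommand would be replaced by a CONNECT-capable wrapper such as proxytunnel, which is the setup chmd's series describes.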

Enjoy!