In HAProxy, ssl_fc is used within ACLs in order to check conditions related to SSL/TLS connections. Read the article to learn more. At Bobcares, with our Server Management Service, we can handle your issues.
Overview
- ssl_fc in HAProxy ACLs: An Introduction
- Using ssl_fc in HAProxy ACLs
- Benefits of ssl_fc in HAProxy ACL
- Conclusion
ssl_fc in HAProxy ACLs: An Introduction
The ssl_fc keyword in HAProxy is used in Access Control Lists (ACLs) in order to assess SSL/TLS connection-related conditions. The term “SSL from client,” or “ssl_fc,” specifically means the condition verifies if the connection between the client and the HAProxy frontend is encrypted using SSL/TLS.
Using ssl_fc in HAProxy ACLs
Basic Usage
ssl_fc is a keyword in HAProxy ACLs used to determine if the incoming client connection is encrypted. It also helps in directing traffic, applying security policies, or modifying behavior based on the connection’s security.
Example:
Redirecting HTTP to HTTPS: A common use case for ssl_fc is redirecting HTTP traffic to HTTPS in order to ensure secure communication. For example:
Frontend Configuration:
```haproxy
frontend http-in
    # http-request and redirect directives require HTTP mode (set here in case defaults does not)
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs
    # Define an ACL to check if the connection is not using SSL
    acl is_not_secure ssl_fc,not
    # Redirect HTTP to HTTPS if the connection is not secure
    http-request redirect scheme https if is_not_secure
    default_backend servers
```
Backend Configuration:
```haproxy
backend servers
    server server1 192.168.2.2:80 check
    server server2 192.168.2.3:80 check
```
Explanation:
i. The Bind Statements:
bind *:80: Listens on HTTP port 80.
bind *:443 ssl crt /etc/haproxy/certs: Listens on HTTPS port 443 with SSL enabled, using the certificate at /etc/haproxy/certs.
ii. ACL Definition:
acl is_not_secure ssl_fc,not: Checks if the connection is not using SSL. The ssl_fc keyword checks if SSL is used, and not inverts the condition.
iii. HTTP to HTTPS Redirection:
http-request redirect scheme https if is_not_secure: Redirects HTTP requests to HTTPS if the connection is not secure.
Advanced Usage
Enforcing Client Certificate Authentication: We can also enforce client certificate authentication using ssl_fc to ensure a client certificate is present as well as valid.
Frontend Configuration:
```haproxy
frontend https-in
    mode http
    # Listen on 443 with TLS and require a client certificate signed by the CA in ca.pem
    bind *:443 ssl crt /etc/haproxy/certs ca-file /etc/haproxy/ca.pem verify required
    # Define ACLs to check that a client certificate was presented and that it verified successfully
    acl client_cert_used ssl_c_used
    acl client_cert_verified ssl_c_verify 0
    # Deny access if the client certificate is missing or not verified
    http-request deny if !client_cert_used || !client_cert_verified
    default_backend servers
```
Explanation:
i. Bind Statement with Client Certificate Authentication:
bind *:443 ssl crt /etc/haproxy/certs ca-file /etc/haproxy/ca.pem verify required: Configures HAProxy to listen on port 443 with SSL and verify client certificates against the CA file. The verify required option rejects the handshake when no valid client certificate is presented, so the ACLs below act as a second, explicit check at the HTTP layer.
ii. ACL Definitions for Client Certificate Verification:
acl client_cert_used ssl_c_used: True when the client presented a certificate.
acl client_cert_verified ssl_c_verify 0: True when the certificate verification result is 0, i.e. no error. Each ACL holds a single sample fetch; an ACL line cannot combine two fetches, which is why the check is split in two.
iii. Deny Access if Client Certificate is Not Verified:
http-request deny if !client_cert_used || !client_cert_verified: Denies access if no client certificate was presented or the one presented did not verify.
Logging SSL Information: Alongside ssl_fc, we can log SSL-related details of each connection for monitoring as well as debugging.
Frontend Configuration:
```haproxy
frontend https-in
    mode http
    bind *:443 ssl crt /etc/haproxy/certs
    # Log SSL details in addition to the standard HTTP log fields
    log-format "%ci:%cp [%t] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r ssl_version:%sslv ssl_cipher:%sslc ssl_c_verify:%[ssl_c_verify]"
    default_backend servers
```
Explanation:
i. Log Format:
log-format "%ci:%cp [%t] %ft %b/%s … ssl_version:%sslv ssl_cipher:%sslc ssl_c_verify:%[ssl_c_verify]": This format logs the SSL version (%sslv), the SSL cipher (%sslc), and the client certificate verification status, along with the standard logging information. HAProxy has dedicated log variables for the version and cipher but none for the verification result, so the ssl_c_verify sample fetch is embedded with the %[...] syntax.
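Lines written with the log-format above are only useful if something reads them. The following Python script is an added example, not code from the article or from the HAProxy project: it parses the tail of that log-format (the quoted request plus the three ssl_* fields), flags plaintext requests, legacy TLS versions and client certificates that failed verification, and summarises the result. The log lines embedded in SAMPLE_LOG are constructed for the example; the addresses, timestamps and cipher names are illustrative. Note that with verify required a failed client certificate never produces an HTTP log line, because the handshake is aborted; non-zero ssl_c_verify values only show up when the bind line uses verify optional.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches the custom log-format from the frontend above:
#   %ci:%cp [%t] %ft ... %{+Q}r ssl_version:%sslv ssl_cipher:%sslc ssl_c_verify:%[ssl_c_verify]
# Client address and frontend are taken from the start of the line; the fields in
# between (timers, status, captures) are skipped non-greedily up to the quoted request.
LOG_RE = re.compile(
    r'^(?P<client>\S+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) .*?'
    r'"(?P<request>[^"]*)" '
    r'ssl_version:(?P<version>\S+) ssl_cipher:(?P<cipher>\S+) ssl_c_verify:(?P<verify>\S+)$'
)

# Versions considered acceptable; anything else that is not "-" counts as legacy.
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}

# A few OpenSSL X509_V_ERR_* codes, so findings read better than a bare number.
X509_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self-signed certificate",
    20: "unable to get local issuer certificate",
}

# Constructed sample log lines (not real traffic): one modern TLS request, one legacy
# TLSv1 request, one request whose client certificate failed verification (code 18),
# one plaintext request on the port-80 frontend, and one unparseable line.
SAMPLE_LOG = """\
192.0.2.10:51234 [10/Jun/2024:12:00:01.123] https-in~ servers/server1 0/0/1/2/3 200 1234 ---- 5/5/0/1/0 0/0 {} {} "GET /login HTTP/1.1" ssl_version:TLSv1.3 ssl_cipher:TLS_AES_256_GCM_SHA384 ssl_c_verify:0
198.51.100.7:40022 [10/Jun/2024:12:00:02.456] https-in~ servers/server2 0/0/1/5/6 200 812 ---- 5/5/0/1/0 0/0 {} {} "GET /api/v1/items HTTP/1.1" ssl_version:TLSv1 ssl_cipher:AES128-SHA ssl_c_verify:0
203.0.113.9:55100 [10/Jun/2024:12:00:03.789] https-in~ servers/server1 0/0/1/3/4 403 93 PR-- 5/5/0/1/0 0/0 {} {} "POST /admin HTTP/1.1" ssl_version:TLSv1.2 ssl_cipher:ECDHE-RSA-AES256-GCM-SHA384 ssl_c_verify:18
192.0.2.33:60001 [10/Jun/2024:12:00:04.000] http-in servers/<NOSRV> 0/-1/-1/-1/0 302 0 LR-- 5/5/0/0/0 0/0 {} {} "GET / HTTP/1.1" ssl_version:- ssl_cipher:- ssl_c_verify:-
garbage line that does not match the format
"""


@dataclass
class SSLEntry:
    client: str
    frontend: str
    request: str
    version: str        # "-" when the connection was not TLS
    cipher: str
    verify: Optional[int]  # None when the fetch produced "-"


def parse_line(line: str) -> Optional[SSLEntry]:
    """Parse one log line; return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    verify = m.group("verify")
    return SSLEntry(
        client=m.group("client"),
        frontend=m.group("frontend"),
        request=m.group("request"),
        version=m.group("version"),
        cipher=m.group("cipher"),
        verify=int(verify) if verify.isdigit() else None,
    )


def review(lines: Iterable[str]) -> dict:
    """Classify each line and collect human-readable findings."""
    summary = {"total": 0, "unparsed": 0, "plaintext": 0,
               "legacy_tls": 0, "cert_failed": 0, "findings": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            summary["unparsed"] += 1
            continue
        summary["total"] += 1
        if entry.version == "-":
            # Reached the HTTP layer without TLS: the port-80 listener before the redirect.
            summary["plaintext"] += 1
            summary["findings"].append(
                f"{entry.client} plaintext request on {entry.frontend}: {entry.request}")
            continue
        if entry.version not in MODERN_TLS:
            summary["legacy_tls"] += 1
            summary["findings"].append(
                f"{entry.client} negotiated {entry.version} ({entry.cipher})")
        if entry.verify not in (None, 0):
            summary["cert_failed"] += 1
            reason = X509_ERRORS.get(entry.verify, f"X509 error {entry.verify}")
            summary["findings"].append(
                f"{entry.client} client certificate rejected: {reason}")
    return summary


if __name__ == "__main__":
    result = review(SAMPLE_LOG.splitlines())
    for key in ("total", "unparsed", "plaintext", "legacy_tls", "cert_failed"):
        print(f"{key}: {result[key]}")
    for finding in result["findings"]:
        print("  -", finding)
```

To run it against a real HAProxy log, pipe the file into review() line by line (for example review(open("/var/log/haproxy.log"))) after confirming the frontend uses exactly the log-format shown above; if captures (%hr/%hs) are enabled the regex still works, because everything between the frontend name and the quoted request is skipped.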
Benefits of ssl_fc in HAProxy ACL
1. Enhanced Security:
Detection of Secure Connections: ssl_fc helps identify whether incoming client connections are encrypted. This also allows us to enforce security measures such as HTTPS.
Client Certificate Authentication: By enforcing client certificate verification, it also makes sure that only clients holding a certificate issued by the trusted CA can reach certain resources.
2. Traffic Management:
Redirection from HTTP to HTTPS: Encrypt and protect all transported data by automatically redirecting HTTP requests to HTTPS.
Conditional Routing: Distinguish between HTTP and HTTPS connections and route traffic according to its security level.
3. Improved User Experience:
Seamless Transitions: By automatically redirecting to HTTPS, users can also experience a seamless transition to secure connections without manual intervention.
Better Performance: SSL termination at HAProxy also allows for optimized performance by offloading SSL processing from backend servers.
4. Comprehensive Logging:
Detailed SSL Information: Log specific SSL details such as version, cipher, and certificate verification status, aiding in monitoring, debugging, as well as compliance reporting.
Custom Log Formats: Tailor log formats so as to include essential SSL-related information, providing insights into connection security.
5. Scalability and Flexibility:
Easy Configuration: Configuring ACLs with ssl_fc is straightforward, allowing for flexible and scalable setups that cater to various security policies as well as application needs.
Adaptable Security Policies: Quickly adjust security policies in order to meet evolving requirements, such as implementing new encryption standards or authentication methods.
6. Reduced Risk:
Mitigation of Man-in-the-Middle Attacks: By enforcing HTTPS, ssl_fc also helps protect against man-in-the-middle attacks that can intercept unencrypted data.
Consistent Security Posture: It also maintains a consistent security posture across different environments by ensuring secure communication channels.
7. Compliance and Trust:
Meet Regulatory Requirements: Adhering to security best practices and regulatory requirements (e.g., GDPR, PCI-DSS) is much easier with enforced HTTPS connections.
Build User Trust: Offering secure connections builds user trust, enhancing the reputation and reliability of the website as well as application.
8. Load Balancing and SSL Offloading:
Centralized SSL Management: Offload SSL processing to HAProxy, reducing the load on backend servers and simplifying certificate management.
Efficient Resource Usage: Optimize resource utilization by handling SSL/TLS termination at the load balancer level. This frees up backend resources for application processing.
9. Granular Access Control:
Fine-Grained Policies: Enforce granular access control policies based on SSL parameters, allowing for nuanced security measures tailored to specific use cases.
Dynamic Access Decisions: Make access decisions in real time based on the security status of incoming connections.
Conclusion
In conclusion, employing ssl_fc in HAProxy ACLs is a secure and flexible method for boosting security, controlling traffic, optimizing user experience, as well as complying with legal guidelines. It also keeps excellent speed and scalability while enabling effective SSL management.
This article offers the details of basic as well as advanced usage of ssl_fc in HAProxy ACL from our Tech team.