Securing HAProxy: Best Practices for DDoS Protection and SSL Termination

Security is no longer optional when it comes to running websites and applications. With cyber threats becoming more sophisticated every day, your load balancer is often the first line of defense. In this guide, I'll walk you through practical ways to harden HAProxy against attacks while optimizing performance through SSL offloading. Whether you're a seasoned DevOps engineer or just getting started with HAProxy, you'll find actionable tips to keep your infrastructure safe without sacrificing speed.

Why Security Matters at the Load Balancer Level

Your load balancer sits at the edge of your network, making it both your first defense against attacks and a potential target. HAProxy is particularly well-suited for security roles because it can:

  • Inspect and filter traffic before it reaches your application servers
  • Handle SSL/TLS encryption to secure data in transit
  • Limit connection rates to mitigate DDoS attacks
  • Hide your backend infrastructure details from potential attackers

DDoS Protection with HAProxy

Distributed Denial of Service (DDoS) attacks try to overwhelm your servers with massive amounts of traffic. Here's how to configure HAProxy to defend against them:

1. Connection Rate Limiting

One of the simplest yet most effective defenses is to limit how many connections a single IP can make in a given time period:

frontend http_front
    bind *:80
    # Track each client IP and reject it once it opens more than 10 new connections per second
    stick-table type ip size 200k expire 30s store conn_rate(1s)
    tcp-request connection track-sc0 src
    acl conn_rate_abuse sc0_conn_rate gt 10
    tcp-request connection reject if conn_rate_abuse
    default_backend web_servers

This configuration:

  • Creates a stick table keyed by client IP that stores each address's connection rate
  • Tracks the source IP of every incoming connection in that table (without the track line the counters never fill)
  • Rejects connections from IPs exceeding the abuse threshold (more than 10 connections per second)

2. Concurrent Connection Limiting

Some attacks use fewer connections but keep them open longer:

frontend http_front
    bind *:80
    # Allow max 20 concurrent connections per IP; conn_cur is decremented when a connection closes
    stick-table type ip size 200k expire 30s store conn_cur
    tcp-request connection track-sc0 src
    acl conn_abuse sc0_conn_cur gt 20
    tcp-request connection reject if conn_abuse
    default_backend web_servers

3. Using Slow Request Detection

Slowloris attacks try to keep connections open by sending data very slowly:

frontend http_front
    bind *:80
    # Set timeout for request headers to 10 seconds
    timeout http-request 10s
    default_backend web_servers

This forces attackers to send complete requests within 10 seconds, preventing them from holding connections indefinitely.

4. Block Bad Bots and Known Attackers

You can create blacklists of known bad actors:

frontend http_front
    bind *:80
    # http-request rules require HTTP mode
    mode http
    
    # Load blacklisted IPs from a file (one address or CIDR per line)
    acl blacklisted src -f /etc/haproxy/blacklist.txt
    http-request deny if blacklisted
    
    # Block common bad bot user-agents; hdr_sub matches anywhere in the header, case-insensitively
    acl bad_bot hdr_sub(User-Agent) -i "BadBot" "ScrapingBot" "CrawlerBot"
    http-request deny if bad_bot
    
    default_backend web_servers

For more advanced protection, consider integrating with fail2ban or a specialized WAF (Web Application Firewall).

SSL Termination and Offloading

Handling encryption at the HAProxy level offers several benefits:

  • Reduces CPU load on backend servers
  • Centralizes certificate management
  • Allows inspection of HTTPS traffic

Here's how to set it up:

1. Basic SSL Termination Configuration

frontend https_front
    # Listen on port 80 as well, otherwise the redirect below never sees plain HTTP
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http
    
    # Redirect HTTP to HTTPS
    http-request redirect scheme https unless { ssl_fc }
    
    default_backend web_servers

backend web_servers
    mode http
    server web1 192.168.1.101:80 check
    server web2 192.168.1.102:80 check

The certificate file (example.com.pem) should contain your certificate, any intermediate certificates, and the private key concatenated together.

2. Setting Up Multiple Certificates (SNI)

If you're hosting multiple domains, Server Name Indication (SNI) allows HAProxy to serve the right certificate based on the requested domain:

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    default_backend web_servers

Place all your certificate files in the /etc/haproxy/certs/ directory, with each file named after its domain (e.g., example.com.pem). HAProxy matches the client's SNI against the names inside each certificate, so the file names are a management convention rather than what drives selection.

3. Optimizing SSL Security

To ensure you're using secure protocols and ciphers:

global
    # Cipher settings are global directives, not frontend ones.
    # ssl-default-bind-ciphers covers TLS 1.2; ssl-default-bind-ciphersuites covers TLS 1.3
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

frontend https_front
    # ssl-min-ver on the bind line sets the protocol floor for this listener
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem ssl-min-ver TLSv1.2
    default_backend web_servers

This configuration:

  • Requires TLS 1.2 or higher
  • Uses only strong ciphers
  • Disables older, insecure protocols

4. HTTP Strict Transport Security (HSTS)

HSTS tells browsers to always use HTTPS for your domain:

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    
    # Add HSTS header (15768000 seconds = 6 months)
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    
    default_backend web_servers

Combining Security Measures: A Complete Example

Here's a more comprehensive configuration that combines DDoS protection with SSL termination:
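As an added example (not a block from the original post), here is one way to assemble the earlier snippets into a single configuration. The certificate directory, blacklist path, backend addresses and stats credentials are placeholders; the stats listener is bound to localhost only and password-protected.

```haproxy
global
    log /dev/log local0 info
    # TLS 1.2 cipher list, TLS 1.3 cipher suites, and a TLS 1.2 protocol floor
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s

frontend https_front
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/
    http-request redirect scheme https unless { ssl_fc }

    # One table per client IP: new-connection rate, open connections, HTTP request rate
    stick-table type ip size 200k expire 30s store conn_rate(1s),conn_cur,http_req_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 10 } || { sc0_conn_cur gt 20 }
    http-request deny deny_status 429 if { sc0_http_req_rate gt 100 }

    # Blacklist file and bad-bot user-agents (file path is a placeholder)
    acl blacklisted src -f /etc/haproxy/blacklist.txt
    acl bad_bot hdr_sub(User-Agent) -i BadBot ScrapingBot CrawlerBot
    http-request deny if blacklisted || bad_bot

    # Browser-side protections
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options DENY
    capture request header User-Agent len 128
    capture request header Host len 64
    default_backend web_servers

backend web_servers
    server web1 192.168.1.101:80 check
    server web2 192.168.1.102:80 check

listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /stats
    stats auth admin:CHANGE_ME
```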

This configuration provides a solid foundation for a secure HAProxy setup, with:

  • DDoS protection via rate limiting
  • SSL termination with modern ciphers
  • Security headers for browser protection
  • Bot blocking
  • Protected statistics page

Monitoring Security Events

Setting up security measures is only half the battle - you also need to know when you're under attack:

Enable Detailed Logging

global
    log /dev/log local0 info
    
frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    # Header captures only work in HTTP mode
    mode http
    log global
    option httplog
    # Captured headers are appended to every access log line
    capture request header User-Agent len 128
    capture request header Host len 64

This captures important request details, including the User-Agent and Host headers.

Setting Up Alert Thresholds

You can configure HAProxy to log when certain thresholds are exceeded:

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http
    # Track the per-IP connection rate, then raise the log level when it exceeds the threshold
    stick-table type ip size 200k expire 30s store conn_rate(1s)
    tcp-request connection track-sc0 src
    acl high_conn_rate sc0_conn_rate gt 50
    http-request set-log-level alert if high_conn_rate

Integration with External Tools

For more comprehensive monitoring, consider integrating HAProxy with:

  • Fail2ban to automatically ban IPs based on log patterns
  • ELK Stack (Elasticsearch, Logstash, Kibana) for log visualization
  • Prometheus and Grafana for real-time metrics and dashboards

Fine-Tuning SSL Offloading Performance

SSL operations can be CPU-intensive. Here are some tips to optimize performance:

1. Use Session Caching

global
    # Set SSL session cache size
    tune.ssl.cachesize 50000
    
    # Set SSL lifetime in the cache
    tune.ssl.lifetime 300

This reduces the need for full SSL handshakes on repeat visits.

2. Use OCSP Stapling

OCSP stapling improves SSL performance by including certificate validation information with the handshake:

frontend https_front
    # HAProxy staples the OCSP response stored in a file named after the certificate
    # with a .ocsp suffix (here /etc/haproxy/certs/example.com.pem.ocsp); keep that file current
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    default_backend web_servers

3. Hardware Considerations

For high-traffic sites:

  • Consider servers with AES-NI instruction set support for faster encryption
  • For extreme cases, SSL acceleration cards can offload encryption tasks
  • Ensure your HAProxy server has sufficient CPU cores (HAProxy scales well with multiple cores)

Real-World Scenarios: Putting It All Together

E-commerce Site During Black Friday

An e-commerce site expecting heavy traffic during sales events might use:

  • Higher rate limits to accommodate legitimate traffic spikes
  • More aggressive bot detection to prevent inventory scraping
  • Backend connection pooling to reduce database load

API Gateway Protection

When using HAProxy to protect APIs:

  • Add JWT validation for authentication
  • Set stricter rate limits per endpoint
  • Consider different limits for different API keys
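As an added example (not code from the original post), an API frontend combining the three points above: a per-endpoint limit keyed on host+path plus client IP, a per-API-key limit in a second table, and JWT validation. It assumes HAProxy 2.5 or later for the JWT converters; the certificate path, public-key path, X-API-Key header name, backend address and thresholds are placeholders.

```haproxy
frontend api_front
    bind *:443 ssl crt /etc/haproxy/certs/api.example.com.pem
    mode http

    # Per-endpoint limit: key is a hash of Host+path combined with the client IP
    stick-table type binary len 20 size 100k expire 60s store http_req_rate(10s)
    http-request track-sc0 base32+src
    http-request deny deny_status 429 if { sc0_http_req_rate gt 50 }

    # Per-API-key limit, kept in a second table (a section holds only one stick-table)
    http-request track-sc1 req.hdr(X-API-Key) table api_keys if { req.hdr(X-API-Key) -m found }
    http-request deny deny_status 429 if { sc1_http_req_rate gt 500 }

    # JWT validation: require a bearer token, pin the algorithm, verify the
    # signature against the public key, and reject tokens whose exp claim has passed
    http-request set-var(txn.bearer) http_auth_bearer
    http-request deny deny_status 401 unless { var(txn.bearer) -m found }
    http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')
    http-request deny deny_status 401 unless { var(txn.jwt_alg) -m str "RS256" }
    http-request deny deny_status 401 unless { var(txn.bearer),jwt_verify(txn.jwt_alg,"/etc/haproxy/jwt/public.pem") -m int 1 }
    http-request set-var(txn.now) date()
    http-request deny deny_status 401 unless { var(txn.bearer),jwt_payload_query('$.exp','int'),sub(txn.now) -m int gt 0 }

    default_backend api_servers

backend api_keys
    # Table holder only; no servers
    stick-table type string len 64 size 100k expire 60s store http_req_rate(60s)

backend api_servers
    mode http
    server api1 192.168.1.111:8080 check
```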

Conclusion: Balancing Security and Performance

Securing HAProxy is all about finding the right balance for your specific needs. Too much security can impact performance and user experience, while too little leaves you vulnerable to attacks.

Start with these best practices and then:

  1. Monitor your traffic patterns to establish a baseline
  2. Gradually adjust limits and rules based on your actual usage
  3. Test your configuration under load before going live
  4. Have a plan for quickly adjusting settings during an active attack

Remember that security is a continuous process, not a one-time setup. Regularly review your configuration, update your SSL certificates, and stay informed about new threats and HAProxy features.

Have you implemented security measures with HAProxy? What challenges did you face? Share your experiences in the comments below!