HAProxy


Using HAProxy to proxy for Open Peer Power allows you to serve Open Peer Power securely over standard ports with HTTP to HTTPS redirection.

Install HAProxy on your server

This will vary depending on your OS. Check out Google for this.

Obtain an SSL certificate

There are multiple ways of obtaining an SSL certificate. Let’s Encrypt is one method. Use Google for this, but a good example of using Certbot can be found here.

HAProxy Configuration

The following configuration updates the HAProxy defaults with a more secure SSL cipher list, logging, and connection timeouts, then adds an HTTP frontend that redirects to HTTPS, an HTTPS frontend that terminates TLS, and a backend that forwards to Open Peer Power.

Items to update for your deployment:

  • bind: Update the ports HAProxy listens on for forwarding.
  • subdomain.domain.com: Your domain to use
  • ssl crt: The path to your SSL certificate.
  • server opp 127.0.0.1:8123: The IP and port location of your Open Peer Power instance.

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3
	maxconn 2048
	tune.ssl.default-dh-param 2048

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	timeout tunnel  60000    # long enough for websocket pings every 55 seconds
	timeout http-request 5s  # protection from Slowloris attacks

frontend www-http
	bind *:80
	redirect scheme https

frontend www-https
	log /dev/log	local0 debug
	bind *:443 ssl crt /etc/haproxy/certs/MYCERT.pem
	acl opp-acl hdr(host) -i SUBDOMAIN.DOMAIN.COM
	use_backend opp-backend if opp-acl

backend opp-backend
	# Replace with the IP and port of your Open Peer Power instance
	server opp 127.0.0.1:8123

	mode http
	option forwardfor
	http-request add-header X-Forwarded-Proto https
	http-request add-header X-Forwarded-Port 443
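A small static check you can run over your own haproxy.cfg before reloading it. This is an added example, not code from the page or from the HAProxy project: it parses the file into sections and verifies the properties the deployment above relies on (SSLv3 disabled and a cipher list set, a `timeout http-request`, a plaintext frontend that redirects to HTTPS, an `ssl` bind with a `crt`, backends that exist and add the forwarding headers). `SAMPLE_CONFIG` is a constructed, condensed copy of the configuration above; `check_file` is a hypothetical helper for reading your real file.

```python
"""Static hardening checks for an HAProxy config in the shape used above.

Added example (not the page's or HAProxy's own code). Use check_file(path)
against your real configuration; the embedded SAMPLE_CONFIG is constructed.
"""
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample: a condensed copy of the page's configuration.
SAMPLE_CONFIG = """
global
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
defaults
    mode http
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    timeout http-request 5s  # protection from Slowloris attacks
frontend www-http
    bind *:80
    redirect scheme https
frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/MYCERT.pem
    acl opp-acl hdr(host) -i SUBDOMAIN.DOMAIN.COM
    use_backend opp-backend if opp-acl
backend opp-backend
    server opp 127.0.0.1:8123
    mode http
    option forwardfor
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 443
"""


def parse_haproxy(text):
    """Split config text into {section header: [(keyword, [args...]), ...]}.
    Comments and blank lines are dropped; indentation is ignored, as HAProxy does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            current = " ".join(words)
            sections[current] = []
        elif current is not None:
            sections[current].append((words[0], words[1:]))
    return sections


def args_of(section, keyword):
    """All argument lists for one keyword inside a section."""
    return [args for kw, args in section if kw == keyword]


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_haproxy(text)
    findings = []

    glob = cfg.get("global", [])
    bind_opts = {o for args in args_of(glob, "ssl-default-bind-options") for o in args}
    if "no-sslv3" not in bind_opts:
        findings.append("global: ssl-default-bind-options does not include no-sslv3")
    if not args_of(glob, "ssl-default-bind-ciphers"):
        findings.append("global: ssl-default-bind-ciphers is not set")

    timeouts = {args[0] for args in args_of(cfg.get("defaults", []), "timeout") if args}
    if "http-request" not in timeouts:
        findings.append("defaults: 'timeout http-request' missing (slow clients can hold connections open)")

    backends = {name.split()[1] for name in cfg if name.startswith("backend ")}
    for name, body in cfg.items():
        if name.startswith("frontend "):
            for bind in args_of(body, "bind"):
                if "ssl" in bind and "crt" not in bind:
                    findings.append(f"{name}: ssl bind without a crt certificate")
                if "ssl" not in bind and not args_of(body, "redirect"):
                    findings.append(f"{name}: plaintext bind {bind[0]} without a redirect to https")
            for args in args_of(body, "use_backend") + args_of(body, "default_backend"):
                if args and args[0] not in backends:
                    findings.append(f"{name}: references unknown backend {args[0]}")
        elif name.startswith("backend "):
            if ["forwardfor"] not in args_of(body, "option"):
                findings.append(f"{name}: 'option forwardfor' missing, the app will only see the proxy address")
            headers = {tuple(a[1:3]) for a in args_of(body, "http-request") if a and a[0] == "add-header"}
            if ("X-Forwarded-Proto", "https") not in headers:
                findings.append(f"{name}: X-Forwarded-Proto https header is not added")
    return findings


def check_file(path):
    """Hypothetical helper: run the checks over a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_config(fh.read())


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

The checks are deliberately conservative: they only flag what is absent, so a config that passes still needs `haproxy -c -f /etc/haproxy/haproxy.cfg` for a real syntax validation before reload.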

Forward Ports

Forward ports 443 and (optionally) 80 to your server on your router.

Do not forward port 8123. HAProxy secures the connection with HTTPS on 443; if 8123 is forwarded as well, traffic on that port bypasses HAProxy and is not secured.

Replace 443 with whatever port you chose to bind to in the configuration if different.

Configure Open Peer Power HTTP Component

In your configuration.yaml file, edit the HTTP component.

http:
  # For extra security set this to only accept connection on localhost if HAProxy is on the same machine
  # server_host: 127.0.0.1
  # Update this line to be your domain
  base_url: https://example.com
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Open Peer Power will properly accept connections
  # Set this to your HAProxy machine IP, or localhost if hosted on the same machine.
  trusted_proxies:
    - 127.0.0.1
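To see why `trusted_proxies` is required alongside `use_x_forwarded_for`, here is a minimal model of how a reverse-proxied application should derive the client address and scheme. This is an added example, not Open Peer Power's own code: it assumes the application knows the TCP peer address of whoever connected and can read the request headers, and it honours `X-Forwarded-For` and `X-Forwarded-Proto` only when the peer is one of the trusted proxies, so a connection that reaches the application directly cannot pick its own apparent source address.

```python
"""Model of trusted-proxy handling for X-Forwarded-* headers.

Added example, not Open Peer Power's code. Assumes the app sees the TCP peer
address and the raw request headers; trusted_proxies is a list of IPs or
CIDR networks like the YAML key above.
"""
import ipaddress


def _is_trusted(addr, trusted_proxies):
    """True if addr falls inside any trusted proxy IP or network."""
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def client_ip(peer_addr, headers, use_x_forwarded_for, trusted_proxies):
    """Return the address the application should treat as the client.

    The X-Forwarded-For chain is walked from the right (the entry HAProxy's
    'option forwardfor' appended) and trusted proxy hops are skipped; the
    first untrusted hop is the real client. Any malformed value, or a peer
    that is not a trusted proxy, falls back to the TCP peer address.
    """
    peer = ipaddress.ip_address(peer_addr)
    forwarded = headers.get("X-Forwarded-For")
    if not (use_x_forwarded_for and forwarded and _is_trusted(peer, trusted_proxies)):
        return peer
    try:
        chain = [ipaddress.ip_address(hop.strip()) for hop in forwarded.split(",")]
    except ValueError:
        return peer  # garbage in the header: do not trust it
    for hop in reversed(chain):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return peer  # every hop was a proxy; nothing better than the peer


def request_scheme(peer_addr, headers, trusted_proxies):
    """Trust X-Forwarded-Proto only from a trusted proxy; otherwise assume http."""
    peer = ipaddress.ip_address(peer_addr)
    proto = headers.get("X-Forwarded-Proto", "").lower()
    if _is_trusted(peer, trusted_proxies) and proto in ("http", "https"):
        return proto
    return "http"


if __name__ == "__main__":
    # Constructed requests: one through HAProxy on the same host, one direct.
    via_proxy = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}
    print(client_ip("127.0.0.1", via_proxy, True, ["127.0.0.1"]))   # 203.0.113.7
    print(client_ip("198.51.100.9", via_proxy, True, ["127.0.0.1"]))  # 198.51.100.9
    print(request_scheme("198.51.100.9", via_proxy, ["127.0.0.1"]))  # http
```

With `use_x_forwarded_for: true` but no trusted proxy configured, the header is never honoured and every request appears to come from HAProxy; with the proxy address listed, only HAProxy can set the client address, which is the behaviour the comments in the YAML above describe.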

Restart or Reload HAProxy

Use your OS method of restarting or reloading HAProxy. Use Google for this.