HAProxy Security Guide
- Added a basic HAProxy security guide. Guide is light due to using TCP mode. Change-Id: Ic5d5126c6ca45112acad640826fdbbb2b0e080f4
parent
22691950d4
commit
873a050f70
@ -48,3 +48,4 @@ Airship Security Topics
|
||||
:maxdepth: 1
|
||||
|
||||
template
|
||||
haproxy
|
||||
|
55
doc/source/security/haproxy.rst
Normal file
@ -0,0 +1,55 @@
|
||||
..
|
||||
Copyright 2018 AT&T Intellectual Property.
|
||||
All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
not use this file except in compliance with the License. You may obtain
|
||||
a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations
|
||||
under the License.
|
||||
|
||||
.. _haproxy_security_guide:
|
||||
|
||||
HAProxy Security Guide
|
||||
======================
|
||||
|
||||
Updated: 13-AUG-2018
|
||||
|
||||
This guide covers configurations for HAProxy. Specifically, in ``mode tcp``.
|
||||
|
||||
.. contents:: :depth: 2
|
||||
|
||||
Security Item List
|
||||
------------------
|
||||
|
||||
TCP Mode
|
||||
^^^^^^^^
|
||||
|
||||
The instance will work in pure TCP mode. A full-duplex connection will be
|
||||
established between clients and servers, and no layer 7 examination will be
|
||||
performed. This is the default mode. It should be used for TLS.
|
||||
|
||||
Max Connections
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
Set ``maxconn`` in ``global`` to a reasonable level. HAProxy will queue
|
||||
requests beyond that value.
|
||||
|
||||
Set Headers
|
||||
^^^^^^^^^^^
|
||||
"set-header" does the same as "add-header" except that the header name is first
|
||||
removed if it existed. This is useful when passing security information to the
|
||||
server, where the header must not be manipulated by external users. Note that
|
||||
the new value is computed before the removal so it is possible to concatenate a
|
||||
value to an existing header.
|
||||
|
||||
References
|
||||
----------
|
||||
|
||||
HAProxy Configuration Guide - http://cbonte.github.io/haproxy-dconv/1.8/configuration.html
|
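Review bot: The "Set Headers" section near the end of haproxy.rst conflicts with the scope stated at the top of the file. The guide says it covers ``mode tcp`` and the TCP Mode section says "no layer 7 examination will be performed", but ``set-header`` and ``add-header`` operate on HTTP headers and only take effect on a proxy running in ``mode http``. Either drop the section or state that it applies only to HTTP-mode proxies and name the rule it belongs to (for example ``http-request set-header``). Two smaller points: "Set ``maxconn`` in ``global`` to a reasonable level" gives the reader nothing to check a configuration against, so say how the value should be chosen; and "It should be used for TLS" should say whether TLS is passed through to the servers or terminated at HAProxy, since that decides where the certificates and keys are held.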