Public Key Pinning is a security feature that tells a web browser to associate a public cryptographic key with a server or servers. When a web browser visits a website for the first time, it reads the HPKP header and stores the hashes of the public keys it lists. Each time the browser revisits that website, the hash of the public key presented by the server is compared against the stored hashes; if none of them match, the web browser should display a warning.
The HPKP header adds protection against man-in-the-middle (MITM) attacks but, if incorrectly configured, can make your website display a TLS error for a long period of time.
Here’s a look at what this website publishes as its HPKP header.
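To make the browser-side check described above concrete, here is an added example (not the site's own code) that parses a Public-Key-Pins header, applies the RFC 7469 rule that at least two pins must be present before a browser stores them, and then compares the pins against the SPKI hashes of a presented chain. The SPKI byte strings and the header are constructed stand-ins, not real keys.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each key;
# a real pin hashes the SPKI extracted from a certificate in the served chain.
LEAF_SPKI = b"constructed-leaf-spki-der"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki-der"
BACKUP_SPKI = b"constructed-backup-key-spki-der"   # offline backup key, not in the chain
ROGUE_SPKI = b"constructed-mitm-key-spki-der"      # key a MITM would present instead

def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pins and directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def should_note_pins(policy: dict) -> bool:
    """A browser only stores the pins when max-age is present and at least two
    pins are given: one matching the chain plus a backup (RFC 7469 section 2.5)."""
    return policy["max_age"] is not None and len(policy["pins"]) >= 2

def chain_matches(stored_pins, chain_spkis) -> bool:
    """Pin validation passes when any SPKI in the presented chain hashes to a stored pin."""
    return any(pin_sha256(spki) in stored_pins for spki in chain_spkis)

# Constructed header of the kind a correctly configured site would send.
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI))

if __name__ == "__main__":
    policy = parse_hpkp(HEADER)
    print("pins noted by browser:", should_note_pins(policy))
    print("legitimate chain passes:", chain_matches(policy["pins"], [LEAF_SPKI, INTERMEDIATE_SPKI]))
    print("MITM chain passes:", chain_matches(policy["pins"], [ROGUE_SPKI, INTERMEDIATE_SPKI]))
```

The second call returning False is the case where a browser shows the warning; the same False is what a site sees for its whole max-age window if it rotates to a key that was never pinned as a backup.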
With haproxy 1.5 finally being released we are lucky enough to get a basic interface around OCSP stapling.
Sadly this interface really is quite basic and it’s not the simplest thing to figure out without some trial and error.
According to the official documentation, you should be able to pipe your OCSP response to haproxy via its stats socket. Sadly I could not get this to work properly at all, so I decided to swap the piping for a file and reload solution.
You’ll need to get a copy of your certification authority’s root certificate to proceed with this.
Looking for your OCSP URI
If you don’t know the URI you need to do an OCSP lookup against, you can find it in your certificate data.
openssl x509 -in /path/to/your/certificate -text
Inside the output, look for the following section.
This patched version is built using the USE_ZLIB option, allowing for usage of compression or using haproxy as a compression offloader.
Requirements
haproxy requires openssl-1.0.1d or higher.
On a standard Debian 7 install you should have openssl-1.0.1e-2. You can find which version you have by running
dpkg -l openssl
This should return something similar to
ii openssl 1.0.1e-2 amd64 Secure Socket Layer (SSL) binary and related cryptographic tools
Build notes
Builds were done on Debian 7 AMD64, I will not be providing 32bit versions as this is mainly for my own usage and amusement.
This haproxy build is compiled against openssl, providing the npn module, allowing for haproxy to work under SSL/TLS and allowing the use of SPDY/2 and SPDY/3.
This version is available on apt.kura.io or as a manual download, from the link below.
By default haproxy enables stateless SSL session resumption, but you can enable stateful session resumption in accordance with RFC 5077. This functionality, like the SSL handling it relies on, is only available from haproxy 1.5.
Configuration
The option to enable stateful SSL session resumption is as below
no-tls-tickets
You will need to add it to your bind line, like below
I have previously written an article on using SPDY with haproxy but have been spending some time recently being annoyed that the SPDY check tool said I didn’t advertise a fallback to HTTP over SSL in the NPN protocol list.
After some digging I discovered it was actually quite simple to advertise multiple protocols using npn and haproxy.
Previously my article called for using the following section of configuration at the end of the bind line.
npn spdy/2
To advertise HTTP protocols as well as SPDY you simply need to add them to the npn list, using commas as a delimiter.
I decided I would take things a little further and poke around with haproxy some more. The initial plan was to compile the latest dev source of haproxy with SSL termination enabled.
In doing so I realised I would lose SPDY support, which upset me a little. After some digging I found that the 1.5-dev branch of haproxy supports npn and thus can handle SPDY.
I tweaked my builds a little more and managed to get haproxy running as an SSL terminating load balancer, with SPDY connections being sent off to my nginx servers with SPDY enabled and all other non-SPDY connections being passed on to an nginx virtual host with SPDY disabled.
Requirements
I have released my haproxy build as a debian file below …