From 2f5a15eef53786c7521e8704d073163dc85f3a4b Mon Sep 17 00:00:00 2001
From: Robert Helewka
Date: Tue, 9 Jun 2026 22:52:23 -0400
Subject: [PATCH] chore(haproxy,terraform): harden haproxy stats and pin incus provider
- Add maxconn limit and HTTP timeouts to mitigate slowloris attacks
- Restrict stats endpoint to internal LAN and localhost only
- Hide HAProxy version on stats page
- Pin Incus Terraform provider to ~> 1.0 for stability
---
ansible/haproxy/haproxy.cfg.j2 | 11 ++++++++++-
terraform/versions.tf | 1 +
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ansible/haproxy/haproxy.cfg.j2 b/ansible/haproxy/haproxy.cfg.j2
index 3607002..161175c 100644
--- a/ansible/haproxy/haproxy.cfg.j2
+++ b/ansible/haproxy/haproxy.cfg.j2
@@ -9,6 +9,7 @@ global
log /dev/log local0
log /dev/log local1 notice
stats timeout 30s
+ maxconn 4096
# Ubuntu systemd service handles user/group and daemonization
# Default SSL material locations
@@ -30,17 +31,25 @@ defaults
timeout connect 5s
timeout client 50s
timeout server 50s
+ # Slowloris protection: cap time to receive the full request/keep-alive idle
+ timeout http-request 10s
+ timeout http-keep-alive 10s
# Stats page with Prometheus metrics
listen stats
bind *:{{ haproxy_stats_port }}
mode http
+ # Restrict to the Ouranos LAN + localhost (Alloy scrapes via localhost).
+ # Belt-and-suspenders alongside host-level firewalling.
+ acl from_internal src 10.10.0.0/16 127.0.0.0/8
+ http-request deny unless from_internal
stats enable
stats uri /metrics
stats refresh 15s
stats show-legends
stats show-node
-
+ stats hide-version
+
# Prometheus metrics endpoint
http-request use-service prometheus-exporter if { path /metrics }
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 37f72c4..6ebbcda 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -4,6 +4,7 @@ terraform {
required_providers {
incus = {
source = "lxc/incus"
+ version = "~> 1.0"
}
}
}
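Review bot: The new `maxconn 4096` in the `global` section is a process-wide cap with no comment on how it was sized; since HAProxy sizes its own file-descriptor limit from this value, a short note would help the next reader, e.g. `# Process-wide connection cap; HAProxy derives its fd limit from it, so keep it consistent with the host's ulimit -n`. It also does not by itself cap an individual frontend — HAProxy applies a separate per-frontend `maxconn` default unless one is set in `defaults`, so if the stats listener in the next hunk is meant to be bounded too, consider adding `maxconn` there (confirm the default against the deployed HAProxy version's documentation). The `global` section begins outside the hunk.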
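Review bot: `http-request deny unless from_internal` only fires once a full HTTP request has been parsed, so a client outside the allowed ranges can still open connections to the stats listener and hold each one until `timeout http-request` expires; rejecting at connection stage with `tcp-request connection reject if !from_internal`, placed right after the `acl from_internal` line, closes the socket before any parsing and also avoids answering unauthorized peers with a 403 that reveals an HTTP service. `src` is the TCP peer address, so if anything in front of this listener NATs or proxies connections, every client would appear internal — worth confirming for the Alloy path mentioned in the comment. The `10.10.0.0/16` range is hard-coded in a Jinja template right next to the templated `{{ haproxy_stats_port }}`; moving it to an Ansible variable alongside the port (name to be chosen, e.g. an allowed-source list) keeps the environment-specific value out of the template. The `listen stats` section continues past the end of the hunk.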