Latest How to configure HAProxy's Proxy Protocol with Squid A customer asked me the other day how to set up Squid Proxy Protocol on their Loadbalancer appliance.
How-tos Client Certificate Authentication with HAProxy Using client certificates for security is a pretty cool idea! You can protect an entire application, or even just a specific Uniform Resource Identifier (URI), so that only clients presenting a valid client certificate can reach it...
WAF Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure SSL offload is handled by STunnel, while HAProxy handles back-end server re-encryption...
Security How to stop web form spam — use a simple honey pot trap in ModSecurity... How frustrating do you find it when hackers or robots fill in your website forms with "Buy Viagra Now!" type spam?..
Security Stack Clash and Loadbalancer.org The long and short of it is, there are updates to the Linux kernel and glibc packages which will 'fix' the issue..
How-tos Transparent vs Explicit proxy — which method should I use? Different vendors have widely different opinions on which method should be used to deploy web filters or SWGs. Historically, vendors struggled to implement authentication in Transparent mode, and maybe they remember some awkward conversations with customers that chose the wrong method...
Security Blocking Japan with ModSecurity and Maxmind Lite The Web Application Firewall is based on ModSecurity, an open source WAF for Apache, IIS, and Nginx that protects against a wide variety of attacks and allows HTTP traffic monitoring and logging...
High Availability Disaster recovery is more important than HTTPS SNI support... SNI is an extension to the TLS protocol which lets the client send, in the clear at the start of the handshake, the hostname it is trying to reach. This allows you to serve multiple SSL certificates from a single IP address...
Security New PuTTY vulnerability "vuln-ech-overflow" identified - upgrade to 0.66 to protect your environment PuTTY stored the number of characters to be erased (the terminal's ECH, erase-character, escape sequence) in a signed integer variable without adequate overflow checking, so in certain circumstances an attacker could corrupt important data...
Security Blocking invalid range headers using ModSecurity and/or HAProxy (MS15-034 - CVE-2015-1635) Anomaly-score-based blocking is more flexible and effective than simple first-error blocking...
Security Simple Denial of Service (DoS) attack mitigation using HAProxy Denial of Service (DoS) attacks can be used to degrade or cripple the functionality of a site...
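The two HAProxy posts above (invalid Range headers for MS15-034 / CVE-2015-1635, and simple DoS mitigation) both come down to frontend rules, so here is one combined configuration as an added example. It is not taken from the Loadbalancer.org posts or appliance; the frontend and backend names, the 192.0.2.x server addresses, the 100-requests-per-10-seconds limit and the ten-digit Range cutoff are all assumptions chosen for illustration.

```haproxy
# Added example, not the page's own configuration. Names, addresses and
# thresholds are assumptions; tune them to the site you are protecting.
frontend www
    bind *:80
    mode http
    default_backend web_servers

    # Per-source-IP stick table holding the HTTP request rate over a
    # 10-second window. 100k entries and a 30s idle expiry are assumed sizes.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src

    # Simple DoS mitigation: a source IP sending more than 100 requests in
    # 10 seconds (assumed limit) gets HTTP 429 instead of reaching the backends.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # MS15-034 probes send Range byte offsets far beyond any real file size,
    # such as the widely published "Range: bytes=0-18446744073709551615".
    # Any run of ten or more digits (an assumed cutoff; 2^32-1 = 4294967295
    # is ten digits) in the Range header is treated as invalid and rejected.
    acl invalid_range req.hdr(range) -m reg [0-9]{10,}
    http-request deny deny_status 400 if invalid_range

backend web_servers
    mode http
    balance roundrobin
    server web1 192.0.2.10:80 check
    server web2 192.0.2.11:80 check
```

Two caveats a practitioner will want. The ten-digit rule also rejects legitimate range requests with offsets of 1,000,000,000 bytes or more, so if you serve downloads larger than about 1 GB raise the cutoff (e.g. `[0-9]{11,}`) or restrict the rule to the hosts that need it. And the rate limit keys on the client source IP, so behind a NAT gateway or an upstream proxy many users share one counter; in that case track a forwarded-for header you trust, or raise the limit.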
Security How do I get an A+ from Qualys SSL, but keep FIPS compliance as well? Is getting an A+ rating with the Qualys scanner starting to feel a bit like chasing a mythical unicorn? Every time you get close to catching and keeping the beast, it runs away and they change the rules again!..
Security Shell-shocked by shell shock? I give you "CMD Caret" ^& There seems to have been so much hype over the recent bash bug, shell shock! And there were all the people in the Microsoft world thinking YES we are so cool we are NOT affected by it!..
Security Heartbleed 2.0? Not exactly, but more OpenSSL issues have been found Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs is not...
Security Loadbalancer.org releases patch for the OpenSSL heartbleed vulnerability CVE-2014-0160 To ensure complete protection, all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key, and the old certificates revoked...
Security Why did my Loadbalancer just fail the PCI compliance test? Let me first say that I'm not really a fan of PCI scanners. It's not so much that I'm anti security scanners, but rather that scanning for vulnerabilities based only on the version number a package returns seems rather simplistic to me...
Security Secure Your Web Servers: SSL Termination and BEAST The BEAST attack is a practical attack based on a protocol vulnerability in TLS 1.0 CBC cipher suites, and its mitigation mainly falls on the client side...
WAF For any poor sod who needs to deal with the PCI Data Security Standard (PCI DSS) Any engineer dealing with PCI DSS compliance issues probably loses a little bit of the joy in life...
HAProxy Transparent proxy of SSL traffic using Pound to HAProxy backend patch and how-to I've previously blogged about how to get TPROXY and HAProxy working nicely together, but what if you want to terminate SSL traffic on the load balancer so that HAProxy can insert cookies into the standard HTTP stream to the backend servers?..