Firewall rule vs. haproxy

we have a fundamental question about HAPROXY.
In our network there is a Windows server (DC) on which industry software with a web front end runs.
The web front end is only used by employees in the field.
Access is via user name / password.
                                  / orange > mail server
                                 /
internet > red > iPFire - green > DC + Workstations / Windows
                                 \
                                  \ blue (WLAN)

Since this is the domain controller, we want to secure the access as much as possible.
Which variant is to be preferred?

a) Access via firewall rule: all networks / port 7443 >> DC / port 443
… this works out of the box

b) Access via HAProxy as reverse proxy port 7443 >> DC / port 443 with certificate on iPFire
… This is a little bit complicated, but could be a little bit more secure?
c) or outsource the web frontend to a separate web server in the orange network
… with connections to databases on the DC … holes in the firewall

Greetings and thanks for your time !


based on my understanding of Windows DCs and HAproxy, I would be surprised to hear this works. Unless, of course, I misunderstood your question. :slight_smile:

This is much, much better than (b), because it completely eliminates the necessity to allow direct connections to your DC, which is the weakest link in your network. In addition, you can run that web server on something more secure (Linux or BSD), which is always a good idea. :slight_smile:

Should you need input on firewalling and IPS configuration, please refer to these two blog posts. Limiting outgoing connections is also crucial, especially when they come from the DC itself. :slight_smile:

Thanks, and best regards,
Peter Müller

Hello, Peter,
So far we have a WindowsWebServer2012 (IIS) in the orange network, in addition to a Linux mail server (nethserver7).
The industry software unfortunately only supports IIS as a web frontend, otherwise we would have put the web frontend on the Nethserver a long time ago. If we only knew how to do it …


well, if this is a pure web-based application, you could place a reverse proxy (Nginx is commonly used for such tasks, Apache is popular for it as well) before it, even in the orange network.

Application-layer vulnerabilities not taken into account, an attacker needs to compromise two hosts (reverse proxy => IIS server in orange network) before being able to establish an IP connection to your DC. Not optimal, but better than nothing, I guess. :slight_smile:

Thanks for having security in mind - one compromised infrastructure less on the internet. :wink:

Thanks, and best regards,
Peter Müller

Hello, Peter,
thanks for your ideas.
But why not the reverse proxy HAProxy on iPFire?
The advice of the makers is to use HAProxy.

This is only useful if you are running outdated cryptography on the target device. Let’s say your web server only supports TLS 1.0, you can have haproxy terminate the SSL connection and have better protection over the Internet. However, if your software is outdated and not being updated, I would suggest to rather throw it away, because you will have tons of application security issues which won’t be fixed by haproxy.

You could in theory have the IPS check any plain HTTP traffic for SQL injections and so on, but it isn’t guaranteed protection. It is better than nothing though.
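As an added illustration of the TLS-termination setup Michael describes (this is example configuration written for this page, not configuration posted in the thread, shipped by IPFire, or taken from the HAProxy project), the fragment below terminates TLS on the proxy for port 7443 with modern settings and re-encrypts toward the web frontend. The backend address 192.0.2.10, the certificate path /etc/haproxy/certs/webfrontend.pem and the CA file /etc/haproxy/certs/internal-ca.pem are placeholders.

```haproxy
# Added example, not from the thread. 192.0.2.10 and the two certificate
# paths are placeholders for the IIS web frontend and the proxy's own files.
global
    # Only TLS 1.2+ is offered to the Internet, regardless of what the backend speaks.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    option httplog

frontend web_frontend_in
    # TLS is terminated here with a certificate held on the proxy; clients never
    # negotiate with the backend's TLS stack.
    bind :7443 ssl crt /etc/haproxy/certs/webfrontend.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Tell browsers to keep using HTTPS on this host.
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend web_frontend_iis

backend web_frontend_iis
    # Re-encrypt toward the web server and verify its certificate against an
    # internal CA. The proxy-to-backend leg may use whatever TLS version the
    # backend still supports (Michael's "outdated cryptography" case) without
    # that version ever being exposed to the Internet.
    server iis1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

Compared with the plain port-forward in option (a), this exposes only the proxy's TLS stack and certificate to the Internet, and the web server only ever receives connections from the proxy's own address, which a firewall rule can pin. It does nothing about flaws in the application behind it, which is Michael's point above.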

Hello, Michael,
… there is a misunderstanding.
The industry software is an actual version, based on MSSQL Server with Windows clients and a web frontend for the workers out on building sites.
Since 2014 we have had the web frontend in the orange net on a Win2012 server, and the industry software on the domain controller (W2012) in the green net.
But now we have to upgrade the systems to Windows Server 2019 with MSSQL Server 2019 and so on … much work and more money.
We are looking for an idea to minimize the cost - the W2019 IIS web server is bored … that's why:
a) Web frontend on the DC … I have bellyache
b) the same as 2014: web server in orange with firewall holes to the MSSQL Server on the DC … I have bellyache … and the boss too … but because of cost.