Setting Security Headers in HAProxy

Cloudflare, Nginx, HAProxy, and Caddy

Kyle Takeuchi

I am very interested in learning new technologies, and coming from a networking background I've never had much of an opportunity to dabble with web servers at work. I originally intended to simply use Caddy to serve the website; however, the more I researched, the more I found information on Nginx and HAProxy. I didn't want to focus on a single technology to host the site, so I decided to use all three! I'm using HAProxy as a frontend load balancer with keepalived to provide high availability and basic load balancing. The backend pool behind HAProxy is a pair of Nginx servers acting as reverse proxies. The Nginx servers also act as a pseudo load balancer of sorts and balance traffic between a pair of Caddy application servers.

The graphic below should give a better illustration of how the traffic flows when accessing this website.

Traffic flows from the user workstation and initially traverses Cloudflare's Content Delivery Network. From here, Cloudflare directs all HTTPS traffic to my external firewall, where I NAT the traffic to my HAProxy VIP. Below you can see the NAT rule I'm using to direct the HTTPS traffic sourced from an Alias I have created (containing Cloudflare's address ranges) to my HAProxy VIP.

Assuming my primary HAProxy server is healthy, the traffic will pass through HAProxy, where I'm offloading the SSL/TLS traffic and load balancing it to a pair of Nginx reverse proxies. Depending on the URL/URI the user is requesting, the proxies will direct traffic over various ports to my backend web servers. At this point the packet traverses my internal-facing firewall, and Caddy serves the web page requested by the user.
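To make the HAProxy hop concrete, here is an added example configuration (written for this write-up, not copied from the author's actual haproxy.cfg) that implements the pieces described above: TLS termination on the keepalived VIP, round-robin balancing to the two Nginx reverse proxies, and the security headers the title refers to. The VIP `203.0.113.10`, the backend addresses `192.0.2.11`/`192.0.2.12`, the certificate path, the `/healthz` check URL and the `/etc/haproxy/cloudflare_ips.lst` file are all constructed placeholders; substitute your own values.

```haproxy
# Example haproxy.cfg (added illustration, not the site's production config).
global
    log /dev/log local0
    maxconn 4096
    # Placeholder TLS policy: modern AEAD ciphers only, TLS 1.2 minimum.
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    option forwardfor          # pass the client IP to Nginx in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    # The keepalived VIP (placeholder address). HAProxy terminates TLS here,
    # so the Nginx pool only ever sees plain HTTP from the load balancer.
    bind 203.0.113.10:80
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/site.pem

    # Belt-and-braces: the firewall Alias already limits sources to Cloudflare,
    # but HAProxy can enforce the same allow-list (one CIDR per line, assumed file).
    acl from_cloudflare src -f /etc/haproxy/cloudflare_ips.lst
    http-request deny deny_status 403 unless from_cloudflare

    # Force HTTPS and tell Nginx/Caddy the original scheme.
    http-request redirect scheme https code 301 unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https

    # Security headers set on every response leaving HAProxy.
    # set-header overwrites any value the backend sent, so these win over
    # headers set in Nginx or Caddy; use add-header if you want both.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options DENY
    http-response set-header Referrer-Policy strict-origin-when-cross-origin
    http-response set-header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"
    http-response set-header Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # Do not advertise backend software versions.
    http-response del-header Server
    http-response del-header X-Powered-By

    default_backend be_nginx

backend be_nginx
    balance roundrobin
    # Active health check so an unhealthy proxy is pulled from rotation.
    option httpchk GET /healthz
    http-check expect status 200
    server nginx1 192.0.2.11:80 check inter 5s fall 3 rise 2
    server nginx2 192.0.2.12:80 check inter 5s fall 3 rise 2
```

Two things worth checking after deploying something like this: run `haproxy -c -f /etc/haproxy/haproxy.cfg` to validate the syntax before reloading, and confirm with `curl -sI https://<your-host>` that the headers appear exactly once. The `Content-Security-Policy` value here is deliberately strict and will break inline scripts or third-party assets; tune it to what the Caddy-served pages actually load rather than loosening it blindly.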
