{"id":1530,"date":"2021-11-16T16:07:32","date_gmt":"2021-11-16T22:07:32","guid":{"rendered":"https:\/\/it.thelibrarie.com\/weblog\/?p=1530"},"modified":"2021-11-19T09:56:24","modified_gmt":"2021-11-19T15:56:24","slug":"haproxy-and-kace-sma","status":"publish","type":"post","link":"https:\/\/it.thelibrarie.com\/weblog\/2021\/11\/haproxy-and-kace-sma\/","title":{"rendered":"HAProxy and Kace SMA"},"content":{"rendered":"\n<p>Running KACE SMA (K1000) version 11.0.273. I wanted to run it behind a reverse proxy so it wasn&#8217;t directly exposed to the internet. Generally speaking, you really don&#8217;t want things like web servers directly exposed to the internet for obvious reasons, but KACE has been adamant that the appliance is secure and meant to run in a DMZ, and it hasn&#8217;t had any known intrusions to date.<\/p>\n\n\n\n<p>In any case, I decided to move it out of the DMZ and run HAProxy in its place; my reasons are outside the scope of this document. However, KACE SMA 10.x didn&#8217;t play nicely with reverse proxies even with legitimate SSL certificates installed (you can read about konea certificates vs. web certificates on the KACE support pages).<\/p>\n\n\n\n<p>Upgrading to version 11 splits the traffic in two: the konea (agent) side uses its own certificates, which are unpublished but necessary, and the web certificates cover all other traffic. 
Both kinds of traffic still arrive on port 443, but the konea side is forwarded to a different port on the SMA (52230 in the config below), and the proxy tells the two apart by the SNI in the TLS ClientHello.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>global\n        log \/dev\/log    local0\n        log \/dev\/log    local1 notice\n        chroot \/var\/lib\/haproxy\n        stats socket \/run\/haproxy\/admin.sock mode 660 level admin expose-fd listeners\n        stats timeout 30s\n        user haproxy\n        group haproxy\n        daemon\n        lua-load        \/etc\/haproxy\/acme-http01-webroot.lua\n\n        # Default SSL material locations\n        ca-base \/etc\/ssl\/certs\n        crt-base \/etc\/ssl\/private\n\n        # See: https:\/\/ssl-config.mozilla.org\/#server=haproxy&amp;server-version=2.0.3&amp;config=intermediate\n        # These ssl-default-bind-* settings only apply to binds that carry the ssl keyword;\n        # the sma frontend below passes TLS through untouched, so they do not affect it.\n        # NOTE: the cipher list was cut off in this paste (it ends in DHE followed by a stray\n        # character); copy the full intermediate list from the Mozilla generator linked above,\n        # otherwise HAProxy will refuse to start.\n        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE>\n        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\n        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets\n\ndefaults\n        log     global\n        mode    tcp\n        option  tcplog\n        option  dontlognull\n        timeout connect 5000\n        timeout client  50000\n        timeout server  50000\n        errorfile 400 \/etc\/haproxy\/errors\/400.http\n        errorfile 403 \/etc\/haproxy\/errors\/403.http\n        errorfile 408 \/etc\/haproxy\/errors\/408.http\n        errorfile 500 \/etc\/haproxy\/errors\/500.http\n        errorfile 502 \/etc\/haproxy\/errors\/502.http\n        errorfile 503 \/etc\/haproxy\/errors\/503.http\n        errorfile 504 \/etc\/haproxy\/errors\/504.http\n\nfrontend http-in\n        # this frontend must be in http mode: defaults sets mode tcp, and HAProxy\n        # ignores http-request rules (with a startup warning) in a tcp mode frontend\n        mode http\n        bind *:80\n        acl url_acme_http01 path_beg \/.well-known\/acme-challenge\/\n        http-request use-service lua.acme-http01 if METH_GET url_acme_http01\n\n\nfrontend sma\n        # what terminating TLS on the proxy would look like; not used in the pass-through setup\n#       bind *:443 ssl crt 
\/etc\/letsencrypt\/live\/pem\/\n        # plain TCP bind with no ssl keyword: TLS is passed through and the SMA terminates it\n        bind *:443\n        # hold the connection (up to 5s) until the ClientHello has arrived so the SNI can be read\n        tcp-request inspect-delay 5s\n#       tcp-request content capture req.ssl_sni len 25\n        tcp-request content accept if { req_ssl_hello_type 1 }\n\n        # exact SNI match: agent (konea) traffic goes to the agent port, the web UI hostname to apache\n        use_backend sma_agent if { req_ssl_sni konea }\n        use_backend sma_webui if { req_ssl_sni mykacesite.domain.tld }\n        # everything else, including clients that send no SNI at all, lands on the web UI\n        default_backend sma_webui\n\nbackend sma_webui\n        server sma_apache 10.130.20.6:443\n\nbackend sma_agent\n        server sma_koneas 10.130.20.6:52230\n<\/code><\/pre>\n\n\n\n<p>I should point out that I also use Let&#8217;s Encrypt for the web portion, but because the 443 bind has no ssl keyword and the frontend runs in tcp mode rather than http mode, HAProxy never terminates TLS: the encrypted stream is passed straight through to the SMA, which holds the web certificate, so HAProxy needs no certificate of its own (the commented-out ssl bind line is what terminating on the proxy would look like). The flip side of pass-through is that HAProxy cannot inspect or filter anything at the HTTP layer, and the SMA sees the proxy&#8217;s address as the client address unless the backend understands the PROXY protocol (send-proxy on the server line). TCP mode is REQUIRED for the konea portion to actually function.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Running KACE SMA (K1000) version 11.0.273. I wanted to run it behind a reverse proxy so it wasn&#8217;t directly exposed to the internet. Generally speaking, you really don&#8217;t want things like web servers directly exposed to the internet for obvious reasons, but KACE has been adamant that the appliance is secure and meant to &hellip; <a href=\"https:\/\/it.thelibrarie.com\/weblog\/2021\/11\/haproxy-and-kace-sma\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">HAProxy and Kace SMA<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,1],"tags":[],"class_list":["post-1530","post","type-post","status-publish","format-standard","hentry","category-linux","category-miscellaneous"],"_links":{"self":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/1530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/comments?post=1530"}],"version-history":[{"count":3,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/1530\/revisions"}],"predecessor-version":[{"id":1534,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/1530\/revisions\/1534"}],"wp:attachment":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/media?parent=1530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/categories?post=1530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/tags?post=1530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
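The whole trick in the config above is that HAProxy, without terminating TLS, peeks at the ClientHello and routes on its SNI (`req_ssl_hello_type 1`, `req_ssl_sni`). The following is an added example, not code from the original post or from KACE/Quest: it parses the server_name extension out of a raw ClientHello the way that ACL does, and `pick_backend()` mirrors the `frontend sma` rules so you can see where each kind of client ends up, including the edge case the config handles silently, a client that sends no SNI at all and therefore falls into `default_backend sma_webui`. The hostnames `konea` and `mykacesite.domain.tld` and the backend names are taken from the config; the function names are this example's own. The ClientHello bytes are constructed locally with Python's `ssl` module and a `MemoryBIO`, so nothing touches the network, and the parser is general (any ClientHello, not just the two hostnames in the config).

```python
"""Extract the SNI from a TLS ClientHello and apply the sma frontend's routing.

Added example (not part of the original post). The ClientHello is produced
offline through ssl.MemoryBIO, so this runs without any network access.
"""
import ssl
from typing import Optional

# Hostnames from the post's HAProxy config; backend names are HAProxy's.
AGENT_SNI = "konea"
WEBUI_SNI = "mykacesite.domain.tld"


def make_client_hello(server_hostname: Optional[str]) -> bytes:
    """Constructed input: the raw ClientHello record a real client would send,
    captured from a MemoryBIO handshake that never opens a socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # required to allow server_hostname=None
    ctx.verify_mode = ssl.CERT_NONE     # we never get past the ClientHello anyway
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_side=False,
                        server_hostname=server_hostname)
    try:
        conn.do_handshake()             # writes the ClientHello, then waits for data
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def is_client_hello(data: bytes) -> bool:
    """Equivalent of the req_ssl_hello_type 1 ACL: a TLS handshake record (0x16)
    whose first handshake message is a ClientHello (type 1)."""
    return len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    record is not a complete ClientHello or carries no SNI (the cases in
    which req_ssl_sni matches nothing and default_backend applies)."""
    if not is_client_hello(data):
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    if len(data) < 5 + rec_len:
        return None                     # truncated or split across records
    hs = data[5:5 + rec_len]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                    # client_version + random
        pos += 1 + body[pos]            # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]            # compression_methods
        if pos >= len(body):
            return None                 # no extensions block at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:           # walk the extension list
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_size = int.from_bytes(body[pos + 2:pos + 4], "big")
            ext = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0:           # 0 = server_name
                continue
            p = 2                       # skip the 2-byte ServerNameList length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = int.from_bytes(ext[p + 1:p + 3], "big")
                if name_type == 0:      # 0 = host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
    except IndexError:
        return None
    return None


def pick_backend(sni: Optional[str]) -> str:
    """The frontend sma rules: exact SNI match for the agent and the web UI,
    default_backend for anything else, including a hello with no SNI."""
    if sni == AGENT_SNI:
        return "sma_agent"
    if sni == WEBUI_SNI:
        return "sma_webui"
    return "sma_webui"                  # default_backend sma_webui


def route(data: bytes) -> Optional[str]:
    """Decision for one captured record: None means HAProxy would keep waiting
    (not a ClientHello, so tcp-request content accept does not fire yet)."""
    if not is_client_hello(data):
        return None
    return pick_backend(extract_sni(data))


if __name__ == "__main__":
    for host in (WEBUI_SNI, AGENT_SNI, "other.example", None):
        hello = make_client_hello(host)
        print(f"SNI={extract_sni(hello)!r:28} -> {route(hello)}")
```

Running it shows the konea hostname landing on `sma_agent` and everything else, including the no-SNI hello, on `sma_webui`. Because the match is exact, a scanner hitting the IP directly or an old client without SNI never reaches the agent port by accident, but it does reach the web UI, which is why the web UI must be the side you are comfortable exposing.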