HAProxy in front of KWTS [Kaspersky Web Traffic Security]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

To use HAProxy as a load balancer in front of KWTS (iso installation and built-in proxy used) we recommend the following:

1. HAProxy configuration:

   global     log         127.0.0.1 local2     chroot      /var/lib/haproxy     pidfile     /var/run/haproxy.pid     maxconn     4000     user        haproxy     group       haproxy     daemon     stats socket /var/lib/haproxy/stats   defaults     mode                tcp     log                 global     retries             3     timeout queue       1m     timeout connect     10s     timeout client      1m     timeout server      1m     timeout check       10s     maxconn             30000   frontend kwts_proxy     bind *:3128     mode tcp     default_backend kwts_proxy_pool   backend kwts_proxy_pool     balance leastconn     mode tcp     server kwts_node1 10.10.1.42:3128 check send-proxy     server kwts_node2 10.10.1.43:3128 check send-proxy

   where 10.10.1.42 and 10.10.1.43 are KWTS IP addresses;
   3128 is the port where KWTS built-in proxy is listening (Settings → Built-in proxy server → Common → Port);
   8080 is the port of the load balancer.

2. Configure KWTS to use PROXY protocol header (Settings → Built-in proxy server → Common → Load balancing → Mode);
3. Make sure HAProxy IP address is in trusted list on KWTS (Settings → Built-in proxy server → Common → Load balancing → Trusted load balancers);
4. If Kerberos proxy authentication is used, make sure keytab contains SPN record of FQDN address of the load balancer;
5. Make sure that browser is configured to use FQDN and port of load balancer.