I would like to control my HAproxy remotely during deploy of applications. E.g. before stopping apps on "app-server1" I want to instruct the HA-proxy to disable the backend server "app-server1". When the application is running again, I want to issue the enable command.
With "stats socket …" I create either a UNIX socket or a TCP socket. For remote access it has to be a TCP socket.
However, this obviously opens up a vulnerability that I want to mitigate.
Can I restrict the access to the admin socket, e.g. by client IP list, SSL or other?
Due to the limited amount of information I find on this topic when searching, I wonder if there is another, recommended way of remote operation for my use case?
I do use scripting for this, but allowing SSH access for the scripts to the server where HA-proxy is running, is not an option.
Best Answer
Define a backend server pointing to the stats socket on localhost. Then set the stats socket to bind on 127.0.0.1 only. Finally, add needed ACLs to the frontend definition.
The stats socket is now restricted to accept connections only from localhost, while your frontend proxy takes care of remote clients.