From 873a050f70861fc5e28be426d3b2995bcf3f6046 Mon Sep 17 00:00:00 2001 From: Aaron Sheffield Date: Mon, 13 Aug 2018 13:42:57 -0500 Subject: [PATCH] HAProxy Security Guide - Added a basic HAProxy security guide. Guide is light due to using TCP mode. Change-Id: Ic5d5126c6ca45112acad640826fdbbb2b0e080f4 --- doc/source/security/guide.rst | 1 + doc/source/security/haproxy.rst | 55 +++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 doc/source/security/haproxy.rst diff --git a/doc/source/security/guide.rst b/doc/source/security/guide.rst index 6180226b..5d1fc3d9 100644 --- a/doc/source/security/guide.rst +++ b/doc/source/security/guide.rst @@ -48,3 +48,4 @@ Airship Security Topics :maxdepth: 1 template + haproxy diff --git a/doc/source/security/haproxy.rst b/doc/source/security/haproxy.rst new file mode 100644 index 00000000..dc24a627 --- /dev/null +++ b/doc/source/security/haproxy.rst 
@@ -0,0 +1,55 @@ +.. + Copyright 2018 AT&T Intellectual Property. + All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +.. _haproxy_security_guide: + +HAProxy Security Guide +====================== + +Updated: 13-AUG-2018 + +This guide covers configurations for HAProxy. Specifically, in ``mode tcp``. + +.. contents:: :depth: 2 + +Security Item List +------------------ + +TCP Mode +^^^^^^^^ + +The instance will work in pure TCP mode. A full-duplex connection will be +established between clients and servers, and no layer 7 examination will be +performed. This is the default mode. It should be used for TLS. + +Max Connections +^^^^^^^^^^^^^^^ + +Set ``maxconn`` in ``global`` to a reasonable level. HAProxy will queue +requests beyond that value. + +Set Headers +^^^^^^^^^^^ +"set-header" does the same as "add-header" except that the header name is first +removed if it existed. This is useful when passing security information to the +server, where the header must not be manipulated by external users. Note that +the new value is computed before the removal so it is possible to concatenate a +value to an existing header. + +References +---------- + +HAProxy Configuration Guide - http://cbonte.github.io/haproxy-dconv/1.8/configuration.html
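Review bot: In doc/source/security/haproxy.rst, the "Set Headers" section conflicts with the scope of the guide: "set-header" and "add-header" operate on HTTP headers, while the introduction limits the guide to ``mode tcp`` and the "TCP Mode" section states that "no layer 7 examination will be performed". As written, the item cannot apply to the configuration the guide covers. Either drop the section, or state that it applies only to proxies running in HTTP mode and name the directive it belongs to (for example ``http-request set-header``) so a reader can find it in the referenced configuration guide. Two smaller points in the same file: under "Max Connections", "a reasonable level" gives the operator nothing to act on, so say what ``maxconn`` should be sized against, and consider "connections" instead of "requests" since the guide is about TCP mode. Under "TCP Mode", "It should be used for TLS" should say whether TLS is passed through to the backend or terminated at HAProxy, because the two have different security properties.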