Unrestricted access to HAProxy Data Plane API
Description
The HAProxy Data Plane API provides programmatic access to configuration management and runtime statistics. This vulnerability exists when the API is accessible without authentication or is protected only by default, weak, or commonly known credentials. Unauthenticated or weakly authenticated access to this API allows unauthorized users to view sensitive configuration data and modify HAProxy settings remotely.
Remediation
Implement strong authentication for the HAProxy Data Plane API by following these steps:
1. Configure authentication in the Data Plane API configuration file (typically dataplaneapi.yml or dataplaneapi.hcl):
   userlist api-users
       # crypt(3) SHA-512 hash; replace the salt and hash with your own generated values
       user admin password $6$rounds=50000$saltvalue$hashedpassword

   program api
       # start the Data Plane API and point it at the userlist above for authentication
       command /usr/bin/dataplaneapi --userlist api-users
2. Generate strong password hashes using HAProxy's password hashing utility or bcrypt
3. Restrict network access to the API using firewall rules or HAProxy ACLs to allow only trusted IP addresses
4. Enable TLS/SSL for API communications to prevent credential interception
5. Implement API key-based authentication or integrate with enterprise authentication systems (LDAP, OAuth) for production environments
6. Regularly rotate API credentials and audit access logs for unauthorized attempts
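As an added example (not the advisory's text or HAProxy's own tooling), a small POSIX shell helper set covering steps 1, 2 and 6 above: it generates a SHA-512 crypt hash with openssl, writes the userlist/program fragment, and audits a config file for plaintext or weakly hashed userlist credentials. It assumes openssl 1.1.1 or newer is on PATH and the /usr/bin/dataplaneapi path from the remediation.

```shell
#!/bin/sh
# Added example, not part of the advisory. Assumptions: openssl >= 1.1.1 is on
# PATH (used only by dpapi_hash) and the Data Plane API binary lives at
# /usr/bin/dataplaneapi, as in the remediation above.

# Hash a password in crypt(3) SHA-512 format ($6$<salt>$<hash>), which the
# `password` keyword of an HAProxy userlist accepts. The password is piped via
# stdin so it never appears as a command-line argument or in process listings.
dpapi_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# Emit the haproxy.cfg fragment: a userlist holding the hashed credential and
# a program section that launches the Data Plane API bound to that userlist.
# Usage: dpapi_fragment <user> <crypt-hash>
dpapi_fragment() {
    cat <<EOF
userlist api-users
    user $1 password $2

program api
    command /usr/bin/dataplaneapi --userlist api-users
EOF
}

# Return 0 when a hash uses a strong crypt(3) scheme: SHA-256 ($5$), SHA-512
# ($6$) or bcrypt ($2y$/$2b$). MD5-crypt ($1$), DES and anything else fail.
dpapi_hash_is_strong() {
    case "$1" in
        '$6$'*|'$5$'*|'$2y$'*|'$2b$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit an HAProxy config file: report every userlist `user` line that uses
# `insecure-password` (plaintext) or a weak hash (assumes the password keyword
# directly follows the username, as in HAProxy's documented syntax).
# Returns 1 if any weak credential was found, 0 if the file is clean.
dpapi_audit_cfg() {
    bad=0
    while read -r kw user pwkw hash _; do
        [ "$kw" = user ] || continue
        if [ "$pwkw" = insecure-password ] || ! dpapi_hash_is_strong "$hash"; then
            echo "weak credential: user '$user' uses $pwkw" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}
```

Run `dpapi_fragment admin "$(dpapi_hash 'your-password')" >> haproxy.cfg` to append the fragment, then `dpapi_audit_cfg haproxy.cfg` as a periodic check that no plaintext or MD5-hashed API credentials have crept back in.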