Solved

haproxy Reverse proxy with ssl

Posted on 2014-10-21
18
1,184 Views
Last Modified: 2016-02-11
For years i have been using haproxy on FreeBSD to do some reverse proxying.  Up to this point i have never had to use SSL for two sites.  Things changed and i now need them to be https.

I have gotten a working ssl certificate, but I am unable to to get haproxy to work with the sites.

here is the config i have been using:

global
    daemon
    maxconn 4096

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

backend site1
    balance roundrobin
    option httpclose
    option forwardfor
    server s2 192.168.0.252:80 maxconn 32

backend site2
    balance roundrobin
    option httpclose
    option forwardfor
    server s1 192.168.0.246:80 maxconn 32

Any help would be appreciated.
0
Comment
Question by:luddiemey
  • 11
  • 5
  • 2
18 Comments
 
LVL 4

Expert Comment

by:popesy
ID: 40394429
Hi

Never used this haproxy, but ssl will transport over https and port 443.

Perhaps you want to configure your settings to reflect that.

HTH.

Cheers, JP.
0
 

Author Comment

by:luddiemey
ID: 40394435
Hi

Thanks for your reply, I have tried just changing those two settings, but unfortunately it didn't work.

The browsers the popup with a SSL error.
0
 
LVL 4

Expert Comment

by:popesy
ID: 40394483
Hi

Oh, OK.  

What is the error you get when using the browser?

Can I assume that the 'http-in' changes to 'https-in' and binds to 443.  I guess somewhere you'll have to mention the ssl cert in the config.

I've configured IBM WebSEAL reverse proxy and that was over ssl. It was a couple of years ago now.  Can you verify that your haproxy process is listening on 443?

Cheers, JP.
0
 

Author Comment

by:luddiemey
ID: 40395407
I did change http-in to https-in and it does bind to port 443.

When using the following config:

frontend https-in
    bind *:443
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

When you then try to access https://server1.domain.com my browser pops out the following error:

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
0
 
LVL 61

Expert Comment

by:gheist
ID: 40395905
Can you show your domain name?
SSL PROTOCOL ERROR means you use SSLv3 which is broken or very short DH parameter, or very short key.
0
 

Author Comment

by:luddiemey
ID: 40396214
I am trying to apply this to two different sites

hpps.co.za

and

soft-solutions.co.za

getting the same error at both sites
0
 
LVL 61

Expert Comment

by:gheist
ID: 40396234
They are still on other server I assume.
Since sites are different and will have different SSL keys I suggest you do with apache-worker or apache-event reverse proxy. HAProxy does not do SNI.
0
 

Author Comment

by:luddiemey
ID: 40396249
To keep going currently i have used TMG as a stop gab, but i really dont want it use TMG.  

I have tried to follow this:  http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Have you perhaps have a brief howto on how to get this accomplished in with apache on FreeBSD?  I have done reverse proxy with apache in the past, but once again i am completely ignorant as to how to accomplish this with SSL.

thank you
0
 
LVL 4

Expert Comment

by:popesy
ID: 40396291
Hi

Sorry, are you saying that you are now not using haproxy?

This reference http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/ describes how to deny sslv3 for your configuration, like;

In SSL offloading mode

In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:

1      bind 10.0.0.1:443 ssl crt /path/to/cert.pem no-sslv3

In SSL forward mode

In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must setup an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:

1      bind 10.0.0.1:443
2      tcp-request inspect-delay 2s
3      acl sslv3 req.ssl_ver 3
4      tcp-request content reject if sslv3


If I'm barking up the wrong tree, just throw me a stick!

Cheers, JP.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:luddiemey
ID: 40396306
I am confused, I think maybe haproxy is not the way to go for me here.  I am going to give this a go
https://help.knthost.com/nginx/nginx-reverse-proxy-setup-freebsd
0
 
LVL 4

Expert Comment

by:popesy
ID: 40396323
Hi

I guess the key objective for you is the SSL. That being so, you'll need to define your SSL detail in either config; it seems that this is your sticking point...

Just to cover all bases; do you have a valid signed or self-signed certificate?  When you connect over https a browser expects to see one presented.

Good luck hey!

Cheers, JP.
0
 

Author Comment

by:luddiemey
ID: 40396357
Yes i have calid certificates purchased from Comodo.  Will test some more stuff and give feedback later today.

thanks
0
 

Author Comment

by:luddiemey
ID: 40403599
after many failures trying to use nginx, i have switch to pound.  can have some success there.
0
 
LVL 4

Expert Comment

by:popesy
ID: 40403612
Hi

Sounds like you have been successful. Well done!

Cheers, JP.
0
 

Author Comment

by:luddiemey
ID: 40403620
well not yet.... at least i am no longer getting any SSL issues.  But the redirection to exchange (which is one of the sites i need to redirect to) get IIS related access denied issues.  Will paste the config when i am done
0
 

Assisted Solution

by:luddiemey
luddiemey earned 0 total points
ID: 40403655
Ok here is the working part.  This is to get HTTPS access to my exchange.

#Pound Conifguration
#IgnoreCase, xHTTP and TimeOuts are mandatory settings specific to OWA/ActiveSync

#TimeOut must me 3600 or greater to support ActiveSync
TimeOut         3600
LogLevel        5

## Backend check every X secs:
Alive 30
Grace 3600

IgnoreCase      1

## List, and redirect ... to:

ListenHttps
        Address <ip address of listening server>
        Port 443

        Client 120

        PUT and DELETE allow ## so (by default only GET, POST and HEAD) ?:
        xHTTP 4

        Cert "/usr/local/etc/cert.pem"
        CAlist "/etc/ssl/cert.cer"

        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        Service "exchange"
                IgnoreCase 1
                URL "^/owa.*|^/Microsoft-Server-ActiveSync.*|^/rpc.*|^/exchange.*|^/exchweb.*|^/public.*|^OAB.*|^/Autodiscover.*"



                   BackEnd
                        Address <FQDN of internal exchnage>
                        Port 443
                        HTTPS
                        TimeOut 180
                End

                Session
                        Type IP
                        TTL 1800
                End
        End

       
End


I now have to work on the second part, where the same listener need to redirect to a different internet machine.
0
 

Accepted Solution

by:
luddiemey earned 0 total points
ID: 40404506
To get the second part to work, i installed and configured ezjail to run a separate instance of pound.

Everything is now the way i need it to be and working
0
 

Author Closing Comment

by:luddiemey
ID: 40412788
Manage to create a working solution from lots of RTFM
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now