luddiemey
asked on
haproxy Reverse proxy with ssl
For years i have been using haproxy on FreeBSD to do some reverse proxying. Up to this point i have never had to use SSL for two sites. Things changed and i now need them to be https.
I have gotten a working ssl certificate, but I am unable to to get haproxy to work with the sites.
here is the config i have been using:
global
daemon
maxconn 4096
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
acl is_site1 hdr_end(host) -i server1.domain.com
acl is_site2 hdr_end(host) -i server2.domain.com
use_backend site1 if is_site1
use_backend site2 if is_site2
backend site1
balance roundrobin
option httpclose
option forwardfor
server s2 192.168.0.252:80 maxconn 32
backend site2
balance roundrobin
option httpclose
option forwardfor
server s1 192.168.0.246:80 maxconn 32
Any help would be appreciated.
I have gotten a working ssl certificate, but I am unable to to get haproxy to work with the sites.
here is the config i have been using:
global
daemon
maxconn 4096
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
acl is_site1 hdr_end(host) -i server1.domain.com
acl is_site2 hdr_end(host) -i server2.domain.com
use_backend site1 if is_site1
use_backend site2 if is_site2
backend site1
balance roundrobin
option httpclose
option forwardfor
server s2 192.168.0.252:80 maxconn 32
backend site2
balance roundrobin
option httpclose
option forwardfor
server s1 192.168.0.246:80 maxconn 32
Any help would be appreciated.
ASKER
Hi
Thanks for your reply, I have tried just changing those two settings, but unfortunately it didn't work.
The browsers the popup with a SSL error.
Thanks for your reply, I have tried just changing those two settings, but unfortunately it didn't work.
The browsers the popup with a SSL error.
Hi
Oh, OK.
What is the error you get when using the browser?
Can I assume that the 'http-in' changes to 'https-in' and binds to 443. I guess somewhere you'll have to mention the ssl cert in the config.
I've configured IBM WebSEAL reverse proxy and that was over ssl. It was a couple of years ago now. Can you verify that your haproxy process is listening on 443?
Cheers, JP.
Oh, OK.
What is the error you get when using the browser?
Can I assume that the 'http-in' changes to 'https-in' and binds to 443. I guess somewhere you'll have to mention the ssl cert in the config.
I've configured IBM WebSEAL reverse proxy and that was over ssl. It was a couple of years ago now. Can you verify that your haproxy process is listening on 443?
Cheers, JP.
ASKER
I did change http-in to https-in and it does bind to port 443.
When using the following config:
frontend https-in
bind *:443
acl is_site1 hdr_end(host) -i server1.domain.com
acl is_site2 hdr_end(host) -i server2.domain.com
use_backend site1 if is_site1
use_backend site2 if is_site2
When you then try to access https://server1.domain.com my browser pops out the following error:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
When using the following config:
frontend https-in
bind *:443
acl is_site1 hdr_end(host) -i server1.domain.com
acl is_site2 hdr_end(host) -i server2.domain.com
use_backend site1 if is_site1
use_backend site2 if is_site2
When you then try to access https://server1.domain.com my browser pops out the following error:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
Can you show your domain name?
SSL PROTOCOL ERROR means you use SSLv3 which is broken or very short DH parameter, or very short key.
SSL PROTOCOL ERROR means you use SSLv3 which is broken or very short DH parameter, or very short key.
ASKER
I am trying to apply this to two different sites
hpps.co.za
and
soft-solutions.co.za
getting the same error at both sites
hpps.co.za
and
soft-solutions.co.za
getting the same error at both sites
They are still on other server I assume.
Since sites are different and will have different SSL keys I suggest you do with apache-worker or apache-event reverse proxy. HAProxy does not do SNI.
Since sites are different and will have different SSL keys I suggest you do with apache-worker or apache-event reverse proxy. HAProxy does not do SNI.
ASKER
To keep going currently i have used TMG as a stop gab, but i really dont want it use TMG.
I have tried to follow this: http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
Have you perhaps have a brief howto on how to get this accomplished in with apache on FreeBSD? I have done reverse proxy with apache in the past, but once again i am completely ignorant as to how to accomplish this with SSL.
thank you
I have tried to follow this: http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
Have you perhaps have a brief howto on how to get this accomplished in with apache on FreeBSD? I have done reverse proxy with apache in the past, but once again i am completely ignorant as to how to accomplish this with SSL.
thank you
Hi
Sorry, are you saying that you are now not using haproxy?
This reference http://blog.haproxy.com/20 14/10/15/h aproxy-and -sslv3-poo dle-vulner ability/ describes how to deny sslv3 for your configuration, like;
In SSL offloading mode
In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:
1 bind 10.0.0.1:443 ssl crt /path/to/cert.pem no-sslv3
In SSL forward mode
In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must setup an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:
1 bind 10.0.0.1:443
2 tcp-request inspect-delay 2s
3 acl sslv3 req.ssl_ver 3
4 tcp-request content reject if sslv3
If I'm barking up the wrong tree, just throw me a stick!
Cheers, JP.
Sorry, are you saying that you are now not using haproxy?
This reference http://blog.haproxy.com/20
In SSL offloading mode
In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:
1 bind 10.0.0.1:443 ssl crt /path/to/cert.pem no-sslv3
In SSL forward mode
In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must setup an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:
1 bind 10.0.0.1:443
2 tcp-request inspect-delay 2s
3 acl sslv3 req.ssl_ver 3
4 tcp-request content reject if sslv3
If I'm barking up the wrong tree, just throw me a stick!
Cheers, JP.
ASKER
I am confused, I think maybe haproxy is not the way to go for me here. I am going to give this a go
https://help.knthost.com/nginx/nginx-reverse-proxy-setup-freebsd
https://help.knthost.com/nginx/nginx-reverse-proxy-setup-freebsd
Hi
I guess the key objective for you is the SSL. That being so, you'll need to define your SSL detail in either config; it seems that this is your sticking point...
Just to cover all bases; do you have a valid signed or self-signed certificate? When you connect over https a browser expects to see one presented.
Good luck hey!
Cheers, JP.
I guess the key objective for you is the SSL. That being so, you'll need to define your SSL detail in either config; it seems that this is your sticking point...
Just to cover all bases; do you have a valid signed or self-signed certificate? When you connect over https a browser expects to see one presented.
Good luck hey!
Cheers, JP.
ASKER
Yes i have calid certificates purchased from Comodo. Will test some more stuff and give feedback later today.
thanks
thanks
ASKER
after many failures trying to use nginx, i have switch to pound. can have some success there.
Hi
Sounds like you have been successful. Well done!
Cheers, JP.
Sounds like you have been successful. Well done!
Cheers, JP.
ASKER
well not yet.... at least i am no longer getting any SSL issues. But the redirection to exchange (which is one of the sites i need to redirect to) get IIS related access denied issues. Will paste the config when i am done
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Manage to create a working solution from lots of RTFM
Never used this haproxy, but ssl will transport over https and port 443.
Perhaps you want to configure your settings to reflect that.
HTH.
Cheers, JP.