Link to home
Start Free TrialLog in
Avatar of luddiemey
luddiemey

asked on

haproxy Reverse proxy with ssl

For years i have been using haproxy on FreeBSD to do some reverse proxying.  Up to this point i have never had to use SSL for two sites.  Things changed and i now need them to be https.

I have gotten a working ssl certificate, but I am unable to to get haproxy to work with the sites.

here is the config i have been using:

global
    daemon
    maxconn 4096

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

backend site1
    balance roundrobin
    option httpclose
    option forwardfor
    server s2 192.168.0.252:80 maxconn 32

backend site2
    balance roundrobin
    option httpclose
    option forwardfor
    server s1 192.168.0.246:80 maxconn 32

Any help would be appreciated.
Avatar of John Pope
John Pope
Flag of United Kingdom of Great Britain and Northern Ireland image

Hi

Never used this haproxy, but ssl will transport over https and port 443.

Perhaps you want to configure your settings to reflect that.

HTH.

Cheers, JP.
Avatar of luddiemey
luddiemey

ASKER

Hi

Thanks for your reply, I have tried just changing those two settings, but unfortunately it didn't work.

The browsers the popup with a SSL error.
Hi

Oh, OK.  

What is the error you get when using the browser?

Can I assume that the 'http-in' changes to 'https-in' and binds to 443.  I guess somewhere you'll have to mention the ssl cert in the config.

I've configured IBM WebSEAL reverse proxy and that was over ssl. It was a couple of years ago now.  Can you verify that your haproxy process is listening on 443?

Cheers, JP.
I did change http-in to https-in and it does bind to port 443.

When using the following config:

frontend https-in
    bind *:443
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

When you then try to access https://server1.domain.com my browser pops out the following error:

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
Can you show your domain name?
SSL PROTOCOL ERROR means you use SSLv3 which is broken or very short DH parameter, or very short key.
I am trying to apply this to two different sites

hpps.co.za

and

soft-solutions.co.za

getting the same error at both sites
They are still on other server I assume.
Since sites are different and will have different SSL keys I suggest you do with apache-worker or apache-event reverse proxy. HAProxy does not do SNI.
To keep going currently i have used TMG as a stop gab, but i really dont want it use TMG.  

I have tried to follow this:  http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Have you perhaps have a brief howto on how to get this accomplished in with apache on FreeBSD?  I have done reverse proxy with apache in the past, but once again i am completely ignorant as to how to accomplish this with SSL.

thank you
Hi

Sorry, are you saying that you are now not using haproxy?

This reference http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/ describes how to deny sslv3 for your configuration, like;

In SSL offloading mode

In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:

1      bind 10.0.0.1:443 ssl crt /path/to/cert.pem no-sslv3

In SSL forward mode

In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must setup an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:

1      bind 10.0.0.1:443
2      tcp-request inspect-delay 2s
3      acl sslv3 req.ssl_ver 3
4      tcp-request content reject if sslv3


If I'm barking up the wrong tree, just throw me a stick!

Cheers, JP.
I am confused, I think maybe haproxy is not the way to go for me here.  I am going to give this a go
https://help.knthost.com/nginx/nginx-reverse-proxy-setup-freebsd
Hi

I guess the key objective for you is the SSL. That being so, you'll need to define your SSL detail in either config; it seems that this is your sticking point...

Just to cover all bases; do you have a valid signed or self-signed certificate?  When you connect over https a browser expects to see one presented.

Good luck hey!

Cheers, JP.
Yes i have calid certificates purchased from Comodo.  Will test some more stuff and give feedback later today.

thanks
after many failures trying to use nginx, i have switch to pound.  can have some success there.
Hi

Sounds like you have been successful. Well done!

Cheers, JP.
well not yet.... at least i am no longer getting any SSL issues.  But the redirection to exchange (which is one of the sites i need to redirect to) get IIS related access denied issues.  Will paste the config when i am done
SOLUTION
Avatar of luddiemey
luddiemey

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Manage to create a working solution from lots of RTFM