• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2044
  • Last Modified:

haproxy Reverse proxy with ssl

For years i have been using haproxy on FreeBSD to do some reverse proxying.  Up to this point i have never had to use SSL for two sites.  Things changed and i now need them to be https.

I have gotten a working ssl certificate, but I am unable to to get haproxy to work with the sites.

here is the config i have been using:

global
    daemon
    maxconn 4096

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

backend site1
    balance roundrobin
    option httpclose
    option forwardfor
    server s2 192.168.0.252:80 maxconn 32

backend site2
    balance roundrobin
    option httpclose
    option forwardfor
    server s1 192.168.0.246:80 maxconn 32

Any help would be appreciated.
0
luddiemey
Asked:
luddiemey
  • 11
  • 5
  • 2
2 Solutions
 
John PopeIT ConsultantCommented:
Hi

Never used this haproxy, but ssl will transport over https and port 443.

Perhaps you want to configure your settings to reflect that.

HTH.

Cheers, JP.
0
 
luddiemeyAuthor Commented:
Hi

Thanks for your reply, I have tried just changing those two settings, but unfortunately it didn't work.

The browsers the popup with a SSL error.
0
 
John PopeIT ConsultantCommented:
Hi

Oh, OK.  

What is the error you get when using the browser?

Can I assume that the 'http-in' changes to 'https-in' and binds to 443.  I guess somewhere you'll have to mention the ssl cert in the config.

I've configured IBM WebSEAL reverse proxy and that was over ssl. It was a couple of years ago now.  Can you verify that your haproxy process is listening on 443?

Cheers, JP.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
luddiemeyAuthor Commented:
I did change http-in to https-in and it does bind to port 443.

When using the following config:

frontend https-in
    bind *:443
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

When you then try to access https://server1.domain.com my browser pops out the following error:

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
0
 
gheistCommented:
Can you show your domain name?
SSL PROTOCOL ERROR means you use SSLv3 which is broken or very short DH parameter, or very short key.
0
 
luddiemeyAuthor Commented:
I am trying to apply this to two different sites

hpps.co.za

and

soft-solutions.co.za

getting the same error at both sites
0
 
gheistCommented:
They are still on other server I assume.
Since sites are different and will have different SSL keys I suggest you do with apache-worker or apache-event reverse proxy. HAProxy does not do SNI.
0
 
luddiemeyAuthor Commented:
To keep going currently i have used TMG as a stop gab, but i really dont want it use TMG.  

I have tried to follow this:  http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Have you perhaps have a brief howto on how to get this accomplished in with apache on FreeBSD?  I have done reverse proxy with apache in the past, but once again i am completely ignorant as to how to accomplish this with SSL.

thank you
0
 
John PopeIT ConsultantCommented:
Hi

Sorry, are you saying that you are now not using haproxy?

This reference http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/ describes how to deny sslv3 for your configuration, like;

In SSL offloading mode

In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:

1      bind 10.0.0.1:443 ssl crt /path/to/cert.pem no-sslv3

In SSL forward mode

In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must setup an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:

1      bind 10.0.0.1:443
2      tcp-request inspect-delay 2s
3      acl sslv3 req.ssl_ver 3
4      tcp-request content reject if sslv3


If I'm barking up the wrong tree, just throw me a stick!

Cheers, JP.
0
 
luddiemeyAuthor Commented:
I am confused, I think maybe haproxy is not the way to go for me here.  I am going to give this a go
https://help.knthost.com/nginx/nginx-reverse-proxy-setup-freebsd
0
 
John PopeIT ConsultantCommented:
Hi

I guess the key objective for you is the SSL. That being so, you'll need to define your SSL detail in either config; it seems that this is your sticking point...

Just to cover all bases; do you have a valid signed or self-signed certificate?  When you connect over https a browser expects to see one presented.

Good luck hey!

Cheers, JP.
0
 
luddiemeyAuthor Commented:
Yes i have calid certificates purchased from Comodo.  Will test some more stuff and give feedback later today.

thanks
0
 
luddiemeyAuthor Commented:
after many failures trying to use nginx, i have switch to pound.  can have some success there.
0
 
John PopeIT ConsultantCommented:
Hi

Sounds like you have been successful. Well done!

Cheers, JP.
0
 
luddiemeyAuthor Commented:
well not yet.... at least i am no longer getting any SSL issues.  But the redirection to exchange (which is one of the sites i need to redirect to) get IIS related access denied issues.  Will paste the config when i am done
0
 
luddiemeyAuthor Commented:
Ok here is the working part.  This is to get HTTPS access to my exchange.

#Pound Conifguration
#IgnoreCase, xHTTP and TimeOuts are mandatory settings specific to OWA/ActiveSync

#TimeOut must me 3600 or greater to support ActiveSync
TimeOut         3600
LogLevel        5

## Backend check every X secs:
Alive 30
Grace 3600

IgnoreCase      1

## List, and redirect ... to:

ListenHttps
        Address <ip address of listening server>
        Port 443

        Client 120

        PUT and DELETE allow ## so (by default only GET, POST and HEAD) ?:
        xHTTP 4

        Cert "/usr/local/etc/cert.pem"
        CAlist "/etc/ssl/cert.cer"

        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        Service "exchange"
                IgnoreCase 1
                URL "^/owa.*|^/Microsoft-Server-ActiveSync.*|^/rpc.*|^/exchange.*|^/exchweb.*|^/public.*|^OAB.*|^/Autodiscover.*"



                   BackEnd
                        Address <FQDN of internal exchnage>
                        Port 443
                        HTTPS
                        TimeOut 180
                End

                Session
                        Type IP
                        TTL 1800
                End
        End

       
End


I now have to work on the second part, where the same listener need to redirect to a different internet machine.
0
 
luddiemeyAuthor Commented:
To get the second part to work, i installed and configured ezjail to run a separate instance of pound.

Everything is now the way i need it to be and working
0
 
luddiemeyAuthor Commented:
Manage to create a working solution from lots of RTFM
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 11
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now