Solved

haproxy Reverse proxy with ssl

Posted on 2014-10-21
Last Modified: 2016-02-11
For years I have been using haproxy on FreeBSD to do some reverse proxying.  Up to this point I have never had to use SSL for two sites.  Things changed and I now need them to be https.

I have gotten a working ssl certificate, but I am unable to get haproxy to work with the sites.

Here is the config I have been using:

global
    daemon
    maxconn 4096

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

backend site1
    balance roundrobin
    option httpclose
    option forwardfor
    server s2 192.168.0.252:80 maxconn 32

backend site2
    balance roundrobin
    option httpclose
    option forwardfor
    server s1 192.168.0.246:80 maxconn 32

Any help would be appreciated.
Question by:luddiemey

18 Comments
 

Expert Comment

by:popesy
Hi

Never used this haproxy, but ssl will transport over https and port 443.

Perhaps you want to configure your settings to reflect that.

HTH.

Cheers, JP.
 

Author Comment

by:luddiemey
Hi

Thanks for your reply, I have tried just changing those two settings, but unfortunately it didn't work.

The browser then pops up an SSL error.
 

Expert Comment

by:popesy
Hi

Oh, OK.  

What is the error you get when using the browser?

Can I assume that the 'http-in' changes to 'https-in' and binds to 443?  I guess somewhere you'll have to mention the ssl cert in the config.

I've configured IBM WebSEAL reverse proxy and that was over ssl. It was a couple of years ago now.  Can you verify that your haproxy process is listening on 443?

Cheers, JP.
 

Author Comment

by:luddiemey
I did change http-in to https-in and it does bind to port 443.

When using the following config:

frontend https-in
    bind *:443
    acl is_site1 hdr_end(host) -i server1.domain.com
    acl is_site2 hdr_end(host) -i server2.domain.com

    use_backend site1 if is_site1
    use_backend site2 if is_site2

When you then try to access https://server1.domain.com my browser pops out the following error:

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
 

Expert Comment

by:gheist
Can you show your domain name?
SSL PROTOCOL ERROR means you use SSLv3 which is broken or very short DH parameter, or very short key.
 

Author Comment

by:luddiemey
I am trying to apply this to two different sites

hpps.co.za

and

soft-solutions.co.za

getting the same error at both sites
 

Expert Comment

by:gheist
They are still on other server I assume.
Since the sites are different and will have different SSL keys, I suggest you do it with an apache-worker or apache-event reverse proxy. HAProxy does not do SNI.
 

Author Comment

by:luddiemey
To keep going, currently I have used TMG as a stop gap, but I really don't want to use TMG.

I have tried to follow this:  http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

Do you perhaps have a brief howto on how to get this accomplished with apache on FreeBSD?  I have done reverse proxy with apache in the past, but once again I am completely ignorant as to how to accomplish this with SSL.

thank you
 

Expert Comment

by:popesy
Hi

Sorry, are you saying that you are now not using haproxy?

This reference http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/ describes how to deny sslv3 for your configuration, like:

In SSL offloading mode

In this mode, HAProxy is the SSL endpoint of the connection.
It’s a simple keyword on the frontend bind directive:

    bind 10.0.0.1:443 ssl crt /path/to/cert.pem no-sslv3

In SSL forward mode

In this mode, HAProxy forwards the SSL traffic to the server without deciphering it.
We must set up an ACL to match the SSL protocol version, then we can refuse the connection. This must be added in a **frontend** section:

    bind 10.0.0.1:443
    tcp-request inspect-delay 2s
    acl sslv3 req.ssl_ver 3
    tcp-request content reject if sslv3


If I'm barking up the wrong tree, just throw me a stick!

Cheers, JP.
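Editor's added example, not posted by anyone in this thread: the full HAProxy 1.5 configuration that the SSL offloading snippet above implies for the two sites from the question. The `https-in` frontend shown earlier in the thread binds port 443 without the `ssl crt` keywords, so HAProxy answers plain HTTP on that port, which is exactly what a browser reports as ERR_SSL_PROTOCOL_ERROR. The certificate directory, hostnames and backend addresses below are assumptions taken from the question's config; HAProxy must be built with OpenSSL support for the `ssl` bind keyword to be accepted.

```haproxy
# Added example (not from the thread): TLS termination for two name-based
# sites on one HAProxy 1.5 listener. Paths and hostnames are assumptions.
global
    daemon
    maxconn 4096
    # Too-short DH parameters are one cause of handshake failures;
    # 2048 bits is the usual minimum.
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    # Send plain-HTTP visitors over to the HTTPS listener.
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # "ssl crt" is what makes HAProxy speak TLS on this port. Given a
    # directory, HAProxy loads every .pem file in it and picks the
    # certificate by the SNI name the client sends, so one listener can
    # serve both sites. Each .pem holds the certificate, any intermediate
    # chain, and the private key, concatenated in that order.
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/ no-sslv3
    # Tell the backends the original request was HTTPS.
    http-request set-header X-Forwarded-Proto https
    acl is_site1 hdr(host) -i server1.domain.com
    acl is_site2 hdr(host) -i server2.domain.com
    use_backend site1 if is_site1
    use_backend site2 if is_site2

backend site1
    balance roundrobin
    option forwardfor
    server s1 192.168.0.252:80 maxconn 32

backend site2
    balance roundrobin
    option forwardfor
    server s2 192.168.0.246:80 maxconn 32
```

Check the file with `haproxy -c -f <path to this config>` before restarting, then confirm the right certificate comes back for each name with `openssl s_client -connect <proxy address>:443 -servername server1.domain.com` (and again with `server2.domain.com`); a handshake that fails there, rather than in a browser, is much easier to read.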

 

Author Comment

by:luddiemey
I am confused, I think maybe haproxy is not the way to go for me here.  I am going to give this a go
https://help.knthost.com/nginx/nginx-reverse-proxy-setup-freebsd
 

Expert Comment

by:popesy
Hi

I guess the key objective for you is the SSL. That being so, you'll need to define your SSL detail in either config; it seems that this is your sticking point...

Just to cover all bases; do you have a valid signed or self-signed certificate?  When you connect over https a browser expects to see one presented.

Good luck hey!

Cheers, JP.
 

Author Comment

by:luddiemey
Yes, I have valid certificates purchased from Comodo.  Will test some more stuff and give feedback later today.

thanks
 

Author Comment

by:luddiemey
After many failures trying to use nginx, I have switched to pound, and have had some success there.
 

Expert Comment

by:popesy
Hi

Sounds like you have been successful. Well done!

Cheers, JP.
 

Author Comment

by:luddiemey
Well, not yet.... at least I am no longer getting any SSL issues.  But the redirection to Exchange (which is one of the sites I need to redirect to) gets IIS-related access denied issues.  Will paste the config when I am done.
 

Assisted Solution

by:luddiemey
luddiemey earned 0 total points
Ok here is the working part.  This is to get HTTPS access to my exchange.

# Pound configuration
# IgnoreCase, xHTTP and TimeOut are mandatory settings specific to OWA/ActiveSync

# TimeOut must be 3600 or greater to support ActiveSync
TimeOut         3600
LogLevel        5

## Backend check every X secs:
Alive 30
Grace 3600

IgnoreCase      1

## Listen, and redirect ... to:

ListenHttps
        Address <ip address of listening server>
        Port 443

        Client 120

        ## xHTTP 4 also allows PUT and DELETE (by default only GET, POST and HEAD):
        xHTTP 4

        Cert "/usr/local/etc/cert.pem"
        CAlist "/etc/ssl/cert.cer"

        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"

        Service "exchange"
                IgnoreCase 1
                ## Every path below starts with "/" so the OAB entry matches /OAB/... too
                URL "^/owa.*|^/Microsoft-Server-ActiveSync.*|^/rpc.*|^/exchange.*|^/exchweb.*|^/public.*|^/OAB.*|^/Autodiscover.*"

                BackEnd
                        Address <FQDN of internal exchange>
                        Port 443
                        HTTPS
                        TimeOut 180
                End

                Session
                        Type IP
                        TTL 1800
                End
        End
End


I now have to work on the second part, where the same listener needs to redirect to a different internet machine.
 

Accepted Solution

by:luddiemey
luddiemey earned 0 total points
To get the second part to work, I installed and configured ezjail to run a separate instance of pound.

Everything is now the way i need it to be and working
 

Author Closing Comment

by:luddiemey
Managed to create a working solution from lots of RTFM.