HAproxy SSL offloading complicated setup
-
Hello,
I have the following haproxy setup with wildcard SSLs and additional SSL certificates.
I am getting one issue that I cannot understand how to solve. I have two wildcard SSLs:
*.domain1.icu
*.domain2.icu
and several additional certificates like
core.demo99.stage.domain1.icu
core.dev2.stage.domain1.icu
Everything works normally, BUT when I add a new domain to the haproxy Frontend like core.devph.stage.domain1.icu and want it to be on the wildcard SSL certificate (not a separate one), then core.demo99.stage.domain1.icu is automatically applied to it. If I add test.domain1.icu, it applies the *.domain1.icu cert fine.
SO probably the issue is related to SNI. If I add core.devph.stage.domain1.icu to the SNI filter in the Primary Frontend, then SSL is applied fine BUT the backend stops working with a BAD REQUEST error, and in the logs I see "SSL handshake failed".
I guess I am missing something... Please help. Also, if you can help me understand how to generate a FREE SSL via pfSense for multi-level FQDNs like core.devph.stage.domain1.icu, it would be cool, because when *.domain1.icu is applied it still reports that the SSL is not trusted because of a wrong Common Name, and because of this in some cases I have to generate separate SSLs for it.
[2.6.0-RELEASE][root@pfSense.domain1.icu]/root: cat /var/etc/haproxy/haproxy.cfg
# Automaticaly generated, dont edit manually.
# Generated on: 2022-07-28 12:38
global
    maxconn 500
    log /var/run/log local0 debug
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname HaproxyMasterNode
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend https-primary-frontend-merged
    bind 172.28.28.28:443 name 172.28.28.28:443 ssl crt-list /var/etc/haproxy/https-primary-frontend.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl gpg var(txn.txnhost) -m str -i gpg.domain1.icu
    acl m-test-tm var(txn.txnhost) -m str -i tm.domain1.icu
    acl m-test-m var(txn.txnhost) -m str -i m.domain1.icu
    acl m-demo-tm var(txn.txnhost) -m str -i tm-demo.domain1.icu
    acl m-demo-m var(txn.txnhost) -m str -i m-demo.domain1.icu
    acl m-dev-m var(txn.txnhost) -m str -i m-dev.domain1.icu
    acl m-dev-tm var(txn.txnhost) -m str -i tm-dev.domain1.icu
    acl m-dev-ig var(txn.txnhost) -m str -i ig.m-dev.domain1.icu
    acl ecs-eml var(txn.txnhost) -m str -i eml-dev.domain1.icu
    acl ecs-madeira-m var(txn.txnhost) -m str -i m-madeira.domain1.icu
    acl ecs-madeira-tm var(txn.txnhost) -m str -i tm-madeira.domain1.icu
    acl m-dev-ig2 var(txn.txnhost) -m str -i ig-m-dev.domain1.icu
    acl traduora-domain1-icu var(txn.txnhost) -m str -i traduora.domain1.icu
    acl core.demo99.stage.domain1.icu var(txn.txnhost) -m str -i core.demo99.stage.domain1.icu
    acl core.dev2.stage.domain1.icu var(txn.txnhost) -m str -i core.dev2.stage.domain1.icu
    acl core.devph.stage.domain1.icu var(txn.txnhost) -m str -i core.devph.stage.domain1.icu
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^core\.demo99\.stage\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^core\.dev2\.stage\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^core\.devph\.stage\.domain1\.icu(:([0-9]){1,5})?$
    acl m-monitoring var(txn.txnhost) -m str -i monitoring.domain2.eu
    acl core.cloud2.prod.domain2.eu var(txn.txnhost) -m str -i core.cloud2.prod.domain2.eu
    acl tm.cloud2.prod.domain2.eu var(txn.txnhost) -m str -i tm.cloud2.prod.domain2.eu
    acl aclcrt_haproxy-https-domain2 var(txn.txnhost) -m reg -i ^([^\.]*)\.domain2\.eu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain2 var(txn.txnhost) -m reg -i ^core\.cloud2\.prod\.domain2\.eu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain2 var(txn.txnhost) -m reg -i ^tm\.cloud2\.prod\.domain2\.eu(:([0-9]){1,5})?$
    acl aclcrt_https-primary-frontend var(txn.txnhost) -m reg -i ^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_https-primary-frontend var(txn.txnhost) -m reg -i ^([^\.]*)\.domain2\.eu(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    http-request deny if { req.hdr_cnt(content-length) gt 1 }
    http-response deny if { res.hdr_cnt(content-length) gt 1 }
    use_backend gpg.domain1.icu_ipvANY if gpg aclcrt_haproxy-https-domain1
    use_backend m-test_ipvANY if m-test-tm aclcrt_haproxy-https-domain1
    use_backend m-test_ipvANY if m-test-m aclcrt_haproxy-https-domain1
    use_backend m-demo_ipvANY if m-demo-tm aclcrt_haproxy-https-domain1
    use_backend m-demo_ipvANY if m-demo-m aclcrt_haproxy-https-domain1
    use_backend m-dev_ipvANY if m-dev-m aclcrt_haproxy-https-domain1
    use_backend m-dev_ipvANY if m-dev-tm aclcrt_haproxy-https-domain1
    use_backend m-dev_ipvANY if m-dev-ig aclcrt_haproxy-https-domain1
    use_backend ecs-eml_ipvANY if ecs-eml aclcrt_haproxy-https-domain1
    use_backend ecs-madeira_ipvANY if ecs-madeira-m aclcrt_haproxy-https-domain1
    use_backend ecs-madeira_ipvANY if ecs-madeira-tm aclcrt_haproxy-https-domain1
    use_backend m-dev_ipvANY if m-dev-ig2 aclcrt_haproxy-https-domain1
    use_backend traduora.domain1.icu_ipvANY if traduora-domain1-icu aclcrt_haproxy-https-domain1
    use_backend core.demo99.stage.domain1.icu_ipvANY if core.demo99.stage.domain1.icu aclcrt_haproxy-https-domain1
    use_backend core.dev2.stage.domain1.icu_ipvANY if core.dev2.stage.domain1.icu aclcrt_haproxy-https-domain1
    use_backend core.devph.stage.domain1.icu_ipvANY if core.devph.stage.domain1.icu aclcrt_haproxy-https-domain1
    use_backend m-monitoring_ipvANY if m-monitoring aclcrt_haproxy-https-domain2
    use_backend core.cloud2.prod.domain2.eu_ipvANY if core.cloud2.prod.domain2.eu aclcrt_haproxy-https-domain2
    use_backend tm.cloud2.prod.domain2.eu_ipvANY if tm.cloud2.prod.domain2.eu aclcrt_haproxy-https-domain2

frontend http-to-https
    bind 172.28.28.28:80 name 172.28.28.28:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    http-request redirect scheme https unless { ssl_fc }
    http-request deny if { req.hdr_cnt(content-length) gt 1 }
    http-response deny if { res.hdr_cnt(content-length) gt 1 }

backend gpg.domain1.icu_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server gpg 192.169.0.213:443 id 101 ssl verify none

backend m-test_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server m-test 10.127.2.27:443 id 101 ssl verify none

backend m-demo_ipvANY
    mode http
    id 103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server m-demo 10.127.1.244:443 id 101 ssl verify none

backend m-dev_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server m-dev 10.127.0.125:443 id 101 ssl verify none

backend ecs-eml_ipvANY
    mode http
    id 105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server ecs-eml 10.127.0.177:443 id 106 ssl verify none

backend ecs-madeira_ipvANY
    mode http
    id 111
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server ecs-madeira 10.127.3.224:443 id 110 ssl verify none

backend traduora.domain1.icu_ipvANY
    mode http
    id 116
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server traduora.domain1.icu 192.169.0.169:80 id 118

backend core.demo99.stage.domain1.icu_ipvANY
    mode http
    id 119
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server core.demo99.stage.domain1.icu 192.169.22.16:443 id 120 ssl verify none

backend core.dev2.stage.domain1.icu_ipvANY
    mode http
    id 112
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server core.dev2.stage.domain1.icu 192.169.22.197:443 id 113 ssl verify none

backend core.devph.stage.domain1.icu_ipvANY
    mode http
    id 121
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server core.devph.stage.domain1.icu 192.169.22.68:443 id 113 ssl verify none

backend m-monitoring_ipvANY
    mode http
    id 109
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server m-monitoring 192.169.0.8:443 id 110 ssl verify none

backend core.cloud2.prod.domain2.eu_ipvANY
    mode http
    id 115
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server core.cloud2.prod.domain2.eu 192.169.22.133:443 id 101 ssl verify none

backend tm.cloud2.prod.domain2.eu_ipvANY
    mode http
    id 117
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server tm.cloud2.prod.domain2.eu 192.169.22.134:443 id 101 ssl verify none
-
@lex-under-3182 said in HAproxy SSL offloading complicated setup:
BUT when I add new domain to haproxy Frontend like core.devph.stage.domain1.icu and want it to be on wildcard SSL certificate

Which one? You don't have any matching.
-
I think here is the matching for the SSL certificate.
It ignores the first one for multilevel subdomains and automatically applies the second one, core.demo99.stage.domain1.icu:

    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^core\.demo99\.stage\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^core\.dev2\.stage\.domain1\.icu(:([0-9]){1,5})?$
    acl aclcrt_haproxy-https-domain1 var(txn.txnhost) -m reg -i ^core\.devph\.stage\.domain1\.icu(:([0-9]){1,5})?$
-
@lex-under-3182 said in HAproxy SSL offloading complicated setup:
It ignores the first one for multilevel subdomains and automatically applies the second one core.demo99.stage.domain1.icu
Yeah, multiple subdomains at the level of the star, which is the third: *.domain1.icu
So you can use it for any domain in which you can replace the star with any proper string.
So it may work with stage.domain1.icu, but not with core.devph.stage.domain1.icu. This domain has five levels.
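As an added illustration of the wildcard point above and of the aclcrt regex lines the original poster quoted (this is example code, not from the thread, pfSense or HAProxy), the following Python models how a crt-list selects a certificate for an SNI name: a `*.` wildcard covers exactly one DNS label, an exact filter wins over a wildcard, and with no match the first certificate on the bind line is served as the default. It then runs the single-label regex from the posted haproxy.cfg against the thread's hostnames. The crt-list order and the .pem file names are constructed assumptions.

```python
"""Model of HAProxy crt-list SNI selection plus the thread's aclcrt regex.
Constructed example: the crt-list below and its file names are assumptions."""
import re

# Constructed crt-list: (certificate file, SNI filters), in bind-line load order.
# In HAProxy the first certificate loaded is the default when nothing matches.
CRT_LIST = [
    ("core.demo99.stage.domain1.icu.pem", ["core.demo99.stage.domain1.icu"]),
    ("wildcard.domain1.icu.pem", ["*.domain1.icu"]),
    ("wildcard.domain2.icu.pem", ["*.domain2.icu"]),
    ("core.dev2.stage.domain1.icu.pem", ["core.dev2.stage.domain1.icu"]),
]

# Single-label regex copied from the posted haproxy.cfg (aclcrt_haproxy-https-domain1).
ACL_WILDCARD_DOMAIN1 = re.compile(r"^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$", re.I)


def sni_matches(sni_filter: str, hostname: str) -> bool:
    """A leading '*.' covers exactly one label; anything else is an exact,
    case-insensitive comparison."""
    f, h = sni_filter.lower(), hostname.lower()
    if f.startswith("*."):
        head, sep, tail = h.partition(".")
        return bool(head) and sep == "." and tail == f[2:]
    return f == h


def select_cert(crt_list, server_name: str) -> tuple:
    """Return (certificate file, matched_by_sni). Exact filters beat wildcards;
    with no match the first (default) certificate is returned."""
    wildcard_hit = None
    for cert, filters in crt_list:
        for flt in filters:
            if not sni_matches(flt, server_name):
                continue
            if flt.startswith("*."):
                wildcard_hit = wildcard_hit or cert
            else:
                return cert, True
    if wildcard_hit:
        return wildcard_hit, True
    return crt_list[0][0], False


def acl_allows_domain1(host_header: str) -> bool:
    """Does the page's single-label regex accept this Host header value?"""
    return ACL_WILDCARD_DOMAIN1.match(host_header) is not None


if __name__ == "__main__":
    for name in ("test.domain1.icu", "core.devph.stage.domain1.icu"):
        print(name, select_cert(CRT_LIST, name), acl_allows_domain1(name))
```

With the constructed list, core.devph.stage.domain1.icu matches no filter and is handed the default certificate, which is the behaviour the original poster observed; test.domain1.icu lands on the wildcard and also passes the single-label ACL.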