Haproxy Reverse proxy to old machine with old cipher
-
@braunerroei so which is - you get a 503 via haproxy - and then this error if you try to directly access the machine without going through ha proxy?
ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
-
@johnpoz
Yep... -
@braunerroei Well if you are directly connecting to the machine, and not going through ha proxy - how is it a pfsense thing?
In your browser can't you view the cert that was presented.. normally with such errors there is advanced button, view cert, etc.
And if there is some error that even your browser is complaining about - I would expect haproxy to have same sort of issue with the cert.
-
@johnpoz Hi again! Could it be something about the upgrade to openssl 3 again?
-
@johnpoz
Hello:
via HAProxy (fax.mydomain.com)- "503 Service Unavailable - No server is available to handle this request"Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
-Roei
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Which has ZERO to do with pfsense - ZERO.. You don't go through pfsense if your directly accessing the machine, so no it wouldn't have anything to do with pfsense updating to openssl..
But yeah if you have something going on with it, then makes sense that haproxy would also complain. Fix it so your direct machine can access it.. And your haproxy issue most likely will be fixed as well.
-
@NightlyShark said in Haproxy Reverse proxy to old machine with old cipher:
openssl 3
I guess it is related to openssl 3.
-Roei
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
I guess it is related to openssl 3.
Not on pfsense it isn't - because when you access it direct and your seeing this error.. Pfsense isn't involved at all.. Maybe if you updated openssl on this device that is hosting your service?
-
I know, that direct access has nothing to do with pfSense.
I just sent the error code, in order to understand the issue, whilr direct access.
The device is multitech fax finder FF130, I don't think I can update the openssl.
-Roei
-
@braunerroei if direct access isn't working why would you think it should work through haproxy?
Like saying my car wont start when I sit in and turn the key.. But there is something wrong with my remote start because that isn't working ;)
-
@braunerroei Wait, you were not performing SSL offloading? ... You had HAProxy in TCP mode? ... Then ... the cert you configure for HAProxy via ACME does nothing... Like it doesn't exist
-
@johnpoz Still won't let me upvote you further... Damn rules...
-
@braunerroei Can you disable SSL on the machine and put it behind HAProxy in SSL offloading mode?
-
It's hpps offloading...
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
It's hpps offloading...
What he means by that is just let haproxy handle the ssl, and make the connection via just http to the service behind.. Not both doing ssl.
As I stated before and asked for clarification on from you..
I let haproxy handle the ssl with the client, and it just talks to the backend via normal http. NO ssl..
-
-
@braunerroei port 443 is almost always going to be ssl.. From the service run it - have never in all my years in the biz seen a server listen on 443 that was not using https.
Can you just talk to this 10.1.1.108 vi http://10.1.1.108 ? which would be port 80
example - here is opening up one my servers just directly accessing it on that port 8282, but just via http
-
When I access the machine directly using http, it redirect to https.
I tried to access using haproxy - frontend that listen to 80, and backend with 443 - no success.
-Roei
-
@braunerroei well set your machine to not redirect to 443, or fix whatever problem it has with its ssl cert installed on that machine. Because if you can not access it directly via https://fqdn then something is wrong with the ssl on it. And would explain why haproxy is complaining as well if your browser on your machine can not even access it directly.
Is it the box itself redirecting you to https, or is your browser because of hsts?
-
@johnpoz
the box....