Haproxy Reverse proxy to old machine with old cipher
-
@johnpoz
Yep... -
@braunerroei Well if you are directly connecting to the machine, and not going through ha proxy - how is it a pfsense thing?
In your browser can't you view the cert that was presented.. normally with such errors there is advanced button, view cert, etc.
And if there is some error that even your browser is complaining about - I would expect haproxy to have same sort of issue with the cert.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03 -
@johnpoz Hi again! Could it be something about the upgrade to openssl 3 again?
-
@johnpoz
Hello:
via HAProxy (fax.mydomain.com)- "503 Service Unavailable - No server is available to handle this request"Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
-Roei
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Which has ZERO to do with pfsense - ZERO.. You don't go through pfsense if your directly accessing the machine, so no it wouldn't have anything to do with pfsense updating to openssl..
But yeah if you have something going on with it, then makes sense that haproxy would also complain. Fix it so your direct machine can access it.. And your haproxy issue most likely will be fixed as well.
-
@NightlyShark said in Haproxy Reverse proxy to old machine with old cipher:
openssl 3
I guess it is related to openssl 3.
-Roei
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
I guess it is related to openssl 3.
Not on pfsense it isn't - because when you access it direct and your seeing this error.. Pfsense isn't involved at all.. Maybe if you updated openssl on this device that is hosting your service?
-
I know, that direct access has nothing to do with pfSense.
I just sent the error code, in order to understand the issue, whilr direct access.
The device is multitech fax finder FF130, I don't think I can update the openssl.
-Roei
-
@braunerroei if direct access isn't working why would you think it should work through haproxy?
Like saying my car wont start when I sit in and turn the key.. But there is something wrong with my remote start because that isn't working ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03 -
@braunerroei Wait, you were not performing SSL offloading? ... You had HAProxy in TCP mode? ... Then ... the cert you configure for HAProxy via ACME does nothing... Like it doesn't exist
-
@johnpoz Still won't let me upvote you further... Damn rules...
-
@braunerroei Can you disable SSL on the machine and put it behind HAProxy in SSL offloading mode?
-
It's hpps offloading...
-
@braunerroei said in Haproxy Reverse proxy to old machine with old cipher:
It's hpps offloading...
What he means by that is just let haproxy handle the ssl, and make the connection via just http to the service behind.. Not both doing ssl.
As I stated before and asked for clarification on from you..
I let haproxy handle the ssl with the client, and it just talks to the backend via normal http. NO ssl..
-
-
@braunerroei port 443 is almost always going to be ssl.. From the service run it - have never in all my years in the biz seen a server listen on 443 that was not using https.
Can you just talk to this 10.1.1.108 vi http://10.1.1.108 ? which would be port 80
example - here is opening up one my servers just directly accessing it on that port 8282, but just via http
-
When I access the machine directly using http, it redirect to https.
I tried to access using haproxy - frontend that listen to 80, and backend with 443 - no success.
-Roei
-
@braunerroei well set your machine to not redirect to 443, or fix whatever problem it has with its ssl cert installed on that machine. Because if you can not access it directly via https://fqdn then something is wrong with the ssl on it. And would explain why haproxy is complaining as well if your browser on your machine can not even access it directly.
Is it the box itself redirecting you to https, or is your browser because of hsts?
-
@johnpoz
the box.... -
@braunerroei well stop it from doing that, can you not just disable https on it? And use just http? Or fix whatever is wrong with its cert..
Can you not just create a cert via the cert manager and pfsense and use that on it.. Pretty sure there is a way to get haproxy to trust them, or a way to not have it check the cert, etc.
but can tell you if you can't even get your browser to get to it via https directly, then haproxy is going to have a hard time as well.
