HAProxy SSL mode help needed

PiBa

@veldthui
So whats the current config like?

Frontend on :443 that does offloading with a certificate (and shows as such in the haproxy.conf)
And a Backend server that also uses :443 and re-encrypts the traffic between haproxy and IIS?

Something like this?: (i wrote it by hand.. so probably several mistakes there but the 'crt' and 'ssl' should be there..):

frontend HTTPS_FRONTEND
  bind :443 crt /var/haproxy/HTTPS_FRONTEND.crt
  mode http
  default_backend exchange 
backend exchange
  mode http
  server exchange 192.168.x.y:443 ssl verify none

If it aint working and it looks similar to above, what does it look like exactly?

veldthui

@PiBa At present using the ssl/tcp mode as I do not have any certs setup on HAProxy except for the one for pfsense itself using ACME.

PiBa

@veldthui Can you share the current config?

veldthui

Looks like this at present. webserver which is a CentOS apache webserver works. Exchange server which is on Windows 2016 IIS does not.

# Automaticaly generated, dont edit manually.
# Generated on: 2019-04-23 17:52
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:4444 name localstats
	mode http
	stats enable
	stats refresh 10
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend ACME-JV-NET-NZ-PROD
	bind			Ext IP:80 name Ext IP:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_ACME-JV-NET-NZ-PROD_503_ExampleErrorfile
	acl			JVNAS1	var(txn.txnhost) -m beg -i jvnas1
	acl			ACME	var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
	http-request set-var(txn.txnhost) hdr(host)
	http-request set-var(txn.txnpath) path
	use_backend JVNAS1-LE_ipvANY  if  JVNAS1 
	use_backend ACME-JV-NET-NZ-PROD_ipvANY  if  ACME 

frontend HTTPS_FRONTEND
	bind			10.101.101.1:443 name 10.101.101.1:443   
	mode			tcp
	log			global
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_HTTPS_FRONTEND_503_ExampleErrorfile
	tcp-request inspect-delay	5s
	acl			WEBSERVER	req.ssl_sni -m beg -i webserver
	acl			MAILSERVER	req.ssl_sni -m beg -i jvnet
	tcp-request content accept if { req.ssl_hello_type 1 }
	use_backend WEBSERVER_ipvANY  if  WEBSERVER 
	use_backend MAILSERVER_ipvANY  if  MAILSERVER 

backend JVNAS1-LE_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			JVNAS1-BE 192.168.0.30:80 id 103 check inter 1000  

backend ACME-JV-NET-NZ-PROD_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			ACME-BACKEND 127.0.0.1:4002 id 101  

backend WEBSERVER_ipvANY
	mode			tcp
	id			108
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			WEBSERVER 192.168.0.6:443 id 109 check inter 1000  

backend MAILSERVER_ipvANY
	mode			tcp
	id			106
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3

PiBa

@veldthui
I presume the "backend MAILSERVER_ipvANY" also has a server similar to the 'server WEBSERVER' with the only difference being a different ip & id ? If so then i would think it 'should work'..

veldthui

@PiBa said in HAProxy SSL mode help needed:

@veldthui
I presume the "backend MAILSERVER_ipvANY" also has a server similar to the 'server WEBSERVER' with the only difference being a different ip & id ? If so then i would think it 'should work'..

It is not the same. One is an Apache webserver. The one on MAILSERVER is IIS running on Server 2016. It should still just present a web page and if I go via a port redirect to it, it responds okay and gives me the outlook web mail.
Using HAProxy I either get a cannot provide a secure connection or web site did not respond. To get to the mail via HAProxy setup I have at present I use. https://jvnet.xxx.net:8843/owa. This gives me the error.
The mail server has a self signed cert which has a SAN cert for the supplied FQDN.

I might do some more google searches for exchange/haproxy issues and see what comes up. May even set up a seperate Server 2016 IIS with just a web site on it to see if that works or has issues.

veldthui

Well I am not sure what has happened but I came home from work and got another IIS web server up and running on a VM and was going to test it but thought I would test the mail server one more time before changing it and suddenly it appears to be working. Will need to test it from work to be 100% sure as using my phone to get outside my local network and come in through pfSense WAN rather than the LAN.

If it is working I can now test the activesync for my phone through HAProxy to the server and if that works it is all go.

Fingers crossed but not back at work until tomorrow night.

veldthui

Righto tonight I switched the port forward for 443 off and pointed 443 at HAProxy.

Tested Outlook Web Mail from a remote computer and worked perfectly. Tried my iPhone using the mail app and activesync and that also worked perfectly.

Tried my two web sites with IE and apart from the certificate errors due to be self signed that worked as well.

Tried with Chrome and getting an error of ERR_SLL_CERT_BAD_FORMAT.

Now this is strange because Chrome works fine if I redirect through port 8843 and a Virtual IP.

Any ideas? Maybe a proper signed cert will fix this but not sure why it works one way and not the other.

Certainly getting there though

PiBa

@veldthui
Nice that is working (mostly), i dont have any good idea about the reason for the ERR_SLL_CERT_BAD_FORMAT to appear in chrome.. Maybe the cert was created with duplicate serialnumbers of a other self created cert, or signed with a to weak fingerprint or something... Try clearing chrome's cache, and search for some details perhaps on the developer-window security and console tabs.. maybe either of them tells something more detailed? If other browsers work there is little reason to assume the problem is with the haproxy config itself.

veldthui

Okay have put in the real certs and all is working 100%. Very nice.

Now question. One site will have a wordpress site on which requires FTP for the updates. Can HAProxy be used to redirect port 21 the same was or am I stuck with a NAT Port redirection and limited to 1 FTP server on one machine?

PiBa

@veldthui
Haproxy does not 'understand' FTP protocol..
But you might be able to do something with 'FTPS' where the ftp connection is wrapped inside SSL, and haproxy might be able to use a SNI header if the ftp client sets that... Really guessing/hoping there bigtime though.. If thats not gonna fly then i don't think haproxy will be able to help you out here. For sure its not intended for this that is for sure.

Good the http/https part works nicely now :).