Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAproxy prevent sending back correct CN, when not sent.

    Cache/Proxy
    1
    1
    262
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      So little back info.. Which I was not aware of until recently.. Because I never actually tried it, and just assumed when wrong CN sent it wouldn't work because of my ACLs and not having a default backend setup, etc.. So thought HArproxy would just send back a 503..

      So I have a openvpn instance listening on 443.. And if you hit that and your not an openvpn connection with the correct info (tls key) open just drops you. Which is all good.. But also wanted 443 for my ombi site, my plex users can request stuff.

      So using a portshare in openvpn, if its not openvpn traffic, it gets handed over to haproxy via a loopback listening on 9443.. This does the ssl offloading for ombi and gives the remote user a secure https connection to me.. The backend in haproxy talks to the ombi instance via just normally http port.

      All good with the world.. Figure hey some bot hitting my IP just randomly on my IP would get back a 503.. And that would be good since they could never actually hit my ombi instance.

      But what I found out the other day was hey if you hit https://publicIP - you get back this error.

      Connecting to 64.53.x.x:443... connected.
    WARNING: certificate common name ‘host.domain.tld’ doesn't match requested host name ‘64.53.x.x.’.
HTTP request sent, awaiting response... 503 Service Unavailable
2020-08-25 06:09:37 ERROR 503: Service Unavailable.

      What? That is not good, I don't want to send some bot that info about what cn to use..

      Well thought there has to be away to stop that via some ACLs (which I thought I had in place).. So found some stuff (older) talking about another frontend and dummy backend, etc. That seems a little much.. I take it those were old and some really old versions of haproxy.

      While I use haproxy, and have done some neat stuff with it, never really had to dive into it because it just did what I asked it to do via the gui. I really only use currently for that one site, in the past I have hosted up a few other things, etc. But never anything fancy or complicated.

      Reached out to @PiBa and bob's your uncle, one setting and now get back exactly what I thought would happen.. If you don't send the correct sni, you just get told to F off ;)

      Just need to set strict-sni

      strict-sni.png

      Now if you hit just the IP you get back this.

      wget https://64.53.x.x --no-check-certificate
--2020-08-28 00:52:05--  https://64.53.x.x/
Connecting to 64.53.x.x:443... connected.
OpenSSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
Unable to establish SSL connection.

      Which is what I want to happen - don't have the correct sni, get told to F off ;)

      If you send the correct sni, then you get access to login
      correctsni.png

      So big thank you to @PiBa posted this info on the chance anyone else wants this to happen on their setups.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.