HAProxy's ACLs not working as expected
-
The goal here is to restrict access to some web services. One criterion to allow access is for users to have a valid SSL certificate (mostly for users), while the other is for them to come from specific IP ranges (mostly to allow servers).
In HAProxy, I configured an ACL called "2FA". The first test definition is to require a valid cert and the second is to require the source IP to be from the appropriate range. When there are multiple definitions for the same ACL, satisfying any one of them should be good (grouped by OR).
The second ACL is when the host name starts with "restricted.domain.com" (I used "starts with" because sometimes there is a port at the end).
Once the ACLs and backend are configured, I created an action to use the backend for that service when both ACLs are validated. Unfortunately, it does not work.
Under the hood, pfSense creates an extra ACL named "aclsystem_ssl_c_used" and makes it a hard requirement in addition to the 2FA ACL I configured. As such, if a user comes with a valid cert, he will be allowed in as expected. The problem is that someone from the allowed IP range will not be if he does not have a certificate (servers cannot connect).
The only workaround I found was to create two separate ACLs for authentication: 2FA, which tests only for the valid cert, and "KnownIPs", which tests only for IPs. I then need two actions, one for that backend AND 2FA and another for that backend AND KnownIPs. Configured like that, both clients and servers can use the service as expected.
Is it possible to have both tests in a single 2FA ACL as I tried to do first? I have many services and configuring everything twice is not an interesting option...
Thanks in advance for your help,
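For readers who want to see the working two-ACL arrangement outside the pfSense GUI, here is an added example of an equivalent hand-written haproxy.cfg; it is not the poster's configuration nor what pfSense generates, and the certificate paths, backend names and the 203.0.113.0/24 server range are assumptions.

```haproxy
# Added example (not the poster's or pfSense's own configuration): a hand-written
# haproxy.cfg equivalent of the working two-ACL setup described in the post.
# Certificate paths, backend names and the 203.0.113.0/24 range are assumptions.
frontend https_in
    # Request a client certificate but keep the handshake open for clients that
    # have none: the servers in KnownIPs carry no certificate, and "verify required"
    # would reject them before any ACL is evaluated.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # ssl_c_verify is 0 for a valid certificate, but also when no certificate was
    # presented at all (nothing failed), so it must be ANDed with ssl_c_used. This
    # is the role the post attributes to pfSense's "aclsystem_ssl_c_used".
    acl has_cert      ssl_c_used
    acl cert_verified ssl_c_verify 0
    acl KnownIPs      src 203.0.113.0/24
    # "begins with" rather than an exact match, so "restricted.domain.com:8443" also matches
    acl restricted    req.hdr_beg(host) -i restricted.domain.com

    # Fail closed: a request for the restricted host that satisfies neither the
    # certificate path nor the IP path must not fall through to the default backend.
    http-request deny if restricted !KnownIPs !has_cert
    http-request deny if restricted !KnownIPs !cert_verified

    # Terms on one use_backend line are ANDed; the second line provides the OR.
    # Putting "src" under the same ACL name as the certificate test would OR them
    # at ACL level, but a hard requirement on ssl_c_used appended to the rule would
    # still exclude certificate-less servers, which is the behaviour the post describes.
    use_backend restricted_svc if restricted has_cert cert_verified
    use_backend restricted_svc if restricted KnownIPs
    default_backend public_svc

backend restricted_svc
    server app1 10.0.0.10:8080 check

backend public_svc
    server web1 10.0.0.20:8080 check
```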
-
@heracles31
Seems like this is the same issue as mine.
Have you figured out something yet?
-
@rupesh,
No, your case is not the same as mine.
For you, the problem is that there is a delay between a change of IP address and the moment pfSense updates the alias. I think it is done every hour or so. As such, access will not be maintained for a little while after a name moved from one IP to another, but pfSense should recover by itself.
Should you wish not to lose any access, you need to use another authentication mechanism. You can do so by using a VPN (IPsec or OpenVPN) or enforcing SSL client certificate verification in HAProxy the way I did.
But to rely on DNS names in a firewall is not a good practice for this very reason: there is a period during which the privileges are given to an unknown owner while the legitimate one is out of luck.
-
@heracles31 pfSense never updates the alias, despite updating and force reloading; also, this is just about exposing a port to very few IPs.
-
According to the hint written in the IP Alias creation form, it does.
Hint : Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used. An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated.
The thing is, when re-doing the DNS resolution, pfSense may be fooled by a DNS cache. If it probes a DNS server that has the old record in cache and does not re-probe the SOA, the new IP will not be detected. As such, the delay after an IP address changed is:
--Time for the client to update its records (can be as quick as instant or longer)
--Time for the previous record to be purged from the cache in the DNS server probed by pfSense
--Time for pfSense to renew the IP alias
After all of these delays, the alias will be updated. It can be very long, some DNS caches may last for 30 days, but at a certain moment, it will happen.
Regards,