Netgate Discussion Forum

    Haproxy - mixed SSL mode: SNI SSL offloading + SNI SSL from backend - how?

    Cache/Proxy
    4 Posts 4 Posters 6.8k Views
      olegfusion

      Hello!
      Question1:
      I'm currently running haproxy SSL on port 443. I don't use SSL offloading. Instead, an ACL detects domain names by SNI and switches backends. In the backend I forward the SSL certificate from the backend server. This way haproxy receives the correct SSL from the server and forwards it to users.

      Now I have decided to use the letsencrypt plugins for some of the servers. I wish to keep SSL forwarding for some of the backends, but it looks like I can only use SSL forwarding or SSL offloading for all servers together.
      I attached a picture of what I mean (the SSL offloading tick is available for all input connections, 0.0.0.0:443).

      How can it be ruled?

      Frontend port 443 advanced settings:

      tcp-request content accept if { req_ssl_hello_type 1 }

      Example of current backend setup with SSL forwarding from the backend server.
      Advanced settings:

      mode tcp

      # maximum SSL session ID length is 32 bytes.
      stick-table type binary len 32 size 30k expire 30m

      acl clienthello req_ssl_hello_type 1
      acl serverhello rep_ssl_hello_type 2

      # compression only applies in HTTP mode; it has no effect on a TCP-mode backend.
      compression algo gzip
      compression type text/html text/plain text/css

      # use tcp content accepts to detect ssl client and server hello.
      tcp-request inspect-delay 5s
      tcp-request content accept if clienthello

      # no timeout on response inspect delay by default.
      tcp-response content accept if serverhello

      # SSL session ID: length byte at offset 43, value starts at offset 44.
      # Match and learn on request if client hello.
      stick on payload_lv(43,1) if clienthello

      # Learn on response if server hello.
      stick store-response payload_lv(43,1) if serverhello

      # health check sends an SSL hello; server name and address are the real backend host.
      option ssl-hello-chk
      server sni_domain_name.com local_ip:443 check

      Question 2:
      I have DMZ, LAN and WAN networks. I use the DNS forwarder, and all packets from LAN to DMZ are working in the local network. How can I set up the network so that all traffic from the LAN network on ports 80 and 443 will go to pfSense haproxy and then be forwarded to the DMZ network backend servers? At the same time, if I ping the DMZ servers' domain names it should return the local address.

      In other words, how do I forward all port 80 and 443 traffic through haproxy on pfSense in the local network?

      Thanks for any advice.
      [attachment: 1.PNG]

        doktornotor

        Did you read this?

        https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

          efishta

          @doktornotor:

          Did you read this?

          https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

          I'm in the same boat as OP.

          I adapted the instructions as best I could to my current setup, but since it's not working for me, I've a few questions regarding the documented setup in your link.

          In that configuration, there are 3 total frontends:

          http to https redirect - listening on port 80
          https/SNI passthrough - listening on port 443
          https SSL offloading - listening on port 1443

          I understand that the first front end :80 merely redirects all http requests to https.

          I also understand that the TLS SNI requests coming through to port 443 on the second front end are routed to the proper HTTPS backend.

          However, I don't understand how HAProxy knows to listen for the offloaded SSL frontend (3) - (which encrypts HTTP traffic from the backend) - on port 1443 of the "localhost". There is no additional reference that I can see to this instance apart from frontend1, which is the http-to-https redirector. How does this work? Surely I don't have to enter mydomain.com:1443 to redirect to the proper offloaded backend.

          Also, can a shared frontend work with mixed SNI/offloading ACLs?

          Thanks.

            PiBa

            The backend "Frontend3-offloading" under the header "offloading backend with special check" is sending traffic to the second 1443 frontend.

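A stand-alone haproxy.cfg that makes the wiring PiBa describes visible, and that also answers the OP's first question, since a single :443 frontend serves both passthrough hosts and offloaded hosts. This is an added example, not configuration from the thread, from the PiBa wiki page or from the pfSense package; host names, addresses, certificate paths and the frontend/backend names are assumptions.

```haproxy
# Added example (not from the thread or the PiBa wiki): three frontends,
# one of which is reachable only over loopback. Names and addresses assumed.

global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# 1) Plain HTTP: redirect everything to HTTPS.
frontend http_redirect
    mode http
    bind *:80
    http-request redirect scheme https code 301

# 2) Public TLS entry point. mode tcp: nothing is decrypted here; only the
#    ClientHello is inspected so the SNI name can select a backend.
frontend https_sni
    mode tcp
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Hosts that keep their own certificate on the DMZ server:
    # forward the raw TLS stream untouched (what the OP calls SSL forwarding).
    use_backend passthrough_app1 if { req_ssl_sni -i app1.example.com }

    # Hosts whose certificate lives on the proxy (e.g. Let's Encrypt):
    # hand the still-encrypted stream to the local offloading frontend.
    use_backend to_offloading if { req_ssl_sni -i app2.example.com }
    use_backend to_offloading if { req_ssl_sni -i app3.example.com }

    default_backend passthrough_app1

# Passthrough backend: TLS terminates on the DMZ server itself.
backend passthrough_app1
    mode tcp
    option ssl-hello-chk
    server app1 10.10.10.11:443 check

# "Offloading" backend: its only server is the loopback frontend below.
# This is the link efishta asked about: no client ever connects to 1443
# directly; the :443 SNI frontend relays matching connections to it.
backend to_offloading
    mode tcp
    server local_offload 127.0.0.1:1443 check

# 3) TLS termination on the proxy, reachable only via loopback.
frontend https_offloading
    mode http
    bind 127.0.0.1:1443 ssl crt /etc/haproxy/certs/app2.example.com.pem crt /etc/haproxy/certs/app3.example.com.pem
    http-request set-header X-Forwarded-Proto https
    use_backend app2_http if { req.hdr(host) -i app2.example.com }
    use_backend app3_http if { req.hdr(host) -i app3.example.com }
    default_backend app2_http

# Decrypted HTTP to the DMZ servers behind the offloaded names.
backend app2_http
    mode http
    server app2 10.10.10.12:80 check

backend app3_http
    mode http
    server app3 10.10.10.13:80 check
```

Because https_offloading binds only to 127.0.0.1, a client's ClientHello for app2.example.com arrives on :443, is matched by SNI, and is relayed still encrypted over loopback to :1443, where the proxy presents its own certificate; app1.example.com never touches that frontend and keeps the certificate on its own server. In the pfSense package the same pieces are the three frontends and their backends on the wiki page; the raw file is shown only to make the relationship explicit. Validate with `haproxy -c -f haproxy.cfg` before reloading.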
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.