Haproxy - mixed SSL mode: SNI SSL offloading + SNI SSL from backend - how?



  • Hello!
    Question1:
    I'm currently running haproxy SSL in 443 port. I don't use SSL offloading. Instead of that, ACL is detecting domain names by SNI and switch backends. In the backend I forward SSL certificate from backend server. This way haproxy receives correct SSL from server and forward them to users.

    Now I decided to use letsencrypt plugins for some of servers. I wish to save SSL forwarding for some of backends, but it looks like I can use SSL forwarding or SSL offloading for all servers together only.
    I attached the pic what I mean (the ssl offloading tick is available for all input connections 0.0.0.0:443).

    How can it be ruled?

    Frontend port 443 advanced settings:

    tcp-request content accept if { req_ssl_hello_type 1 }

    Example of current backend setup with SSL forwarding from backend server.
    Advanced settings:

    mode tcp

    maximum SSL session ID length is 32 bytes.

    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
      acl serverhello rep_ssl_hello_type 2
      compression algo gzip
    compression type text/html text/plain text/css
      # use tcp content accepts to detects ssl client and server hello.
      tcp-request inspect-delay 5s
      tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
      tcp-response content accept if serverhello

    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
      stick store-response payload_lv(43,1) if serverhello

    option ssl-hello-chk
      server sni_domain_name.com local_ip:443 check

    Question 2:
    I have DMZ, LAN, WAN networks. I use DNS forwarder and all packets from LAN to DMZ are working in local network. How can I setup network so all traffic from LAN network by 80 and 443 port will go to pfsense haproxy and then forward to DMZ network backend servers? In same time if I ping DMZ servers's domain names it should return local address.

    In other words, how forward all 80 and 443 traffic through haproxy at pfsense in local network?

    Thanks for advices.


  • Banned



  • @doktornotor:

    Did you read this?

    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

    I'm on the same boat as OP.

    I adapted the instructions as best I could to my current setup, but since it's not working for me, I've a few questions regarding the documented setup in your link.

    In that configuration, there are 3 total frontends:

    http to https redirect - listening on port 80
    https/SNI passthrough - listening on port 443
    https SSL offloading - listening on port 1443

    I understand that the first front end :80 merely redirects all http requests to https.

    I also understand that for the TSL SNI requests coming through to port 443 on the second front end, they are routed to the proper HTTPS backend.

    However, I don't understand how HAProxy knows to listen for the offloaded SSL frontend (3) - (which encrypts HTTP traffic from the backend) - on port 1443 of the "localhost". There is no additional reference that I can see to this instance apart from frontend1, which is the http-to-https redirector.  How does this work? Surely I don't have to enter mydomain.com:1443 to redirect to the proper offloaded backend.

    Also, can a shared frontend work with mixed SNI/offloading ACLs?

    Thanks.



  • The backend "Frontend3-offloading" under the header "offloading backend with special check" is sending traffic to the second 1443 frontend.


Log in to reply