Netgate Discussion Forum

Haproxy - mixed SSL mode: SNI SSL offloading + SNI SSL from backend - how?

  • O
    olegfusion
    last edited by Feb 5, 2017, 9:01 AM Feb 5, 2017, 8:19 AM

    Hello!
    Question1:
    I'm currently running haproxy SSL on port 443. I don't use SSL offloading. Instead, an ACL detects domain names by SNI and switches backends. In the backend I forward the SSL certificate from the backend server. This way haproxy receives the correct SSL from the server and forwards it to users.

    Now I've decided to use the letsencrypt plugin for some of the servers. I wish to keep SSL forwarding for some of the backends, but it looks like I can only use SSL forwarding or SSL offloading for all servers together.
    I attached a pic of what I mean (the SSL offloading tick is available for all input connections on 0.0.0.0:443).

    How can this be handled?

    Frontend port 443 advanced settings:

    tcp-request content accept if { req_ssl_hello_type 1 }

    Example of the current backend setup with SSL forwarding from the backend server.
    Advanced settings:

    mode tcp

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    compression algo gzip
    compression type text/html text/plain text/css

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    option ssl-hello-chk
    server sni_domain_name.com local_ip:443 check

    Question 2:
    I have DMZ, LAN and WAN networks. I use the DNS forwarder, and all packets from LAN to DMZ stay on the local network. How can I set up the network so that all traffic from the LAN network on ports 80 and 443 goes to the pfsense haproxy and is then forwarded to the DMZ network backend servers? At the same time, if I ping the DMZ servers' domain names, they should return local addresses.

    In other words, how do I forward all port 80 and 443 traffic through haproxy on pfsense in the local network?

    Thanks for the advice.
    [Attachment: 1.PNG]

    • D
      doktornotor Banned
      last edited by Feb 5, 2017, 5:16 PM

      Did you read this?

      https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

      • E
        efishta
        last edited by Feb 25, 2017, 3:05 AM

        @doktornotor:

        Did you read this?

        https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

        I'm in the same boat as OP.

        I adapted the instructions as best I could to my current setup, but since it's not working for me, I've a few questions regarding the documented setup in your link.

        In that configuration, there are 3 total frontends:

        http to https redirect - listening on port 80
        https/SNI passthrough - listening on port 443
        https SSL offloading - listening on port 1443

        I understand that the first front end :80 merely redirects all http requests to https.

        I also understand that the TLS SNI requests coming through to port 443 on the second front end are routed to the proper HTTPS backend.

        However, I don't understand how HAProxy knows to listen for the offloaded SSL frontend (3) (which encrypts HTTP traffic from the backend) on port 1443 of the "localhost". There is no additional reference that I can see to this instance apart from frontend1, which is the http-to-https redirector. How does this work? Surely I don't have to enter mydomain.com:1443 to redirect to the proper offloaded backend.

        Also, can a shared frontend work with mixed SNI/offloading ACLs?

        Thanks.

        • P
          PiBa
          last edited by Feb 27, 2017, 6:40 PM

          The backend "Frontend3-offloading" under the header "offloading backend with special check" is sending traffic to the second 1443 frontend.

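Worked example of the layout the thread converges on (one port-443 TCP frontend that routes by SNI, a passthrough backend for servers that hold their own certificate, and a loopback hop to a separate offloading frontend on 1443). This is an added configuration written for this page, not the OP's config, the PiBa-NL wiki's config, or anything the pfSense package generates; the hostnames, the 10.0.2.x DMZ addresses, the certificate path and the frontend/backend names are all assumptions. It also shows the `send-proxy`/`accept-proxy` pair, which the passage does not mention but which is the usual way to keep the real client IP visible across the 127.0.0.1 hop, since otherwise the offloading frontend logs every request as coming from localhost.

```haproxy
# Added example, not from the thread or the wiki. Names, IPs and cert path are assumptions.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1) Plain HTTP on :80 only redirects to HTTPS.
frontend http_redirect
    bind 0.0.0.0:80
    mode http
    http-request redirect scheme https code 301

# 2) TCP-mode frontend on :443: reads the SNI from the ClientHello, decrypts nothing.
frontend https_sni
    bind 0.0.0.0:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Domain whose certificate lives on the backend server: stays encrypted end to end.
    use_backend passthrough_app1 if { req_ssl_sni -i app1.example.com }
    # Domain served with the ACME/Let's Encrypt cert on pfSense: hand it to the offloading frontend.
    use_backend to_offloading    if { req_ssl_sni -i app2.example.com }
    # Clients that send no SNI (old clients, direct-IP scanners) land here; pick deliberately.
    default_backend passthrough_app1

# Passthrough backend: raw TLS stream to a DMZ server that holds its own certificate.
backend passthrough_app1
    mode tcp
    option ssl-hello-chk
    server app1 10.0.2.11:443 check

# "Offloading backend": its only server is HAProxy's own offloading frontend on 127.0.0.1:1443.
# Nothing outside ever connects to 1443; this backend is the only reference to it.
# send-proxy / check-send-proxy carry the real client address across the loopback hop.
backend to_offloading
    mode tcp
    server local_offload 127.0.0.1:1443 send-proxy check check-send-proxy

# 3) Offloading frontend: terminates TLS with the pfSense certificate, then speaks HTTP.
#    accept-proxy matches send-proxy above; without it the bind would reject the connection.
frontend https_offloading
    bind 127.0.0.1:1443 accept-proxy ssl crt /var/etc/haproxy/app2.example.com.pem
    mode http
    http-request set-header X-Forwarded-Proto https
    use_backend app2_http if { hdr(host) -i app2.example.com }
    default_backend app2_http

# HTTP backend behind the offloading frontend (traffic is plaintext on the DMZ segment).
backend app2_http
    mode http
    server app2 10.0.2.12:80 check
```

Two checks worth running after applying something like this: `haproxy -c -f <config>` to validate the syntax, and `openssl s_client -connect <pfsense-ip>:443 -servername app1.example.com` versus `-servername app2.example.com` to confirm that the first returns the DMZ server's certificate and the second returns the certificate from the pfSense-side `crt` file. If the second one shows the DMZ certificate, the SNI ACL never matched and the request fell through to `default_backend`.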
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.