Shared frontend for two websites with one for SSL on HaProxy



  • Hello,
    I’m currently trying to set up haproxy to use a shared frontend for two websites sharing the same WAN public IP, where one site will use a letsencrypt SSL cert on port 443 which I imported from IIS 8.5 and the other site will use only standard port 80.
    I created two backends

    Backend (a) for SSL site:

    Mode=active, name=domain1, Forwardto = Address+Port, Port= 443 and SSL=yes. I also included Backend Pass thru = http-request redirect scheme https if !{ ssl_fc }.

    Backend (b) for non SSL site:

    Mode=active, name=domain2, Forwardto=Address+Port, Port=80, and SSL=no.

    I created 1 default frontend and two shared frontends.

    Frontend default:

    Listen Address=WAN static public IP, Port=80, SSL Offloading unchecked, Type= http/https (offloading) and default backend= none.

    Shared frontend for SSL Website:
    Primary Frontend= default frontend.

    ACL: name= domain1-ACL, Expression=Host matches:, Not=no, value= domain1
    ACL actions:
    Actions=backend: Backend (a) and Conditional acl names= domain1-ACL

    Shared Frontend for NON SSL Website:
    Primary Frontend= default frontend.
    ACL: name= domain2-ACL, Expression=Host matches:, Not=no, value= domain2
    ACL actions:
    Actions=backend: Backend (b) and Conditional acl names= domain2-ACL

    I tried adding another external address to the default frontend's external address table by selecting the same WAN public IP and using Port 443 with SSL Offloading checked, then in the SSL Offloading section selecting the cert.

    Unfortunately, I’m not able to get this to work. I would very much appreciate it if someone can help me configure my current setup to make this work.

    Thanks in advance



  • The description 'sounds' good..
    Can you share the haproxy.conf from bottom of settings tab?

    Does any part work? What part doesn't? How are you requesting it? What (doesn't) happen exactly?



  • Hello and thanks for your reply, much appreciated.

    The non-SSL site works, but for the SSL site I receive a 503 Service Unavailable when using the URL www.sslsite.com (where the green padlock shows), and when using the URL sslsite.com I receive "Your connection is not private". I'm using my mobile network with the Chrome browser.

    Below is the haproxy config:

    
    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-01-04 17:21
    global
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	1024
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    
    
    frontend Default-Listener-merged
    	bind			xx.xxx.xxx.xxx:80 name xx.xxx.xxx.xxx:80   
    	bind			xx.xxx.xxx.xxx:443 name xx.xxx.xxx.xxx:443 ssl  crt /var/etc/haproxy/Default-Listener.pem  
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			DS-ACL1	hdr(host) -i domain1.com
    	acl			DS-ACL	hdr(host) -i www.domain1.com
    	acl			Tech-ACL1	hdr(host) -i domain2.com
    	acl			Tech-ACL	hdr(host) -i www.domain2.com
    	use_backend DS-Backend_http_ipvANY  if  DS-ACL1 
    	use_backend DS-Backend_http_ipvANY  if  DS-ACL 
    	use_backend Tech-Backend_http_ipvANY  if  Tech-ACL1 
    	use_backend Tech-Backend_http_ipvANY  if  Tech-ACL 
    
    
    
    backend DS-Backend_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	http-request redirect scheme https if !{ ssl_fc }
    	server			DS-Website 172.16.0.7:443 ssl check inter 1000  verify none 
    
    backend Tech-Backend_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			techWebsite 172.16.0.8:80 check inter 1000
    
    


  • For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?
    If it's 'down' then check what the LastCheck column says; maybe the server returns an authentication request? Or some other error? Try changing 'OPTIONS' to 'GET' for the health-check, or add a "Host: webserver" in the request?

    As for the certificate error, probably the top domain is not included in the certificate as a valid alternative name? (With some CAs you must specifically ask for this..)

    p.s. Please just copy paste the text of the config and obfuscate where needed.. And put it inside some code tags instead of an image.
    


  • For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?

    The STAT's page shows red and down for the backend.

    The LastChk displays L6RSP "connection error during SSL Handshake" when SNI is checked in the bindings for 443 in IIS, and L7STS/404 "Layer 7 wrong status: not found" when SNI is unchecked.

    I also tried with GET instead of OPTIONS but I did not see any difference. The STAT page is something I'm not familiar with.



  • Does https://172.16.0.7/ work when requested with a browser? Or is some page/url needed behind it? If so add that to the url used for the health check.



  • Thanks again PiBa for your patience and help, much appreciated.

    Well, I got it to work externally now by modifying the bindings in IIS, changing the IP address from * to 172.16.0.7 for http and https, and also deselecting the SNI checkbox and leaving the Host Name blank for https.

    So I'm happy it's working externally but still need to work out why now internally it's pointing to the default webpage from my internal network.

    One other thing: if one was to enter mydomain.com in the browser, would I need to make a second certificate for mydomain.com so as to redirect to https://www.mydomain.com?



  • By default haproxy does not send SNI to the webserver.. Needs 1.8 to fully support those configuration options.. If you can do without for now at least wait for 1.8.3 to become available on pfSense before trying that…
    http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni
    http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-sni

    A single certificate can be valid for multiple domains, so you can make 1 certificate that's valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes, to be able to send a redirect you still need a valid cert..

    Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection the request should be handled the same..

    As for internally it should just work the same as externally.. Unless you visit it by a different hostname and have iis check for that also?
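
The setup discussed in this thread, written out by hand as an added example (it is not the poster's generated config and not pfSense output) for HAProxy 1.8, so that the health-check and SNI server options from the two replies above can be shown in one place. The public IP placeholder, backend addresses, hostnames and the certificate path are the ones posted; the backend CA file path is an assumed placeholder.

```haproxy
# Added example config for HAProxy 1.8 (not the thread's generated file).
global
    # 1024 (as in the posted config) is below HAProxy's recommended minimum;
    # the daemon logs a warning for DH parameters shorter than 2048 bits.
    tune.ssl.default-dh-param 2048

frontend Default-Listener
    bind xx.xxx.xxx.xxx:80
    bind xx.xxx.xxx.xxx:443 ssl crt /var/etc/haproxy/Default-Listener.pem
    mode http
    option forwardfor
    acl DS-host   hdr(host) -i domain1.com www.domain1.com
    acl Tech-host hdr(host) -i domain2.com www.domain2.com
    # Redirect plain-HTTP requests for the SSL site here, before a backend is
    # chosen: the 301 is answered by haproxy itself, so it does not depend on
    # the backend server being UP (the thread's 503 came from a DOWN backend).
    http-request redirect scheme https code 301 if DS-host !{ ssl_fc }
    use_backend DS-Backend   if DS-host
    use_backend Tech-Backend if Tech-host

backend DS-Backend
    mode http
    # Health check as an HTTP/1.1 request carrying a Host header, so an IIS
    # binding restricted to a hostname answers 200 instead of 404 (L7STS/404).
    option httpchk GET / HTTP/1.1\r\nHost:\ www.domain1.com
    # sni:       forward the client's Host header as the SNI on the backend TLS
    #            connection, which IIS needs when its 443 binding has SNI set.
    # check-sni: fixed SNI for the health check (avoids the L6RSP handshake error).
    # verify:    'verify none' (posted config) accepts any cert IIS presents;
    #            'verify required' pins the backend to the CA that issued its
    #            cert. The ca-file path below is an assumed placeholder.
    server DS-Website 172.16.0.7:443 ssl check inter 1000 sni req.hdr(host) check-sni www.domain1.com verify required ca-file /usr/local/share/certs/internal-ca.pem

backend Tech-Backend
    mode http
    option httpchk GET / HTTP/1.1\r\nHost:\ www.domain2.com
    server techWebsite 172.16.0.8:80 check inter 1000
```

Both `sni` and `check-sni` are the server options documented in the 1.8 manual sections linked above; with an older haproxy the `check-sni` keyword is rejected at config load, so the file should be validated with `haproxy -c -f <file>` before it is applied. Whether the server is UP, and the reason from its last check, can be read from the 'stats' page or from `show stat` on the stats socket, without guessing from a browser's 503.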



  • Thanks for the links,

    A single certificate can be valid for multiple domains, so you can make 1 certificate that's valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes, to be able to send a redirect you still need a valid cert..

    Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection the request should be handled the same..

    As for internally it should just work the same as externally.. Unless you visit it by a different hostname and have iis check for that also?

    Will look further into it.

