Shared frontend for two websites with one for SSL on HaProxy
-
Hello,
I’m currently trying to set up haproxy to use a shared frontend for two websites sharing the same WAN public IP, where one site will use a Let's Encrypt SSL cert on port 443 which I imported from IIS 8.5 and the other site will use only standard port 80.
I created two backends.
Backend (a) for SSL site:
Mode=active, name=domain1, Forwardto = Address+Port, Port= 443 and SSL=yes. I also included Backend Pass thru = http-request redirect scheme https if !{ ssl_fc }.
Backend (b) for non SSL site:
Mode=active, name=domain2, Forwardto=Address+Port, Port=80, and SSL=no.
I created 1 default frontend and two shared frontends.
Frontend default:
Listen Address=WAN static public IP, Port=80, SSL Offloading unchecked, Type= http/https (offloading) and default backend= none.
Shared frontend for SSL Website:
Primary Frontend= default frontend.
ACL: name= domain1-ACL, Expression=Host matches:, Not=no, value= domain1
ACL actions:
Actions=backend: Backend (a) and Conditional acl names= domain1-ACL
Shared Frontend for NON SSL Website:
Primary Frontend= default frontend.
ACL: name= domain2-ACL, Expression=Host matches:, Not=no, value= domain2
ACL actions:
Actions=backend: Backend (b) and Conditional acl names= domain2-ACL
I tried adding another external address to the default frontend external address table by selecting the same WAN public IP and using Port 443 and SSL Offloading checked, then in the SSL Offloading section selecting the cert.
Unfortunately, I’m not able to get this to work. I would very much appreciate it if someone can help me configure my current setup to make this work.
Thanks in advance
-
The description 'sounds' good..
Can you share the haproxy.conf from the bottom of the settings tab?
Does any part work? What part doesn't? How are you requesting it? What (doesn't) happen exactly?
-
Hello and thanks for your reply, much appreciated.
The non-SSL site works, but on the SSL site I receive a 503 Service Unavailable when using the URL www.sslsite.com (where the green padlock shows), and when using the URL sslsite.com I receive "your connection is not private". I'm using my mobile network with the Chrome browser.
Below is the haproxy config:
# Automaticaly generated, dont edit manually.
# Generated on: 2018-01-04 17:21
global
	stats socket /tmp/haproxy.socket level admin
	uid 80
	gid 80
	nbproc 1
	chroot /tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param 1024
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend Default-Listener-merged
	bind xx.xxx.xxx.xxx:80 name xx.xxx.xxx.xxx:80
	bind xx.xxx.xxx.xxx:443 name xx.xxx.xxx.xxx:443 ssl crt /var/etc/haproxy/Default-Listener.pem
	mode http
	log global
	option http-keep-alive
	timeout client 30000
	acl DS-ACL1 hdr(host) -i domain1.com
	acl DS-ACL hdr(host) -i www.domain1.com
	acl Tech-ACL1 hdr(host) -i domain2.com
	acl Tech-ACL hdr(host) -i www.domain2.com
	use_backend DS-Backend_http_ipvANY if DS-ACL1
	use_backend DS-Backend_http_ipvANY if DS-ACL
	use_backend Tech-Backend_http_ipvANY if Tech-ACL1
	use_backend Tech-Backend_http_ipvANY if Tech-ACL

backend DS-Backend_http_ipvANY
	mode http
	log global
	timeout connect 30000
	timeout server 30000
	retries 3
	option httpchk OPTIONS /
	http-request redirect scheme https if !{ ssl_fc }
	server DS-Website 172.16.0.7:443 ssl check inter 1000 verify none

backend Tech-Backend_http_ipvANY
	mode http
	log global
	timeout connect 30000
	timeout server 30000
	retries 3
	option httpchk OPTIONS /
	server techWebsite 172.16.0.8:80 check inter 1000
-
For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?
If it's 'down' then check what the LastChk column says; maybe the server returns an authentication request? Or some other error? Try changing 'OPTIONS' to 'GET' for the health check, or add a "Host: webserver" in the request?
As for the certificate error, probably the top domain is not included in the certificate as a valid alternative name? (With some CAs you must specifically ask for this..)
p.s. Please just copy and paste the text of the config and obfuscate where needed.. And put it inside some code tags instead of an image.
-
For the 503 error, if you look at the 'stats' page does the SSL DS-Website server show in 'green'?
The STATS page shows red and down for the backend.
The LastChk displays L6RSP "connection error during SSL Handshake" when SNI is checked in the bindings for 443 in IIS, and L7STS/404 "Layer 7 wrong status: not found" when SNI is unchecked.
I also tried with GET instead of OPTIONS but I did not see any difference. The STATS page is something I'm not familiar with.
-
Does https://172.16.0.7/ work when requested with a browser? Or is some page/url needed behind it? If so add that to the url used for the health check.
-
Thanks again PiBa for your patience and help, much appreciated.
Well, I got it to work externally now by modifying the bindings in IIS: changing the IP address from * to 172.16.0.7 for http and https, and also deselecting the SNI checkbox and leaving the Host Name blank for https.
So I'm happy it's working externally, but I still need to work out why internally it's now pointing to the default webpage from my internal network.
One other thing: if one was to enter mydomain.com in the browser, would I need to make a second certificate for mydomain.com so as to redirect to https://www.mydomain.com?
-
By default haproxy does not send SNI to the webserver.. Needs 1.8 to fully support those configuration options.. If you can do without for now, at least wait for 1.8.3 to become available on pfSense before trying that…
http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-check-sni
http://cbonte.github.io/haproxy-dconv/1.8/snapshot/configuration.html#5.2-sni
A single certificate can be valid for multiple domains, so you can make 1 certificate that's valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes, to be able to send a redirect you still need a valid cert..
Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection, the request should be handled the same..
As for internally, it should just work the same as externally.. Unless you visit it by a different hostname and have IIS check for that also?
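For reference, here is an added example of a hand-written haproxy.cfg for the two-site layout shown in the generated config dump earlier in the thread, using the HAProxy 1.8 options linked in this reply. It is not the pfSense-generated config and not anything either poster wrote. It assumes HAProxy 1.8.x (for the `sni` and `check-sni` server keywords), keeps the placeholder addresses and domain names from the thread, and assumes the poster's preference of sending the apex name on to www:

```haproxy
# Added example, not the pfSense-generated config from the thread.
# Assumes HAProxy 1.8.x; addresses and domains are the thread's placeholders.
global
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 30s
    timeout client  30s
    timeout server  30s

frontend public
    bind xx.xxx.xxx.xxx:80
    # The PEM must list both www.domain1.com and domain1.com as
    # Subject Alternative Names, otherwise the apex name fails the
    # browser check before any redirect can be sent.
    bind xx.xxx.xxx.xxx:443 ssl crt /var/etc/haproxy/Default-Listener.pem

    acl host_domain1 hdr(host) -i domain1.com www.domain1.com
    acl host_domain2 hdr(host) -i domain2.com www.domain2.com

    # Redirect plain HTTP in the frontend, so requests for the SSL site
    # never reach the backend unencrypted.
    http-request redirect scheme https code 301 if host_domain1 !{ ssl_fc }
    # Assumed preference: collapse the apex name onto www once on HTTPS.
    http-request redirect prefix https://www.domain1.com code 301 if { hdr(host) -i domain1.com } { ssl_fc }

    use_backend DS-Backend   if host_domain1
    use_backend Tech-Backend if host_domain2

backend DS-Backend
    # IIS with "Require SNI" ticked needs a server name in the handshake.
    # 'sni' forwards the client's Host header and 'check-sni' gives the
    # health check a name too, which is the 1.8 answer to the L6RSP
    # "connection error during SSL Handshake" seen on the stats page.
    # A Host header in the check avoids the L7STS/404 from a catch-all site.
    option httpchk GET / HTTP/1.1\r\nHost:\ www.domain1.com
    # 'verify none' mirrors the thread's config; pointing 'verify required'
    # at the backend's CA is the stricter choice when that CA is available.
    server DS-Website 172.16.0.7:443 ssl verify none sni req.hdr(host) check check-sni www.domain1.com inter 1000

backend Tech-Backend
    option httpchk GET / HTTP/1.1\r\nHost:\ www.domain2.com
    server techWebsite 172.16.0.8:80 check inter 1000
```

Run `haproxy -c -f haproxy.cfg` to validate the file before reloading; on 1.7 the `sni` and `check-sni` keywords will be rejected, which is the version constraint this reply describes.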
-
Thanks for the links,
A single certificate can be valid for multiple domains, so you can make 1 certificate that's valid for both www.domain.com and domain.com as a 'Subject Alternative Name'. And yes, to be able to send a redirect you still need a valid cert..
Having IIS bound to * should also work imho.. as long as it accepts haproxy's connection, the request should be handled the same..
As for internally, it should just work the same as externally.. Unless you visit it by a different hostname and have IIS check for that also?
Will look further into it.