HAProxy - Reverse proxy ssl error after config reload



  • Good Day!

    I have had a working pfSense firewall for a few years, with no issues.

    • I started having trouble with the hard drives (some old 5400 RPM laptop drives),
      so last weekend I backed up my configuration,
      installed some 10K RPM drives and reinstalled pfSense.
      Reloaded the configuration and everything came back to life, except the HAProxy.
    • Until this point the HAProxy was working great as a reverse proxy for several back-ends ....

    All other modules work and are configured as before. Even the HAProxy settings are exactly as they were before the reinstall.

    The HAProxy application is on, but I get an SSL ERROR when trying to connect.

    • Secure connection cannot be established - ERR_SSL_Protocol_ERROR

    So far nothing I have done has resolved the error.

    • different ssl certificate
    • uninstall & reinstall HAProxy
    • tried to reload config

    I can't seem to find a solution. Looking at the config file, everything looks correct......

    Any suggestions as to what may be causing the problem?

    Also, when I remove and reinstall the HAProxy module, the configuration is not erased ..... How do I remove the configuration so that I can rebuild from scratch, or just manually reload the saved configuration?

    Thank you for the help!!



  • @vshaulsk
    As part of the re-installation you also got a new haproxy package version.. Please check you're using the latest version at this moment.. last week's version had a few (more) issues.. than the current one..

    Also double-check your backend server settings, there are now 2 ssl checkboxes.. one for encrypting the healthcheck, one for the actual traffic.. but if you're using ssl/https mode with sni, you might not want to encrypt the traffic again in the backend.

    If this doesn't help, can you post your haproxy.cfg from the bottom of the settings tab?



  • @piba

    None of the backends use SSL .... only the front end

    Here is my config:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-08-03 10:16

    global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    # Modern browser compatibility only as mentioned here:
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    tune.ssl.default-dh-param 2048

    # Time-to-first-Byte (TTFB) value needs to be optimized based on
    # the actual public certificate chain see
    # https://www.igvita.com/2013/10/24
    # /optimizing-tls-record-size-and-buffering-latency/
    tune.ssl.maxrecord 1370
    

    listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend wanhttp
    bind 134.228.159.239:80 name 134.228.159.239:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    default_backend sslredirect_ipvANY

    frontend wanhttps-merged
    bind 127.0.0.1:2043 name 127.0.0.1:2043 no-sslv3 ssl crt /var/etc/haproxy/wanhttps.pem crt /var/etc/haproxy/wanhttps crt-list /var/etc/haproxy/wanhttps.crt_list accept-proxy npn http/1.1
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 7200000
    # Remove headers that expose security-sensitive information.
    rspidel ^Server:.*$
    rspidel ^X-Powered-By:.*$
    rspidel ^X-AspNet-Version:.*$

    # add some security related headers
    rspadd Content-Security-Policy:\ default-src\ https:\ data:\ \'unsafe-inline\'\ \'unsafe-eval\'
    rspadd X-Frame-Options:\ SAMEORIGIN
    rspadd X-Content-Type-Options:\ nosniff
    rspadd X-Xss-Protection:\ 1;\ mode=block
    acl			aclcrt_wanhttps	var(txn.txnhost) -m reg -i ^shaulskiy\.com(:([0-9]){1,5})?$
    acl			shaulskiy.com	var(txn.txnhost) -m str -i shaulskiy.com
    acl			www.shaulskiy.com	var(txn.txnhost) -m str -i www.shaulskiy.com
    acl			vmusic	var(txn.txnhost) -m str -i vmusic.shaulskiy.com
    acl			plexrequests	var(txn.txnhost) -m str -i plex-requests.shaulskiy.com
    acl			email	var(txn.txnhost) -m str -i mail.shaulskiy.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend shaulskiy_ipvANY  if  shaulskiy.com 
    use_backend shaulskiy_ipvANY  if  www.shaulskiy.com 
    use_backend vmusic_ipvANY  if  vmusic 
    use_backend plexrequests_ipvANY  if  plexrequests 
    use_backend email_ipvANY  if  email 
    use_backend none_ipvANY  if   aclcrt_wanhttps
    default_backend none_ipvANY
    default_backend none_ipvANY
    default_backend none_ipvANY
    default_backend none_ipvANY
    

    frontend wanexternal-merged
    bind 134.228.159.239:443 name 134.228.159.239:443
    mode tcp
    log global
    timeout client 7200000
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
    acl acl req.ssl_hello_type 1
    default_backend none_ssl_ipvANY
    default_backend wanhttps_ipvANY

    backend sslredirect_ipvANY
    mode http
    id 107
    log global
    http-response set-header Strict-Transport-Security max-age=31536000;
    rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
    timeout connect 30000
    timeout server 30000
    retries 3
    redirect scheme https code 301

    backend none_ipvANY
    mode http
    id 104
    log global
    http-response set-header Strict-Transport-Security max-age=31536000;
    rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
    timeout connect 30000
    timeout server 30000
    retries 3
    server none 127.0.0.1:80 id 100 disabled

    backend shaulskiy_ipvANY
    mode http
    id 111
    log global
    http-response set-header Strict-Transport-Security max-age=31536000;
    rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server shaulskiy 192.168.100.50:80 id 112 check inter 1000

    backend vmusic_ipvANY
    mode http
    id 102
    log global
    http-response set-header Strict-Transport-Security max-age=31536000;
    rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server vmusic 192.168.1.31:4040 id 103 check inter 1000

    backend plexrequests_ipvANY
    mode http
    id 113
    log global
    http-response set-header Strict-Transport-Security max-age=31536000;
    rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server plexrequests 192.168.1.31:3579 id 114 check inter 1000

    backend email_ipvANY
    mode http
    id 115
    log global
    http-response set-header Strict-Transport-Security max-age=31536000;
    rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server email 192.168.100.6:443 id 116 ssl check inter 1000 verify none

    backend none_ssl_ipvANY
    mode tcp
    id 105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server none 127.0.0.1:80 id 106 disabled

    backend wanhttps_ipvANY
    mode tcp
    id 109
    log global
    timeout connect 30000
    timeout server 7200000
    retries 3
    server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy



  • @vshaulsk said in HAProxy - Reverse proxy ssl error after config reload:

    server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy

    Looks like that does have an SSL checkbox set? Where perhaps it should not be?
    If it's on the 'encrypt ssl', change that to the 'ssl check' box perhaps?



  • @vshaulsk
    Also, this frontend has 2 defaults, but no way to determine which backend it should actually take..
    You will need to add ACLs and use_backend actions there..

    frontend wanexternal-merged
    	default_backend none_ssl_ipvANY
    	default_backend wanhttps_ipvANY
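    Both points raised in these two replies (two default_backend lines in one frontend, and 'ssl' on the wanhttps server that already feeds a TLS-terminating bind) can be caught by a small config check. The following is an added example, not code from the thread or from the pfSense haproxy package; its sample config mirrors the thread's layout, with a placeholder WAN address and certificate path in place of the poster's values.

```python
"""Lint an haproxy.cfg for the two points raised above (added example, not
code from the thread or the pfSense package): a section with more than one
default_backend, and a TCP-mode server that adds 'ssl' towards a local bind
already terminating TLS, which wraps the client's own handshake a second time."""
import re
SECTION_RE = re.compile(r"^(frontend|backend|listen|defaults|global)(?:\s+(\S+))?$")
# Constructed sample mirroring the thread's layout; 203.0.113.10 and the
# certificate path are placeholders, not the poster's values.
SAMPLE_CFG = """frontend wanhttps-merged
    bind 127.0.0.1:2043 name local no-sslv3 ssl crt /path/to/example.pem accept-proxy
    mode http
    default_backend none_ipvANY
frontend wanexternal-merged
    bind 203.0.113.10:443 name wan
    mode tcp
    default_backend none_ssl_ipvANY
    default_backend wanhttps_ipvANY
backend wanhttps_ipvANY
    mode tcp
    server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy
"""

def parse_sections(cfg):
    """Map 'frontend NAME' / 'backend NAME' to its stripped keyword lines."""
    sections, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(g for g in m.groups() if g)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def duplicate_defaults(sections):
    """Sections where HAProxy cannot know which default_backend is meant."""
    return sorted(name for name, lines in sections.items()
                  if sum(l.startswith("default_backend ") for l in lines) > 1)

def double_tls(sections):
    """(section, server) pairs re-encrypting a TCP passthrough to a TLS bind."""
    tls_binds = {l.split()[1] for lines in sections.values() for l in lines
                 if l.startswith("bind ") and {"ssl", "crt"} <= set(l.split())}
    hits = []
    for name, lines in sections.items():
        for t in map(str.split, lines if "mode tcp" in lines else ()):
            if t[0] == "server" and t[2] in tls_binds and "ssl" in t[3:]:
                hits.append((name, t[1]))
    return hits
```

    Run against the sample, both checks fire; dropping 'ssl' from the wanhttps server line clears the second one, which matches the fix the thread arrives at.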
    


  • @piba

    You were correct, I had to change the SSL checkbox for the wanhttps

    Now everything is working and I am back to the SSL Labs A+ rating (if that is worth anything)