HAProxy SSL Backend Down (L6TOUT)
    Hi guys,

    I've recently set up haproxy to reverse proxy and add a certificate in front of 3 web services running on a single device (one IP address).

    2 of these run SSL by default and 1 doesn't.

    So I managed to get one of the SSL ones (OpenHAB) running OK and presenting its own cert on the frontend. But the other one, Unifi Controller, doesn't work with the same config. I get L6TOUT, which I understand is TLS related.
    The last one, running plain HTTP, also works without any issues.

    All backends work perfectly if I go directly.

    This is the config from pfSense:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2019-05-22 07:53
    global
    	maxconn			100
    	stats socket /tmp/haproxy.socket level admin 
    	uid			80
    	gid			80
    	nbproc			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    	log-send-hostname		cucaproxy
    	server-state-file /tmp/haproxy_server_state
    	# set default parameters to the modern configuration
    	# using mozilla config generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
    	ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    	ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    	
    	# Time-to-first-Byte (TTFB) value needs to be optimized based on
    	# the actual public certificate chain see
    	# https://www.igvita.com/2013/10/24
    	# /optimizing-tls-record-size-and-buffering-latency/
    	tune.ssl.maxrecord 1370
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend shared-frontend-merged
    	bind			172.17.17.1:443 name 172.17.17.1:443   ssl crt-list /var/etc/haproxy/shared-frontend.crt_list  
    	mode			http
    	log			global
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		30000
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomain\.com\.ar(:([0-9]){1,5})?$
    	acl			OHAB	var(txn.txnhost) -m str -i ohab.mydomain.com.ar
    	acl			aclcrt_OpenHAB-Frontend	var(txn.txnhost) -m reg -i ^ohab\.mydomain\.com\.ar(:([0-9]){1,5})?$
    	acl			homeassistant	var(txn.txnhost) -m str -i homeassistant.mydomain.com.ar
    	acl			aclcrt_HomeAssistant-Frontend	var(txn.txnhost) -m reg -i ^homeassistant\.mydomain\.com\.ar(:([0-9]){1,5})?$
    	acl			unifi	var(txn.txnhost) -m str -i unifi.mydomain.com.ar 
    	acl			aclcrt_Unifi	var(txn.txnhost) -m reg -i ^unifi\.mydomain\.com\.ar(:([0-9]){1,5})?$
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend OpenHAB_ipvANY  if  OHAB aclcrt_OpenHAB-Frontend
    	use_backend HomeAssistant_ipvANY  if  homeassistant aclcrt_HomeAssistant-Frontend
    	use_backend Unifi-Controller_ipvANY  if  unifi aclcrt_Unifi
    
    frontend http-to-https
    	bind			172.17.17.1:80 name 172.17.17.1:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	http-request redirect scheme https 
    
    backend OpenHAB_ipvANY
    	mode			http
    	id			100
    	log			global
    	http-response set-header Strict-Transport-Security max-age=1;
    	timeout connect		30000
    	timeout server		7200000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			openhab 172.17.17.10:9001 id 101 ssl check inter 1000  verify none 
    
    backend HomeAssistant_ipvANY
    	mode			http
    	id			103
    	log			global
    	http-response set-header Strict-Transport-Security max-age=1;
    	timeout connect		30000
    	timeout server		7200000
    	retries			3
    	option			httpchk GET / 
    	server			homeassistant 172.17.17.10:8123 id 101 check inter 1000  
    
    backend Unifi-Controller_ipvANY
    	mode			http
    	id			102
    	log			global
    	http-response set-header Strict-Transport-Security max-age=1;
    	timeout connect		30000
    	timeout server		7200000
    	retries			2
    	option			httpchk HEAD / 
    	server			unifi 172.17.17.10:8443 id 101 ssl check inter 1000  verify none
    

    This is the output when going direct:

    $ openssl s_client -connect 172.17.17.10:8443
    CONNECTED(00000005)
    depth=0 CN = unifi
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = unifi
    verify return:1
    ---
    Certificate chain
     0 s:CN = unifi
       i:CN = unifi
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEvzCCAqegAwIBAgIERbK8LjANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDEwV1
    bmlmaTAeFw0xOTA1MTgwMzIyNThaFw0yNDA1MTYwMzIyNThaMBAxDjAMBgNVBAMT
    BXVuaWZpMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmYBwLQtmbCCu
    5xvdkXg8AkRaR386l6L5ikbMUurBW8Ewyeni03nJGIiZVO0k8YR4qJUa0A0rApL9
    JVTSYXmeuHQZNUKAtQSy3SXOTpgsdKOfh/NePP8yNzP4wQzSctF++PvuDb2kwFJN
    ++s4xzrfyU3LuRX7IEl6JXZj06mZV6Jmm67wU1Sbe9YflvUfjazUnUWLnTjPu4og
    hDrYrr5z1OuqPbf6ixgR8qLceX42UZkPFO/tXBCboQLhvTSTqeTxtw/LauWCNt/m
    pWJny3tXj3PIT/udu6To26riEK+kOr7vmjgPlBKdDKkMBb9kp/JvS/vegYSfmiT6
    WVbf+N/SJMhiwmeigE3PYJESPN1Rp5wD9MnebG0NPiQG1QD0M1EexaVUJSZBKWqk
    rHAQSKK9Q7WVdB/6a034MmwsXFYtb99gMQSd0Ncn3zrLjJTunNLm0Y/5Ra5Bumw9
    HKbGlwsGj6BCUoMWgbo+63VXhwDX5JhzwZVaXbWTooreCUHvw5mpzxGV9P8b5Vv+
    /FPBGfucYMRr72+SIopKN6MGdrJqjDc3SgWh+8sMO6w4e4T8JTGf9QEeeoGvCsy7
    JQYXi2mZ4U4SwTqv2WSgmgtDhwzF6Q1mhqPiVsaIiWGO8ozED87LomBLtfDax88b
    3+dP23iu56fblO0wfbN16+Uz5s7hhsECAwEAAaMhMB8wHQYDVR0OBBYEFNiZe95z
    gcB/aKhP8eG2zPIklt2RMA0GCSqGSIb3DQEBCwUAA4ICAQCMqIbahxe/QFUsv3R5
    m9j0qKC+reJZbgTxjEcxlz4Cu8HcdZtlJIKPhj+ZgTrr+hhZCV3W23/byvrq3dJe
    F7pdR7wv7Q1ZaBW1k1yveG4qMfFTH+hrZGspAqoZH7LR7rFHgiYRz4eInoUPoYgj
    Okz1aMUNs81P2m5SWddZoomEmJc5A76q3e+GLgzdnDjL7FXCfJeNbrGpJt06XZIg
    RnSiWkeKLxWGoF2F97f+2WqEU7GMspr6/2jVAPAkCR9Z20P1cEb2raEoM7K135Th
    FWXlIXYRZCiURRRVPO3RAzd1rk+Lit/m5P6YMADakkW97wFXe1vvgapGXljPIr8D
    z9Da6ad89STgG8wMphgBPKAZlqie2CWP5kRLejMSl4Z8Em5yG3FHMEcFdKPMuedK
    poyglInubzxAXLd4+AtphFDQjFh8PeZ2/NzVF6mtEpTHZLsTUevk9hsXh4vKpK2g
    B5rdYbXi2Qlup8EPfY4IY4DvCDFs4FpeO5fDhmcUJVkGhhOjPcNDuQM++7LEg7EZ
    VLsiU0oUVY1P6wW2z6nnb5pxXQphLM4AeeqdeUjupBuPG0J1VEiC7ywHSxDDtCmi
    hyO8BYEy8H1/wgOS4ubRBhEb2ILxQB5dn8UjsVCWjfHvPauKBfKJyEer9lmpW0GE
    ZCvjnpE4SyDBXgXdgop7a3YStw==
    -----END CERTIFICATE-----
    subject=CN = unifi
    
    issuer=CN = unifi
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1963 bytes and written 440 bytes
    Verification error: self signed certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 5CE455FD452CFEB4BBF84E2AF5D0488404E6EAEFE362D90A954448ABACA274AB
        Session-ID-ctx: 
        Master-Key: 7C9E178E32A1A48CFF55018AF8C7FD924D8E9788201615216B532FB5242B43CB96E29C0D0E1807BE89C1CD75F3CE06F4
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1558468093
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: yes
    ---
    Any ideas what I might be doing wrong? I'm pretty new to haproxy. None of these are internet accessible; they are entirely internal.

    Thanks,
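Added illustration for this thread (not part of the original post, and not pfSense or HAProxy code): HAProxy's check status prefixes name the layer at which a health check failed, so L6TOUT means the TLS handshake with the backend did not complete within the check's time budget. Per the HAProxy documentation for `timeout check`, when that directive is not set the entire check (TCP connect, TLS handshake and HTTP request/response) has to fit inside `inter`; in the config above the unifi server line uses `inter 1000` with no `timeout check`, so its whole check has 1000 ms. The Python script below reproduces that budget calculation and probes a TLS port the way a check would, labelling the outcome with the same L4/L6 statuses HAProxy reports. The silent local listener it starts is a constructed stand-in for a backend that accepts TCP but never answers the ClientHello; the host, port and budget numbers in the `__main__` section are assumptions taken from the posted config.

```python
"""Probe a TLS backend roughly the way an HAProxy health check does and
classify the outcome with HAProxy's own L4/L6 status labels.

Added example for this thread; not part of the original post.
"""
import socket
import ssl
import threading
import time


def check_budget_ms(inter_ms, timeout_connect_ms, timeout_check_ms=None):
    """Time budget of one health check, following the HAProxy docs for
    'timeout check': when it is unset, the whole check (connect + handshake +
    response) must complete within 'inter'; when it is set, the connect phase
    gets min('timeout connect', 'inter') and the rest gets 'timeout check'."""
    if timeout_check_ms is None:
        return {"connect_ms": inter_ms, "total_ms": inter_ms}
    connect = min(timeout_connect_ms, inter_ms)
    return {"connect_ms": connect, "total_ms": connect + timeout_check_ms}


def probe_tls(host, port, budget_s, server_name=None):
    """Open a TCP connection and finish a TLS handshake within budget_s.

    Returns an HAProxy-style status: L4CON (refused/unreachable), L4TOUT
    (connect timed out), L6TOUT (handshake timed out), L6RSP (handshake
    rejected), or L6OK. Certificate verification is disabled, matching
    'verify none' on the server lines in the posted config."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    deadline = time.monotonic() + budget_s
    try:
        raw = socket.create_connection((host, port), timeout=budget_s)
    except socket.timeout:
        return "L4TOUT"
    except OSError:
        return "L4CON"
    # Whatever the connect phase left over is all the handshake may use.
    raw.settimeout(max(deadline - time.monotonic(), 0.001))
    try:
        tls = ctx.wrap_socket(raw, server_hostname=server_name)
    except socket.timeout:
        raw.close()
        return "L6TOUT"
    except OSError:  # ssl.SSLError, ConnectionResetError, ...
        raw.close()
        return "L6RSP"
    tls.close()
    return "L6OK"


def free_port():
    """Pick a loopback port with nothing listening on it (test helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def silent_listener():
    """Constructed stand-in for a backend that accepts TCP connections but
    never answers the ClientHello. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []

    def run():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)  # keep it open, send nothing back
            except socket.timeout:
                continue
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    # Budget of the unifi server line above: inter 1000, timeout connect 30000,
    # no 'timeout check' -> the entire check must finish within 1000 ms.
    print(check_budget_ms(1000, 30000))
    port, stop = silent_listener()
    print(probe_tls("127.0.0.1", port, 0.5))  # TCP accepted, no handshake
    stop()
    print(probe_tls("127.0.0.1", free_port(), 0.5))  # nothing listening
    # Against the real backend with the budget its check line gets (assumed
    # host/port from the posted config): probe_tls("172.17.17.10", 8443, 1.0)
```

Running `probe_tls` against the backend with the same budget the check receives shows whether the handshake alone, measured from the HAProxy host, fits inside `inter`; the `openssl s_client` output above confirms the backend completes a handshake, but not how long it takes under the check's 1 s limit.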
