Problem using HAProxy to service 2 distinct SSL domains
-
Our situation is we have 2 domains, accra.ca and filopto.com, both with multiple frontends and backends, and both using HTTP and HTTPS web sites. We wish to have pfSense/Acme service the SSL certificate for some of the sites.
Setting up the first domain accra.ca with all its different hosts and backends, using a combination of HTTP and HTTPS (both with direct SSL on the backend server and Let's Encrypt offloading for some hosts), works perfectly.
Then we tried to add a second domain filopto.com and achieve the same thing. The HTTP sites, and the sites using SSL on the backend server, work properly. However, we cannot seem to get the offloading of the SSL on pfSense to be recognized or serviced by HAProxy. For example, we have help10.filopto.com that works in HTTP mode, but in HTTPS mode the browser says the connection is not private. The SSL should be serviced by offloading the SSL connection to pfSense.
We are looking for assistance/guidance, or is there some site that explains how to set this up properly using pfSense and HAProxy?
Here is part of the configuration file generated by pfSense HAProxy (the ... are just other site/server entries removed for simplicity):
frontend HTTPS-OffLoading3-Accra-merged
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt-list /var/etc/haproxy/HTTPS-OffLoading3-Accra.crt_list
    mode http
    log global
    option log-separate-errors
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    errorfile 503 /var/etc/haproxy/errorfile_HTTPS-OffLoading3-Accra_503_MaintOffL
    acl remotehelp_acl var(txn.txnhost) -m str -i remotehelp.accra.ca
    ...
    acl aclcrt_HTTPS-OffLoading3-Accra var(txn.txnhost) -m reg -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
    ...
    acl help10filopto_acl var(txn.txnhost) -m str -i help10.filopto.com
    ...
    acl aclcrt_Https-offloading4-Filopto var(txn.txnhost) -m reg -i ^help10.filopto.com(:([0-9]){1,5})?$
    ...
    http-request set-var(txn.txnhost) hdr(host)
    use_backend RemoteHelp25_ipvANY if remotehelp_acl aclcrt_HTTPS-OffLoading3-Accra
    ...
    use_backend WebServer214_ipvANY if help10filopto_acl aclcrt_Https-offloading4-Filopto
    ...
    use_backend WebServer214_ipvANY if aclcrt_HTTPS-OffLoading3-Accra
Thanks
-
@cjbujold
Not sure what the issue is; from the config given it seems okay, but without some deeper understanding there is little to conclude... I can SSL-offload your help10 website without issues using a domain/cert of my own. At least the main page; haven't tried to 'use' it much further. The frontend above listens on 1443, so what other config is in place to make things work? And regarding the 'unsafe' connection, what does the security tab of the browser say for 'why' it is deemed unsafe?
-
Here is the message we receive:
https://help10.filopto.com/
Secure Connection Failed
An error occurred during a connection to help10.filopto.com. PR_END_OF_FILE_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Thanks
cjb
-
@cjbujold
What is listening on :443? And how is that configured?
-
@piba Port 443 rule: sent to HAProxy. I think that was set up automatically by HAProxy.
-
@cjbujold
The HAProxy package does not automatically create regular firewall/NAT rules. Also, HAProxy is not listening on :443, at least not in the part of the config you have shown. So are you NAT-ing directly from outside :443 to HAProxy 1443? Or is 'something' configured in a HAProxy frontend to listen on :443, in which case the question still is, how is that configured?
-
frontend SecureServers-SNI-2
    bind :443
    mode tcp
    ...
    acl filopto_acl req.ssl_sni -m end -i filopto.com
    use_backend ssl14backend_ipvANY if filopto_acl
    default_backend frontend3-offloading-redirect-2_ipvANY
It looks like you are sending 'all' HTTPS traffic for the domain filopto.com to the backend 'ssl14backend' "192.168.120.214:443" without the certificates being handled by HAProxy. So it seems that that specific host does not know how to reply to these requests.
I'm not entirely sure what your intended traffic flow is there, but I guess removing that use_backend action, and just letting it flow to the offloading backend>frontend, would probably make things work a little better.
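The two-layer layout the thread converges on, written out as an added example rather than config taken from either poster or generated by pfSense: a TCP frontend on :443 routes by SNI, passing raw TLS through only for hosts whose backend terminates TLS itself, and letting every other name fall through to the loopback offloading frontend that holds the ACME certificates. The host `direct-tls.filopto.com`, the port 80 on the offloaded web server, and the `crt-list` path are assumptions for illustration; `192.168.120.214:443`, `help10.filopto.com` and the backend names come from the thread. Note the SNI match is on a specific host with `-m str`, not `-m end -i filopto.com`, since a domain-suffix match captures the offloaded hosts as well and sends their TLS to a server that has no certificate for them, which is what produced the `PR_END_OF_FILE_ERROR` above.

```haproxy
# Layer 1: SNI routing on the public port. No TLS is terminated here.
frontend SecureServers-SNI
    bind :443
    mode tcp
    # Hold the connection until the ClientHello has arrived, otherwise
    # req.ssl_sni is empty and every connection takes the default route.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Only hosts whose backend server terminates TLS itself are passed
    # through untouched. Exact host match, not a domain-suffix match.
    # (direct-tls.filopto.com is a constructed example name.)
    acl direct_tls_sni req.ssl_sni -m str -i direct-tls.filopto.com
    use_backend ssl14backend_ipvANY if direct_tls_sni

    # Everything else (help10.filopto.com, the accra.ca hosts, ...) goes to
    # the local offloading frontend, which presents the ACME certificates.
    default_backend frontend3-offloading-redirect-2_ipvANY

# Loopback hop into the offloading frontend below.
backend frontend3-offloading-redirect-2_ipvANY
    mode tcp
    server offload 127.0.0.1:1443

# Backend-side TLS: TCP pass-through straight to the server's own :443.
backend ssl14backend_ipvANY
    mode tcp
    server srv214 192.168.120.214:443 check

# Layer 2: TLS termination with the ACME certificates, then HTTP routing.
# The crt-list path is a placeholder; pfSense generates the real one.
frontend HTTPS-OffLoading-merged
    bind 127.0.0.1:1443 ssl crt-list /var/etc/haproxy/EXAMPLE.crt_list
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-var(txn.txnhost) hdr(host)
    acl help10filopto_acl var(txn.txnhost) -m str -i help10.filopto.com
    use_backend WebServer214_ipvANY if help10filopto_acl

# Plain HTTP to the offloaded web server (port 80 is an assumption).
backend WebServer214_ipvANY
    mode http
    server web214 192.168.120.214:80 check
```

A quick way to confirm which layer answers for a given name is to compare the certificate returned for `help10.filopto.com` with the one returned for the pass-through host: the first should be the ACME certificate held by HAProxy, the second the backend server's own certificate. If a name that is meant to be offloaded returns the backend's certificate, or the connection is closed during the handshake, the SNI rule in layer 1 is still catching it.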
-
Thank you, you are correct: the error was this incorrect entry, and it was causing all the other issues.
Fixed it and everything is now working as it should.
Thank you for your time and patience
cjb