HAProxy and SSL Passthrough
-
Hello all,
I've been trying to get HAProxy with SSL passthrough working for the last few days now, and it doesn't seem to matter what combination of settings I use; I'm unable to get it to function. This is what I'm trying to achieve. I have one IIS server with ports 80 and 443 open. Websites are working fine via IIS bindings. I'm currently trying to set up 2 additional app servers that also need 80 and 443 open, hence a conflict in ports. So I'm trying to implement HAProxy on my pfSense but only have it in SSL passthrough mode, as SSL certs will be handled locally on each host. I also don't want to have the certs on HAProxy. I want to just pass the SSL traffic through HAProxy and let each host manage its own SSL certs.
Here is my current setup. (The blue blurred-out marks are the domain being redacted.)
Backend: since we are doing SSL passthrough, no encrypt or SSL checks should be on, from my understanding. I've tried playing with them on and off and it makes no difference.
Frontend: type is changed from HTTPS to TCP, which is required for SSL passthrough from my understanding. I've tried using HTTPS, TCP and TCP mode. The most success I've had was with TCP, but I still receive a 503 error and it's unable to connect to "host"; it doesn't seem to be passing through to the SSL cert.
I then changed the local firewall policy to remove 80 and 443 from 10.10.10.3 (web server) to the local firewall instead, i.e. made a new HAProxy policy and disabled the old policy, and receive a 503 error. The page shows the connection is not reaching the host server.
I made sure my local firewall wasn't using 80 or 443 for the firewall GUI. I tried playing with rules and changing types from SSL/HTTPS (TCP mode) to just TCP. I tried changing backend settings to allow and not allow SSL offloading, and with or without encryption enabled. No matter what settings I use, I cannot get the traffic to route through HAProxy, but it works if I switch the rules back to forward 80 and 443 directly to the web server host 10.10.10.3; that's not going through HAProxy, though.
Anyone have any ideas on what else I can check to resolve this issue? I'm completely out of ideas.
-
@androbourne Try changing your ACL expression to "host starts with" and make the value the FQDN of your domain.
-
@crowfather That is not a valid option when in TCP or TCP mode...
That option is only available in HTTP mode, not TCP mode. And you can't do SSL passthrough in HTTP mode...
TCP
And TCP mode
I've tried using "Traffic is HTTP" and "Traffic is SSL", and also tried TCP mode with the expression in the original post.
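For reference, the two posts above describe the core of the problem: "host starts with" is an HTTP-mode ACL on the Host header, which HAProxy cannot see inside a TLS stream it is not terminating. In TCP mode the equivalent is an ACL on the SNI name in the TLS ClientHello, which is sent in the clear before any encryption starts. The following haproxy.cfg is an added example (not the original poster's configuration and not generated by the pfSense HAProxy package) showing a port 443 passthrough frontend that routes on SNI and a plain port 80 frontend that routes on the Host header. The hostnames and the two app-server addresses (10.10.10.4, 10.10.10.5) are constructed placeholders; 10.10.10.3 is the IIS host named in the thread.

```haproxy
# Added example, not from the thread: TLS passthrough with SNI-based routing.
# Hostnames and the app-server addresses are constructed placeholders.

global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 443: TCP-mode frontend. No "bind ... ssl" and no certificate here;
# HAProxy only reads the unencrypted ClientHello to learn the SNI name.
frontend https_passthrough
    bind *:443
    mode tcp
    # Hold the connection until the TLS ClientHello has arrived (up to 5s)
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Route on the SNI hostname. "host starts with" (hdr_beg) is an HTTP-mode
    # ACL and is unavailable here, so req.ssl_sni is used instead.
    acl sni_iis  req.ssl_sni -i www.example.com
    acl sni_app1 req.ssl_sni -i app1.example.com
    acl sni_app2 req.ssl_sni -i app2.example.com

    use_backend iis_https  if sni_iis
    use_backend app1_https if sni_app1
    use_backend app2_https if sni_app2
    default_backend iis_https

# Port 80: plain HTTP can stay in HTTP mode, where the Host header is visible.
frontend http_in
    bind *:80
    mode http
    acl host_iis  hdr(host) -i www.example.com
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    use_backend iis_http  if host_iis
    use_backend app1_http if host_app1
    use_backend app2_http if host_app2
    default_backend iis_http

# Backends: no "ssl" keyword on the server lines, so the TLS session is
# terminated by each host with its own certificate. A TCP health check only
# confirms the port answers; it cannot validate the certificate.
backend iis_https
    mode tcp
    server iis 10.10.10.3:443 check

backend app1_https
    mode tcp
    server app1 10.10.10.4:443 check   # constructed address

backend app2_https
    mode tcp
    server app2 10.10.10.5:443 check   # constructed address

backend iis_http
    mode http
    server iis 10.10.10.3:80 check

backend app1_http
    mode http
    server app1 10.10.10.4:80 check   # constructed address

backend app2_http
    mode http
    server app2 10.10.10.5:80 check   # constructed address
```

Two points worth checking against a setup like the one in this thread. First, a client that sends no SNI (a very old client, or one connecting by IP address) matches none of the ACLs and lands on the default backend, so the default should be the host whose certificate you are happy to present in that case. Second, in TCP mode HAProxy does not generate HTTP responses at all; when no server is available it simply closes the connection. If the browser renders an HAProxy 503 page, the request reached an HTTP-mode frontend (or port 80), which narrows down which rule is actually handling the traffic. To confirm routing from a client, `openssl s_client -connect <pfsense-ip>:443 -servername app1.example.com` should show the certificate of the host behind app1.example.com; a certificate for a different host means the SNI ACL did not match. In the pfSense package this configuration corresponds to a frontend of the TCP (SSL/HTTPS passthrough) type with an ACL that matches the TLS SNI extension rather than the HTTP Host header; the exact labels vary by package version, so treat that mapping as an approximation.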
-
I am going through the same problem as well. While I am fairly new to HAProxy, I've been at this for days now without any success either. I wonder if someone with more experience in this can shed some light on how to accomplish this.
-
Not to revive an older thread, just wondering if @AndroBourne or @breezytm got an SSL passthrough solution working? I have a similar setup I am trying to get functional, where a first frontend is using TCP mode for SSL passthrough to a second SSL passthrough that does SSL offloading. Hoping either of you figured out something that is working. Thanks!
-
@sgnoc I was not able to set it up. Reference documents are limited.
-
@breezytm Thanks for the reply. I finally was able to get it working after I found one site that provided some reference configurations. Here is my post on the Netgate forum if you are still looking for a solution.
https://forum.netgate.com/topic/174705/haproxy-ssl-offloading-openvpn-ssh