Netgate Discussion Forum
    HAproxy SSL offloading complicated setup

lex.under.3182 (last edited by lex.under.3182):

      Hello,

I have the following HAProxy setup with wildcard SSL certificates plus additional SSL certificates.
I'm getting one issue that I cannot understand how to solve.

I have two wildcard SSL certificates:
      *.domain1.icu
      *.domain2.icu
and several additional certificates like
      core.demo99.stage.domain1.icu
      core.dev2.stage.domain1.icu

Everything works normally, BUT when I add a new domain to the HAProxy frontend like
core.devph.stage.domain1.icu and want it to use the wildcard SSL certificate (not a separate one), then core.demo99.stage.domain1.icu is automatically applied to it.

If I add test.domain1.icu, it applies the *.domain1.icu cert fine.

So probably the issue is related to SNI. If I add core.devph.stage.domain1.icu to the SNI filter in the primary frontend, then SSL is applied fine, BUT the backend stops working with a BAD REQUEST error, and in the logs I see SSL handshake failed.

I guess I am missing something... Please help. Also, if you can help me understand how to generate a FREE SSL certificate via pfSense for a multi-level FQDN like core.devph.stage.domain1.icu, it would be cool, because when *.domain1.icu is applied it still reports that the SSL is not trusted because of a wrong Common Name, and because of this in some cases I have to generate separate SSL certificates for it.

      [2.6.0-RELEASE][root@pfSense.domain1.icu]/root: cat /var/etc/haproxy/haproxy.cfg
      # Automaticaly generated, dont edit manually.
      # Generated on: 2022-07-28 12:38
      global
              maxconn                 500
              log                     /var/run/log    local0  debug
              stats socket /tmp/haproxy.socket level admin  expose-fd listeners
              uid                     80
              gid                     80
              nbproc                  1
              nbthread                        1
              hard-stop-after         15m
              chroot                          /tmp/haproxy_chroot
              daemon
              tune.ssl.default-dh-param       2048
              log-send-hostname               HaproxyMasterNode
              server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
              bind 127.0.0.1:2200 name localstats
              mode http
              stats enable
              stats admin if TRUE
              stats show-legends
              stats uri /haproxy/haproxy_stats.php?haproxystats=1
              timeout client 5000
              timeout connect 5000
              timeout server 5000
      
      frontend https-primary-frontend-merged
              bind                    172.28.28.28:443 name 172.28.28.28:443   ssl crt-list /var/etc/haproxy/https-primary-frontend.crt_list
              mode                    http
              log                     global
              option                  http-keep-alive
              option                  forwardfor
              acl https ssl_fc
              http-request set-header         X-Forwarded-Proto http if !https
              http-request set-header         X-Forwarded-Proto https if https
              timeout client          30000
              acl                     gpg     var(txn.txnhost) -m str -i gpg.domain1.icu
              acl                     m-test-tm    var(txn.txnhost) -m str -i tm.domain1.icu
              acl                     m-test-m  var(txn.txnhost) -m str -i m.domain1.icu
              acl                     m-demo-tm    var(txn.txnhost) -m str -i tm-demo.domain1.icu
              acl                     m-demo-m  var(txn.txnhost) -m str -i m-demo.domain1.icu
              acl                     m-dev-m   var(txn.txnhost) -m str -i m-dev.domain1.icu
              acl                     m-dev-tm     var(txn.txnhost) -m str -i tm-dev.domain1.icu
              acl                     m-dev-ig     var(txn.txnhost) -m str -i ig.m-dev.domain1.icu
              acl                     ecs-eml var(txn.txnhost) -m str -i eml-dev.domain1.icu
              acl                     ecs-madeira-m        var(txn.txnhost) -m str -i m-madeira.domain1.icu
              acl                     ecs-madeira-tm  var(txn.txnhost) -m str -i tm-madeira.domain1.icu
              acl                     m-dev-ig2    var(txn.txnhost) -m str -i ig-m-dev.domain1.icu
              acl                     traduora-domain1-icu   var(txn.txnhost) -m str -i traduora.domain1.icu
              acl                     core.demo99.stage.domain1.icu  var(txn.txnhost) -m str -i core.demo99.stage.domain1.icu
              acl                     core.dev2.stage.domain1.icu    var(txn.txnhost) -m str -i core.dev2.stage.domain1.icu
              acl                     core.devph.stage.domain1.icu   var(txn.txnhost) -m str -i core.devph.stage.domain1.icu
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^core\.demo99\.stage\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^core\.dev2\.stage\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^core\.devph\.stage\.domain1\.icu(:([0-9]){1,5})?$
              acl                     m-monitoring var(txn.txnhost) -m str -i monitoring.domain2.eu
              acl                     core.cloud2.prod.domain2.eu  var(txn.txnhost) -m str -i core.cloud2.prod.domain2.eu
              acl                     tm.cloud2.prod.domain2.eu  var(txn.txnhost) -m str -i tm.cloud2.prod.domain2.eu
              acl                     aclcrt_haproxy-https-domain2 var(txn.txnhost) -m reg -i ^([^\.]*)\.domain2\.eu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain2 var(txn.txnhost) -m reg -i ^core\.cloud2\.prod\.domain2\.eu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain2 var(txn.txnhost) -m reg -i ^tm\.cloud2\.prod\.domain2\.eu(:([0-9]){1,5})?$
              acl                     aclcrt_https-primary-frontend   var(txn.txnhost) -m reg -i ^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_https-primary-frontend   var(txn.txnhost) -m reg -i ^([^\.]*)\.domain2\.eu(:([0-9]){1,5})?$
              http-request set-var(txn.txnhost) hdr(host)
              http-request  deny if { req.hdr_cnt(content-length) gt 1 }
              http-response deny if { res.hdr_cnt(content-length) gt 1 }
              use_backend gpg.domain1.icu_ipvANY  if  gpg aclcrt_haproxy-https-domain1
              use_backend m-test_ipvANY  if  m-test-tm aclcrt_haproxy-https-domain1
              use_backend m-test_ipvANY  if  m-test-m aclcrt_haproxy-https-domain1
              use_backend m-demo_ipvANY  if  m-demo-tm aclcrt_haproxy-https-domain1
              use_backend m-demo_ipvANY  if  m-demo-m aclcrt_haproxy-https-domain1
              use_backend m-dev_ipvANY  if  m-dev-m aclcrt_haproxy-https-domain1
              use_backend m-dev_ipvANY  if  m-dev-tm aclcrt_haproxy-https-domain1
              use_backend m-dev_ipvANY  if  m-dev-ig aclcrt_haproxy-https-domain1
              use_backend ecs-eml_ipvANY  if  ecs-eml aclcrt_haproxy-https-domain1
              use_backend ecs-madeira_ipvANY  if  ecs-madeira-m aclcrt_haproxy-https-domain1
              use_backend ecs-madeira_ipvANY  if  ecs-madeira-tm aclcrt_haproxy-https-domain1
              use_backend m-dev_ipvANY  if  m-dev-ig2 aclcrt_haproxy-https-domain1
              use_backend traduora.domain1.icu_ipvANY  if  traduora-domain1-icu aclcrt_haproxy-https-domain1
              use_backend core.demo99.stage.domain1.icu_ipvANY  if  core.demo99.stage.domain1.icu aclcrt_haproxy-https-domain1
              use_backend core.dev2.stage.domain1.icu_ipvANY  if  core.dev2.stage.domain1.icu aclcrt_haproxy-https-domain1
              use_backend core.devph.stage.domain1.icu_ipvANY  if  core.devph.stage.domain1.icu aclcrt_haproxy-https-domain1
              use_backend m-monitoring_ipvANY  if  m-monitoring aclcrt_haproxy-https-domain2
              use_backend core.cloud2.prod.domain2.eu_ipvANY  if  core.cloud2.prod.domain2.eu aclcrt_haproxy-https-domain2
              use_backend tm.cloud2.prod.domain2.eu_ipvANY  if  tm.cloud2.prod.domain2.eu aclcrt_haproxy-https-domain2
      
      frontend http-to-https
              bind                    172.28.28.28:80 name 172.28.28.28:80
              mode                    http
              log                     global
              option                  http-keep-alive
              timeout client          30000
              http-request redirect scheme https unless { ssl_fc }
              http-request  deny if { req.hdr_cnt(content-length) gt 1 }
              http-response deny if { res.hdr_cnt(content-length) gt 1 }
      
      backend gpg.domain1.icu_ipvANY
              mode                    http
              id                      100
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  gpg 192.169.0.213:443 id 101 ssl  verify none
      
      backend m-test_ipvANY
              mode                    http
              id                      102
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  m-test 10.127.2.27:443 id 101 ssl  verify none
      
      backend m-demo_ipvANY
              mode                    http
              id                      103
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  m-demo 10.127.1.244:443 id 101 ssl  verify none
      
      backend m-dev_ipvANY
              mode                    http
              id                      104
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  m-dev 10.127.0.125:443 id 101 ssl  verify none
      
      backend ecs-eml_ipvANY
              mode                    http
              id                      105
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  ecs-eml 10.127.0.177:443 id 106 ssl  verify none
      
      backend ecs-madeira_ipvANY
              mode                    http
              id                      111
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  ecs-madeira 10.127.3.224:443 id 110 ssl  verify none
      
      backend traduora.domain1.icu_ipvANY
              mode                    http
              id                      116
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  traduora.domain1.icu 192.169.0.169:80 id 118
      
      backend core.demo99.stage.domain1.icu_ipvANY
              mode                    http
              id                      119
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  core.demo99.stage.domain1.icu 192.169.22.16:443 id 120 ssl  verify none
      
      backend core.dev2.stage.domain1.icu_ipvANY
              mode                    http
              id                      112
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  core.dev2.stage.domain1.icu 192.169.22.197:443 id 113 ssl  verify none
      
      backend core.devph.stage.domain1.icu_ipvANY
              mode                    http
              id                      121
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  core.devph.stage.domain1.icu 192.169.22.68:443 id 113 ssl  verify none
      
      backend m-monitoring_ipvANY
              mode                    http
              id                      109
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  m-monitoring 192.169.0.8:443 id 110 ssl  verify none
      
      backend core.cloud2.prod.domain2.eu_ipvANY
              mode                    http
              id                      115
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  core.cloud2.prod.domain2.eu 192.169.22.133:443 id 101 ssl  verify none
      
      backend tm.cloud2.prod.domain2.eu_ipvANY
              mode                    http
              id                      117
              log                     global
              timeout connect         30000
              timeout server          30000
              retries                 3
              server                  tm.cloud2.prod.domain2.eu 192.169.22.134:443 id 101 ssl  verify none
      
viragomann @lex.under.3182:

        @lex-under-3182 said in HAproxy SSL offloading complicated setup:

        BUT when I add new domain to haproxy Frontend like
        core.devph.stage.domain1.icu and want it to be on wildcard SSL certificate

        Which one? You don't have any matching.

lex.under.3182 @viragomann:

          @viragomann

I think the matching for the SSL certificate is here.
It ignores the first one for multilevel subdomains and automatically applies the second one, core.demo99.stage.domain1.icu

              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^core\.demo99\.stage\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^core\.dev2\.stage\.domain1\.icu(:([0-9]){1,5})?$
              acl                     aclcrt_haproxy-https-domain1   var(txn.txnhost) -m reg -i ^core\.devph\.stage\.domain1\.icu(:([0-9]){1,5})?$
          
viragomann @lex.under.3182:

            @lex-under-3182 said in HAproxy SSL offloading complicated setup:

            It ignores the first one for multilevel subdomains and automatically applies the second one core.demo99.stage.domain1.icu

            Yeah, multiple subdomains at the level of the star, which is the third: *.domain1.icu

So you can use it for any domain in which you can replace the star with any proper string.
So it may work with stage.domain1.icu, but not with core.devph.stage.domain1.icu. This domain has five levels.
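To make the single-label wildcard rule concrete, here is an added illustration (not code from the thread or from pfSense/HAProxy): it applies the RFC 6125 matching rule that browsers use when validating a certificate name, simulates certificate selection over a constructed inventory mirroring the thread's certificates, and evaluates the pfSense-generated ACL regex quoted above. The certificate labels and the fallback-to-None behaviour when nothing matches are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed certificate inventory mirroring the thread (labels are assumed).
# Each cert lists the DNS names in its SAN; a '*' covers exactly one label.
CERTS: Dict[str, List[str]] = {
    "wildcard-domain1": ["*.domain1.icu"],
    "wildcard-domain2": ["*.domain2.icu"],
    "core.demo99": ["core.demo99.stage.domain1.icu"],
    "core.dev2": ["core.dev2.stage.domain1.icu"],
}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may stand in for the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same number of labels and identical suffix: the star never spans a dot,
    # so *.domain1.icu covers stage.domain1.icu but not core.devph.stage.domain1.icu.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_for_sni(host: str, certs: Dict[str, List[str]] = CERTS) -> Optional[str]:
    """Pick the cert covering the SNI host, exact names before wildcards.

    None means no cert covers the name; a real proxy would then serve its
    default certificate, which is what produces the 'wrong Common Name' error.
    """
    for cert, names in certs.items():
        if host.lower() in (n.lower() for n in names):
            return cert
    for cert, names in certs.items():
        if any(name_matches(n, host) for n in names):
            return cert
    return None


# The ACL regex pfSense generated for the *.domain1.icu certificate, as quoted
# in the thread: one dot-free label, then domain1.icu, then an optional port.
ACL_WILDCARD_DOMAIN1 = re.compile(r"^([^\.]*)\.domain1\.icu(:([0-9]){1,5})?$", re.I)


def acl_matches(host_header: str) -> bool:
    """True when the Host header value satisfies the wildcard ACL."""
    return ACL_WILDCARD_DOMAIN1.match(host_header) is not None
```

Both checks agree: the ACL and the certificate accept test.domain1.icu or stage.domain1.icu, while core.devph.stage.domain1.icu matches neither, so the five-label name needs its own certificate (or a wildcard issued for *.stage.domain1.icu).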

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.