SSL certs handling and HAproxy
-
I guess you missed some of my comments.
Is HAProxy configured to redirect http to https?
How exactly are you testing when you see that? From some external IP? Using http?The traffic is finally hitting the server as http so that part is solved.
I've tested from internal (LAN) clients using curl and firefox to http since the firewall is handling the ssl cert.
Internally, all is good, web pages are being served up using http.
Externally or public, everything gets a 301.From external connections, I'm connecting to https and can see the traffic being sent from haproxy to http.
-
@lewis
what are you running on the server? apache2 ?
that's usually a misconfiguration in the web server, maybe a redirection on the config that you don't need anymore -
I checked the incoming headers and for some reason, http is still being forwarded to https so I think the problem is with the web server at this point.
It's odd because there is no forwarding configured, at all on the web server so I'll spend some time on this and see what I can discover.It's darn close now that I've rebuilt the haproxy config.
-
@lewis
that error is usually from a redirect in the web server, haproxy try to comunicate with the web server via http but the server answer back via https but since haproxy is expecting HTTP traffic, it keeps resending the same request, resulting in a redirect loopnginx could have something like -> return 301 https://$server_name$request_uri;
apache2 could have something like -> RewriteEngine / RewriteCond / RewriteRule -
So what seems to be happening is that because the site was built with all urls being https, no matter if I hit it using http, the urls are all htps so the browser keeps getting https.
I dumped the application db, edited all the links to be http and it 'sort of' works.
I can fix the problems but it's not going to solve the main problem which is the sites cannot all be rebuilt to be http.
So, all this for nothing ti seems unless there's some way to get https pages working with haproxy as well. -
Hmm, if you only see that when connecting externally though that's only when the connection is going through HAProxy.
What I expected would be a redirect in the HAProxy front end. That should only ever be for http to https for client connections but it would be possible to have ot set the other way around accidentally.
-
HAProxy will work fine using https to the backends if you need it to. I have no idea if you can add Varnish to that though.
-
Well, I showed all of my configuration and I can see haproxy sending to http.
Even after changing all of the urls to http, the page is still showing up broken to public clients but perfectly to internal. -
@stephenw10 said in SSL certs handling and HAproxy:
HAProxy will work fine using https to the backends if you need it to. I have no idea if you can add Varnish to that though.
Right, that was the entire goal so if I can't do that, then this is all moot.
-
Well if the backend servers can only respond correctly to https connections then Varnish needs to use https to connect to them.
You might try using a very simple site that you know works fine with http as a test until you have the other parts working.
-
You might try using a very simple site that you know works fine with http as a test until you have the other parts working.
That's what this site was, for testing.
Other than this post, I can't find much more information so I guess I don't get to set this up the way I need it. -
By very simple I mean just an index page. Nothing with anything linking to https.
-
@stephenw10 said in SSL certs handling and HAproxy:
By very simple I mean just an index page. Nothing with anything linking to https.
Yes, I already proved to myself that haproxy is sending http now but the site is built in https.
I dumped the db, renamed all of the https urls to http and it worked fine other than some small things I'd have to fix.The problem is, I cannot do that to all of the apps that would be in play here, it's simply too much work.
The only other option I have is to not use haproxy on pfsense, but use acme only to have that centralized part I wanted.Setups could be a proxy/varnish on a server. Not sure if pfsense can send pure http after acme to the LAN.
-
I'd be surprised if Varnish can't also use https. As long as the front and backend sessions are terminated there it can still see and cache all the content.
But, yes, if you're running Varnish on some separate server then it might be easier to do it all there.
-
These are some headers I have set in the Apache configuration.
I'm reading that haproxy also needs to have custom headers for some of these to work.# Add X-Forwarded-For header to log the original client IP RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e # Add X-Real-IP header RequestHeader set X-Real-IP %{REMOTE_ADDR}e # Add X-Forwarded-Proto header to identify the protocol used by the client RequestHeader set X-Forwarded-Proto https # Use Vary header for content negotiation <Location /> Header append Vary Accept-Encoding </Location>I would need to add custom configs in haproxy, like under the frontend or backend sections, depending on specific requirements.
The actual syntax for these directives will typically look like http-request set-header X-Forwarded-For %[src] for X-Forwarded-For, as an example.
But that's the problem, I can't find enough information to even understand what I would need to add to haproxy.Maybe I'm closer than I think but lack of knowledge and examples is making it impossible.
-
What's the chances?
-
You are accessing that via the proxy?
-
@stephenw10 said in SSL certs handling and HAproxy:
You are accessing that via the proxy?
I was searching Google which gave a link to these forums and this is what I got, repeatedly.
When we forward a domain, we typically maintain the old domain's cert also, just for this reason. -
@lewis
must be an old entry because the forum is forum.netgate.com and not forum.pfsense.com
or they forgot to add the DNS
-
Oh well spotted! Yeah that's just an old link.
