HAProxy TCP Mode SSL Offloading NOT WORK

Victor 6

hi how are things
I would like you to help me. I have been reading some forums for days and nothing works.
I developed an application which uses port 789 when I put it in tcp mode without activating ssl it works fine but when activating ssl the connection is lost prior to this I have created my certificates and so on and used tcp and ssl/https mode but it does not work neither of the 2 when I activate the ssl check
In the back I have the server that points to the same port

I would like to know what I am doing wrong or what I am missing.
my job almost depends on this =(

Victor 6

If you need any more precise or clear information, I can provide it.

viragomann

@Victor-6 said in HAProxy TCP Mode SSL Offloading NOT WORK:

but it does not work neither of the 2 when I activate the ssl check

SSL check is a setting in the backend. If you enable it, it requires that the backend provides a proper SSL certificate.
If you want to do SSL offloading and run the backend without SSL, you probably might want to enable this.

What exactly does the client complain about?

Victor 6

@viragomann
for example i try to use the synology drive client app from a windows machine and when i activate the ssl (the check i receive this message)
the configuration I have now is as follows (this configuration works without the ssl and I want to be able to use the certificate I have) and I have tried everything but nothing works.

Fronted

Backend

viragomann

@Victor-6
Seems the client doesn't trust the SSL certificate. Is it self-signed?

I don't think, that this has something to do with HAproxy. I guess, you will get the same if you connect the client directly to the backend.

What's the goal of using TCP mode? Do you need to handle the certificate on the backend?

Victor 6

@viragomann
because the synology (desktop) drive client app uses port 6690 only the desktop app uses that port, THAT IS THE PORT THAT IT CONNECTS TO AND CANNOT BE CHANGED.

now I emphasize the following I CAN CONNECT WITHOUT PROBLEM ""WITHOUT USING SSl"" I HAVE NO PROBLEMS

BUT WHEN I WANT TO USE SSL TO MAKE A SECURE CONNECTION IT DOES NOT ALLOW ME TO CONNECT AT ALL.

THIS IMAGE SHOWS ME WHEN I ACTIVATE SSL IN THE FRONTEND

->

IN MY OLD CONFIGURATION I DON'T KNOW WHAT IS WRONG WHEN ACTIVATING THE SSL IN THE FRONTEND.

I TRIED TO USE IN THE BACK THE SSL AND STILL DOES NOT WORK I GET THAT THE CERTIFICATE IS NOT VALID.

FOR THE CERTIFICATES IN PFSENSE I USE WHAT IT IS, THE "ACME CLIENT".

I HAVE OTHER SERVICES AND THEY WORK FINE BUT REGARDING TCP MODE SSL DOES NOT WORK.

viragomann

@Victor-6
The certificate on pfSense cannot be used in TCP mode. There is no option in the frontend to assign a SSL certificate.
TCP can pass through SSL to the backend as its best. So you would have to install a valid certificate on the Synology.

pfSense can do the SSL en-/decryption in HTTP mode though. But I don't know if the desktop client protocol can be handled in HTTP mode. Maybe (in case it's just WebDAV).

the-iuser

@Victor-6 I'm experiencing the same issue. I can not get the drive client on port 6690 to work with my SSL offloading HAProxy. Guess you didn't find a solution?
According to the synology support the client uses http basic auth.

johnpoz

@the-iuser did you miss @viragomann post?

Victor 6

@johnpoz
use what you say and it doesn't work at all although it seems a bit absurd and pointless to me the truth that haproxy can't handle a certificate in tc
When I try to connect in the mode you tell me it does not work and I explain in detail

1:when I log on I get this problem

2:even though the connection comes through tcp and connects to port 6690 you get the problem but it does register the connection.

3:the haproxy configuration at frontend level I did it in 2 ways and I explain it the way without (SSL Offloading)

4: backend configuration

and this way does not work
and if I activate ssl offloading it doesn't work either.

I've been fighting with this for a couple of weeks now and I can't make sense of it.

but if I activate tcp mode I can log in but I can't use the certificate.

johnpoz

@Victor-6 said in HAProxy TCP Mode SSL Offloading NOT WORK:

I've been fighting with this for a couple of weeks now and I can't make sense of it.

Not sure what part your not understanding that haproxy can not do ssl offloading with tcp mode.. If you want to use tcp mode and a cert, then backend must have a certificate, the ssl cert your using would have to be valid.. ie in that it works, and your service your sending traffic to via the backend would have to be using it.

Here this took all of 30 seconds to setup.

I fired up a website on my nas using a cert on port 44443.. I then created a frontend in tcp mode on my pfsense wan IP, that sends it to a backend on 44443.. Clicky Clicky bobs your uncle..

Sure I got a warning about the cert, because I couldn't be bothered to setup a cert with valid CN and or San and a dns record that pointed the fqdn that to point to my wan IP..

Notice the states at the end - my pc hitting my wan IP on port 44443, which is then proxied to my nas at 192.168.9.10 on port 44443 from my pfsense lan IP 192.168.9.253

You can see on the connection info for the https connection, that it shows that site CA was just one of my pfsense CAs that I named home, the cert I used I had created for different CN and SANS - which is why browser throws up a warning. Because that info is not matching with where I went.. But the cert is still valid and the service is using it.

viragomann

@Victor-6 said in HAProxy TCP Mode SSL Offloading NOT WORK:

When I try to connect in the mode you tell me it does not work and I explain in detail

If you check "SSL offloading" the frontend listening section you get an SSL offloading section at the bottom, where you have to select the proper SSL certificate.
Did you do this? Your screens don't show.

Victor 6

@johnpoz
question and to clarify

the ssl certificate you load it in the backend ( in the option where it says Encrypt(SSL)) or not

or I have to create a certificate inside my synology nas for the drive server port ? and if so and if I have some synology will not be cumbersome to create certificate for one and should not control haproxy ?

do you know if OPNsense is possible?

johnpoz

@Victor-6 huh? I have no idea what that other distro does or doesn't do - but pretty sure this is a limitation of haproxy..

You can either pass through the traffic with tcp mode and let the cert on the destination do its thing. Or you can do ssl offload and load the cert in haproxy, you could either talk to the backend in the clear, or you can also do a cert there, but if your going to go that route then haproxy would have to trust that cert you have on the destination.

You can for sure use acme on synology. But I think your problem is you don't even know what your trying to do..

Victor 6

@johnpoz
first thank you for your help

second it is clear what I want to do for something I made a graph or you can check in the part above.

second
you are clear that the port that you use synology drive?? the desktop applications

you gave me an example that is the same thing I do and that is not the problem.

have you tried with your mac or windows desktop applications to connect that way?

I have used the ssl offload on both the front and back end and it does not work.

or what would be the configuration that allows a synology user desktop application to connect to my NAS?

I have used the ssl offload on both the front and back end and it does not work.

Translated with DeepL.com (free version)

Victor 6

@johnpoz

johnpoz

@Victor-6 ok maybe I am lost in what exactly your wanting to accomplish - but this took all of 2 minutes to setup

I created a frontend, tcp - pointed it to my backend, no health check..

Installed the drive client - pointed it to my wan IP so haproxy would see it, and gave me a warning about the cert.. Because its a local cert and clicked ok and away it goes. I added some file in my folder and they got sync'd to my nas

Why does this not work for you? If you want to have a cert that your client trusts then put one on the nas.. What does it matter if the cert is legit or not legit? Its a one time click through to have the client trust it.. And there you go - the traffic is encrypted and sync

Not understanding the use case here.. Why would you want/need haproxy to do ssl offloading? Just put a trusted cert on your nas if you do not want the "ONE" time warning?

Victor 6

@johnpoz
I totally appreciate your help just as many here, what you express in your graphs is what I already did above and many people have done.
What I was even mentioning in the graphic is that I DO NOT WANT MY NAS SYNOLOGY TO HANDLE THAT, I WANT PFSENSE TO HANDLE THAT INSTEAD OF MY NAS SYNOLOGY.
I explained all the steps you shared with me in what is found in forums and so on
but the big question and how should be the configuration is:
HOW CAN I MAKE MY PFSENSE MANAGE THE CERTIFICATE INSTEAD OF MY SYNOLOGY, that is the million question.
how to configure it to be pfsense that handles that and what is the correct configuration to make use of certificates that are in pfsense and not in synology

johnpoz

@Victor-6 said in HAProxy TCP Mode SSL Offloading NOT WORK:

I DO NOT WANT MY NAS SYNOLOGY TO HANDLE THAT, I WANT PFSENSE TO HANDLE THAT INSTEAD OF MY NAS SYNOLOGY.

And its not going to work that way.. Talk to synology about their application.

Why is the question.. You can just use the default synology cert, a simple port forward or let haproxy proxy it.. Your just causing yourself grief trying to get something to work that serves no actual purpose.. You setup the application, and click trust this cert - ONE TIME!! There is no extra security... Your trying to jump through a bunch of hoops and configure this, and configure that when its a 1 minute click here and your good.

For ssl offload to work, the bankend has to be http based not just tcp.. that is not how this application works.. So no you can't do ssl offload on haproxy.. But again your just doing work for no benefit..

Victor 6

@johnpoz
so practically if or if I have to install the certificate on my nas synology
I handle some networking, but the truth is super weird to believe that there is no possibility that a firewall can not be configured in some existing way so that in tcp load the certificate
because in many forums people want pfsense/haproxy to take care of this, not the nas (for the same reason they don't want to install the certificate on their nas).
I hope to find someday the solution or the firewall or the steps to allow it to somehow load the certificate and not the equipment (nas synology).

you would know how to configure to do it pfsense/haproxy or you really do not know (that's why you give me the simplest option that is repeated in all places)