SSL error with two domains on one WAN with HAProxy

bastian.cr · Oct 21, 2024, 9:31 AM

Hello,

I encounter a problem that I just cant get behind.

I have a pfsense acting as firewall/router for one fixed WAN ip.

We have an exchange server behind where port 443 is forwarded to, which works fine.
Some subdomains are assigned to this fixed ip address and we have a SSL certificate for these subdomains.

I am thinking about replacing the exchange incl. active directory with something else since M$ is M$.
Therefore I would like to test another system upfront before I replace everything. I can setup another AD since we have another domain as a leftover.
I understand that we need a reverse proxy to select the right server locally, therefore I would like to use HAProxy to handle incoming requests and to forward those to the right backend.

I have assigned both subdomains outlook.domain1 and outlook.domain2 to the WAN ip. Configured HAProxy accordingly and also the firewall.
The config file:

# Automaticaly generated, dont edit manually.
# Generated on: 2024-10-20 14:45
global
	maxconn			1000
	log			/var/run/log	local0	debug
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state
	log /dev/log    local0
	    log /dev/log    local1 notice
	
	defaults
	    log     global
	    option  dontlognull
	    timeout connect 5000ms
	    timeout client  50000ms
	    timeout server  50000ms
	
	# Frontend für HTTP (Port 80)
	frontend http_frontend
	    bind 212.x.x.x:80
	    mode http
	    option httplog
	
	    # Leite basierend auf dem Host-Header zu den Backends
	    acl host_domain1 hdr(host) -i *.domain1.de
	    acl host_domain2 hdr(host) -i *.domain2.de
	
	    use_backend backend_domain1_http if host_domain1
	    use_backend backend_domain2_http if host_domain2
	
	    # Optional: HTTP auf HTTPS umleiten, wenn keine passende Domain gefunden wird
	    redirect scheme https code 301 if !host_domain1 !host_domain2
	
	# Frontend für SSL Pass-Through (Port 443)
	frontend https_frontend
	    bind *:443
	    mode tcp
	    option tcplog
	    tcp-request inspect-delay 5s
	    tcp-request content accept if { req.ssl_hello_type 1 }
	
	    # Leite basierend auf dem SNI-Hostname zu den jeweiligen Backends
	    use_backend backend_domain1_https if { req.ssl_sni -i *.domain1.de }
	    use_backend backend_domain2_https if { req.ssl_sni -i *.domain2.de }
	
	# Backend für Domain 1 (HTTP)
	backend backend_domain1_http
	    mode http
	    server domain1_backend 192.168.2.212:80 check
	
	# Backend für Domain 2 (HTTP)
	backend backend_domain2_http
	    mode http
	    server domain2_backend 192.168.2.208:80 check
	
	# Backend für Domain 1 (HTTPS)
	backend backend_domain1_https
	    mode tcp
	    server domain1_backend 192.168.2.212:443 check
	
	# Backend für Domain 2 (HTTPS)
	backend backend_domain2_https
	    mode tcp
	    server domain2_backend 192.168.2.208:443 check

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

The backend1 is shown as working, backend2 is offline since I have not setup the new services.

If i try to check the connection with curl -vvvkL https://outlook.domain1.de:443 I receive the error message:

  Trying 212.x.x.x:443...
* Connected to outlook.domain1.de (212.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to outlook.domain1.de:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to outlook.domain1.de:443

The HAProxy log says:

Oct 20 14:25:37 pfSense haproxy[39623]: x.x.x.x:54299 [20/Oct/2024:14:25:37.066] https_frontend https_frontend/<NOSRV> -1/-1/9 0 SC 1/1/0/0/0 0/0
Oct 20 14:28:21 pfSense haproxy[39623]: x.x.x.x:44938 [20/Oct/2024:14:28:21.108] http_frontend http_frontend/<NOSRV> 0/-1/-1/-1/0 301 102 - - LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Oct 20 14:28:21 pfSense haproxy[39623]: x.x.x.x:10848 [20/Oct/2024:14:28:21.136] https_frontend https_frontend/<NOSRV> -1/-1/9 0 SC 2/1/0/0/0 0/0

I have no good idea where to look further? A hint into the right direction would be highly appreciated.

Greetings
Bastian

viragomann · Oct 21, 2024, 5:10 PM

@bastian-cr said in SSL error with two domains on one WAN with HAProxy:

If i try to check the connection with curl -vvvkL https://outlook.domain1.de:443 I receive the error message:

Does the backend server even provide the expeceted SSL certificate matching outlook.domain1.de?

Is the service accessible from pfSense?

bastian.cr · Oct 21, 2024, 6:40 PM

@viragomann
Yes, the host is reachable and the exchange server has the correct certificate.

If I use normal portforwarding without a HAProxy at ports 80+443 from pfsense to the exchange server everything works properly.