Certificate/SSL termination problem


#1

Hello, experts.
I am configuring HAProxy for load balancing between 2 websites. The websites are secured with HTTPS using self-signed certs only.
I believe I configured HAProxy in pass-through mode. For the frontend I am using HTTP with a redirect, but it is not a requirement.

With my current setup I have to accept the certificates with every new session.
It is very annoying. I want to accept the certificates only once. Please have a look at my config and suggest what I am doing wrong.
Thank you

#------------------- GLOBAL SETTINGS ---------------------------
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    log 127.0.0.1 local0 debug
    maxconn 4096
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    tune.ssl.default-dh-param 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s
    option forwardfor
    option http-server-close

#------------------- FRONTEND HTTP ---------------------------

frontend http_in
    mode http
    option httplog
    bind *:80
    stats enable

    acl inter_acl hdr(Host) -i inter.apprenti.com
    # Rewrites a bare "GET /" so that the https redirect below points at the
    # application's landing URL instead of "/". The backslash before "#" is
    # required, otherwise HAProxy treats the rest of the line as a comment.
    # reqrep is deprecated since HAProxy 2.1 (removed in 2.2) in favour of
    # http-request replace-uri / replace-path.
    reqrep ^GET\ /\ HTTP/1.1 ^GET\ /zim-interaction-server-front/\#/call/5746cc51e4b0c2b2ea4be41a/2001\ HTTP/1.1  if inter_acl
    redirect scheme https if { hdr(Host) -i inter.apprenti.com } !{ ssl_fc }

#------------------- FRONTEND TCP ---------------------------

frontend tcp_in
    mode tcp
    option tcplog
    bind *:8444
    bind *:8445
    bind *:443

    # Hold the connection until the TLS ClientHello has arrived so the SNI
    # can be read without terminating TLS (pass-through).
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl inter_acl req.ssl_sni -i inter.apprenti.com
    use_backend special_Interaction if inter_acl

backend special_Interaction
    mode tcp
    option tcplog
    balance roundrobin

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44. This pins a client to the backend that issued its
    # session ID; a brand-new session (nothing to resume) is still
    # distributed round-robin.

    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    server Interaction1 172.31.14.158:443 check
    server Interaction2 172.31.14.156:443 check

#2

This is because you are using the same IP/DNS name to access the server, but the actual backend system is changing. Your browser sees this as a changed certificate and shows the error.

Why don't you just import the self-signed certificates into your trust store?


#3

Thank you for your reply. Just to clarify: should I import the certificates from the backend servers into HAProxy's trust store, or into my browser's?


#4

1.) Export the certificate from the backend server.
2.) Import the certificate into the trusted store of any client on which you wish to avoid the errors.

HAProxy does NOT need the certificate
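As an added example (not from the thread, and not HAProxy's own documentation): the alternative to trusting each backend's certificate on every client is to stop passing TLS through and terminate it on HAProxy instead, the "SSL termination" the title refers to. Every client then sees one certificate no matter which backend round-robin picks, and only HAProxy has to trust the two self-signed backend certificates, which it verifies before re-encrypting to them. The IPs and host name are the ones from the original config; the paths under /etc/haproxy/certs/ and the backend name are assumptions.

```haproxy
global
    log /dev/log local0
    # Refuse TLS 1.0/1.1 on the client-facing side.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend https_in
    # One certificate (key + cert chain in a single PEM) presented to every
    # client. Assumed path, not from the original post.
    bind *:443 ssl crt /etc/haproxy/certs/inter.apprenti.com.pem alpn h2,http/1.1
    bind *:80
    # Plain HTTP only ever gets a redirect.
    http-request redirect scheme https unless { ssl_fc }
    # Let the application know the client arrived over TLS.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    use_backend interaction if { req.hdr(host) -i inter.apprenti.com }

backend interaction
    balance roundrobin
    # Re-encrypt to the backends and verify their self-signed certificates
    # against a bundle containing exactly those two certificates (assumed
    # path). Clients never see the backend certificates, so a session moving
    # between backends no longer changes what the browser is shown.
    server Interaction1 172.31.14.158:443 ssl verify required ca-file /etc/haproxy/certs/backends.pem sni str(inter.apprenti.com) check
    server Interaction2 172.31.14.156:443 ssl verify required ca-file /etc/haproxy/certs/backends.pem sni str(inter.apprenti.com) check
```

backends.pem is simply the two self-signed backend certificates concatenated, i.e. the PEM that step 1 of the last reply exports. With `verify required`, HAProxy checks the names in the backend certificate against the `sni` value; if the self-signed certificates carry a different name (an IP address or an internal hostname), set `verifyhost` to that name on each server line instead, rather than downgrading to `verify none`. Because HAProxy now owns the client session, the TLS session-ID stick table from the original config is no longer needed; if the application itself keeps per-server state, use HTTP cookie-based persistence in the backend instead.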