Configuration does not work when tested with openssl without servername


#1

Hi,
I have HAProxy running OK for the most part, though I have one service which uses SSL and I have problems with it.
When I test it as:
openssl s_client -connect node1.server.com:443 -servername node1.server.com
HAProxy redirects correctly and returns the correct certificate.
If tested as:
openssl s_client -connect node1.server.com:443
it does not redirect.
Any idea how to fix it?

frontend z-https-in
    bind *:443

    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend z-zc_01_https_backend  if { req.ssl_sni -i node1.server.com }
    use_backend z-zc_02_https_backend  if { req.ssl_sni -i node2.server.com }

backend z-zc_02_https_backend
    mode tcp
    server node11 192.168.199.229:443

backend z-zc_01_https_backend
    mode tcp
    server node4 192.168.199.132:443


#2

Hi augustynr,

Your HAProxy configuration appears perfectly fine to me. The reason your request is not getting redirected when not using the servername option is that you are not passing an SNI as part of the SSL/TLS handshake.
To provide you some context, SNI allows a server to have multiple SSL certificates installed on the same IP address. In that scenario, if you are not providing the hostname of the server during the handshake process, the server wouldn't know the correct SSL certificate to use for the connection and would instead use the default certificate.

This is exactly what seems to be happening in your case.

When you use the above command, an SSL handshake is performed to establish a secure connection to node1.server.com on port 443, and the certificate for node1.server.com, as specified by the servername option, is used.

When you use the above command, an SSL handshake is performed to establish a secure connection to node1.server.com on port 443. But here the default SSL certificate is used, as there is no SNI specified by servername.
This is why the req.ssl_sni directive is unable to retrieve the hostname on which the redirection is based, and thus the ACL "req.ssl_sni -i node1.server.com" returns false.

As a solution, I would recommend you incorporate the use of the servername option in the service using SSL rather than going for a complex HAProxy configuration.

Hope this is helpful !

Thanks
Shivharsh
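To make the mechanism in the answer above concrete, here is an added example (not part of the original thread or of HAProxy itself) that builds a minimal TLS ClientHello with and without an SNI extension, extracts the handshake type and the server_name the way the frontend's req.ssl_hello_type and req.ssl_sni fetches do, and then applies the two use_backend rules from the posted configuration. The backend names and hostnames are taken from the poster's config; the ClientHello bytes are constructed here, not captured from a real client, and the fallback parameter stands in for HAProxy's default_backend directive, which the posted frontend does not set.

```python
import struct

# Routing table copied from the thread's use_backend rules (lowercased, because the ACLs use -i).
USE_BACKEND = {
    "node1.server.com": "z-zc_01_https_backend",
    "node2.server.com": "z-zc_02_https_backend",
}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2-style ClientHello record; constructed test input, not a real capture."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = SNI
    body = (
        b"\x03\x03"                                  # client_version
        + b"\x11" * 32                               # random (fixed so output is deterministic)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake


def parse_hello_type(record):
    """Return the handshake message type (1 == ClientHello), as req.ssl_hello_type does."""
    if len(record) < 6 or record[0] != 0x16:
        return None
    return record[5]


def parse_sni(record):
    """Return the host_name from the SNI extension, or None if absent, as req.ssl_sni does."""
    if parse_hello_type(record) != 1:
        return None
    body = record[9:]                      # skip 5-byte record header + 4-byte handshake header
    pos = 2 + 32                           # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                        # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                # server_name extension
            lp = 2                         # skip server_name_list length
            while lp + 3 <= len(data):
                ntype = data[lp]
                nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                name = data[lp + 3:lp + 3 + nlen]
                lp += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii").lower()
    return None


def choose_backend(record, default_backend=None):
    """Mimic the frontend: accept only a ClientHello, then route on SNI; else fall back."""
    if parse_hello_type(record) != 1:
        return None                        # inspect-delay expires, connection is dropped
    sni = parse_sni(record)
    if sni in USE_BACKEND:
        return USE_BACKEND[sni]
    return default_backend                 # None here models a frontend with no default_backend


if __name__ == "__main__":
    for label, hello in (("with -servername", build_client_hello("node1.server.com")),
                         ("without -servername", build_client_hello())):
        print(f"{label}: sni={parse_sni(hello)!r} backend={choose_backend(hello)!r}")
```

Running it shows the two cases from the original post: the ClientHello with a server_name routes to z-zc_01_https_backend, and the one without yields sni=None and no backend, because neither use_backend ACL can match an empty SNI.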


#3

Shivharsh
Thank you.
I do not have control of the clients connecting to this service, so I am not sure how I would incorporate the servername option. Any pointers?
Since that does not seem like a possibility, any pointers on how to set up HAProxy to deal with it?
Thank you very much.
robert


#4

Every supported browser on every supported Operating System sends SNI for HTTPS. If you need to support IE6 on Windows XP use cases, then you need to have a dedicated public IP address for each routing decision that you want to take.


#5

Just host your domains on different IPs, to which HAProxy can bind.


#6

Can these IPs be internal (192.168.1.x)? If so how would I do the binding?
Thanks a lot.


#7

If you have external users, they have to be public IPs.