HAProxy SSL termination with re-encryption on self-signed cert?

After 10 hours of debugging I am lost and hope someone can clarify this for me. I have probably read the right answer several times or was near “it works”…

My setup is simple:
I have two webservers with self-signed certs and they are running fine internally.

appserver1+nginx+selfsignedcert
app1.localdomain


appserver2+nginx+selfsignedcert
app2.localdomain

To make them reachable over WAN I wanted to utilize HAProxy (v1.8) with Let's Encrypt certificates for public web access.

haproxy(1.8)+certbot+letsencryptcerts
ha.localdomain

The following domain certs are created via Let's Encrypt and stored in the ssl folder:
app1.public.net
app2.public.net

And from then on it was not working even once:
I can't reach a site through the HAProxy address; I run either into 503 or connection refused errors. I started to strip and change a lot in my HAProxy config file. This is how it looks now:

frontend main
  # hdr(host) routing only works in HTTP mode; set it explicitly in case the defaults section is not "mode http"
  mode http
  bind :80
  bind :443 ssl crt /path/to/ssl.pem
  redirect scheme https if !{ ssl_fc }
  acl isapp1 hdr(host) -i app1.public.net
  acl isapp2 hdr(host) -i app2.public.net
  use_backend bapp1 if isapp1
  use_backend bapp2 if isapp2

backend bapp1
  mode http
  description my shiny app server is so shiny
  # nginx listens on 443, the original line pointed at port 433 (typo), which gives "connection refused" and therefore 503.
  # "check-ssl" alone does not enable health checks; "check" is required for it to have any effect.
  # "verify none" means HAProxy accepts any certificate from the backend, so the re-encryption is not authenticated.
  server app1 XXX.XXX.XXX.XXX:443 check check-ssl ssl verify none
  option http-no-delay
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend bapp2
  mode http
  description a second shiny tower somewhere between bits and bytes
  # same port typo (433 -> 443) and missing "check" as in bapp1
  server app2 XXX.XXX.XXX.XXX:443 check check-ssl ssl verify none
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

listen haproxy-stats
  # binds on all interfaces; "stats admin if TRUE" lets anyone who knows the stats credentials change server state
  bind :8080
  mode http
  option forwardfor
  option httpclose
  stats enable
  stats show-legends
  stats refresh 10s
  stats uri /stats
  stats realm Haproxy\ Statistics
  stats auth someuser:somepassphrase
  stats admin if TRUE

I would love to get some help here on what I am missing; I don't want to spend another night on it :smiley:

There is also more to consider: why do I terminate SSL 2x?
I usually encrypt most of my internal traffic with SSL, but does this re-encryption bring any drawbacks except the performance impact of SSL?

Is there any advantage in how SSL termination is done on nginx or HAProxy?
Something to consider security-wise?

I love the idea of managing just a single machine with all certs on it, but since I deploy SSL certs with Ansible I don't care that much.

Is it maybe better to generate the Let's Encrypt certs on the backends and let HAProxy run in TCP reverse-proxy mode?

A lot of questions for a first post, and a happy hello to all the proxy nerds :wink:

thanks in advance
n1ete
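The two designs the post asks about, written out as an added example (this is not the poster's config and not HAProxy project code). Backend addresses 10.0.0.11 / 10.0.0.12, the certificate paths, the certbot port 8888 and the timeouts are assumptions made for the example. Variant A keeps termination on HAProxy but replaces "verify none" with a pinned trust anchor, so the re-encrypted hop is actually authenticated; Variant B is the TCP passthrough / SNI routing alternative where nginx holds the Let's Encrypt certs. The two variants both bind :443 and are alternatives, not one combined file.

```haproxy
# ---------- Variant A: terminate on HAProxy, re-encrypt to nginx, verify the backend ----------
global
  # example hardening; assumed values, adjust to your client base
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

defaults
  mode http
  timeout connect 5s
  timeout client 30s
  timeout server 30s

frontend main
  bind :80
  # pointing crt at a directory loads one cert per public name; HAProxy picks by SNI
  bind :443 ssl crt /etc/haproxy/certs/
  # ACME HTTP-01 challenges arrive on plain :80 and must be routed BEFORE the https redirect,
  # otherwise certbot renewals on the HAProxy host get a 301 instead of the token
  acl acme path_beg /.well-known/acme-challenge/
  use_backend certbot if acme
  redirect scheme https code 301 if !{ ssl_fc }
  use_backend bapp1 if { hdr(host) -i app1.public.net }
  use_backend bapp2 if { hdr(host) -i app2.public.net }

backend certbot
  # assumption: certbot --standalone --http-01-port 8888 runs on ha.localdomain
  server local 127.0.0.1:8888

backend bapp1
  option forwardfor
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-Port %[dst_port]
  # ca-file holds the backend's own self-signed certificate (exported once from the nginx host),
  # so "verify required" pins exactly that cert; "verifyhost" checks its CN/SAN; "sni" makes nginx
  # pick the right vhost. With "verify none" any box answering on 10.0.0.11:443 would be accepted.
  server app1 10.0.0.11:443 check check-ssl ssl verify required ca-file /etc/haproxy/backend-ca/app1.localdomain.crt verifyhost app1.localdomain sni str(app1.localdomain)

backend bapp2
  option forwardfor
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-Port %[dst_port]
  server app2 10.0.0.12:443 check check-ssl ssl verify required ca-file /etc/haproxy/backend-ca/app2.localdomain.crt verifyhost app2.localdomain sni str(app2.localdomain)

# ---------- Variant B: TCP passthrough, Let's Encrypt certs live on the nginx hosts ----------
frontend tls-passthrough
  mode tcp
  bind :443
  # hold the connection until the ClientHello has been read so req.ssl_sni is populated
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  use_backend pass-app1 if { req.ssl_sni -i app1.public.net }
  use_backend pass-app2 if { req.ssl_sni -i app2.public.net }

frontend http-passthrough
  # plain :80 goes to nginx too, so certbot (webroot or nginx plugin) on the backends can answer HTTP-01
  mode tcp
  bind :80
  default_backend pass-app1-http

backend pass-app1
  mode tcp
  # HAProxy never sees plaintext here: no X-Forwarded-* headers, no host-based routing beyond SNI.
  # Add "send-proxy" here and "proxy_protocol" on the nginx listen line if nginx needs the client IP.
  server app1 10.0.0.11:443 check

backend pass-app2
  mode tcp
  server app2 10.0.0.12:443 check

backend pass-app1-http
  mode tcp
  server app1 10.0.0.11:80 check
```

To build the ca-file for Variant A, fetch the backend's self-signed cert once with `openssl s_client -connect app1.localdomain:443 -servername app1.localdomain -showcerts` and save the PEM block; the pin breaks (health check goes down) when the backend cert is rotated, which is the intended behaviour and something the Ansible deploy has to update in both places. Variant B avoids the double termination and the second key pair entirely, at the price of losing header injection and per-path routing on HAProxy, which is the trade-off behind the "why terminate 2x" question.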