One host not using SSL

Hi,

I have HAProxy set up in front of our Exchange server and one website, and both are working well with Let’s Encrypt SSL certificates.

I have tried to add another web host, which does connect, but SSL is not working and it only connects via HTTP. I have port 80 forced to SSL and I have added the domain to my Let’s Encrypt certificate, but when I connect to that domain via SSL, it seems to pass the SSL through rather than terminating at HAProxy, because the certificate presented is the self-signed one from the site.

The host that is not working in my config is the ovenmon, the workflow and exchange and auto hosts all work OK and give SSL.

Any suggestions as to what I have done wrong, it appears the same as the other setups but I can’t work out what’s missing?

Config Below:

# Process-wide settings: logging, privilege drop, runtime socket and TLS defaults.
global
# Logs go to the local syslog listener, facility local1, at debug (most verbose) level.
log 127.0.0.1 local1 debug
# Confine the process to this directory after start-up.
chroot /var/lib/haproxy
# Runtime API on a UNIX socket at "admin" level; mode 660 limits access to the
# socket's owner and group. Anyone in that group can change the running proxy.
stats socket /var/lib/haproxy/stats mode 660 level admin
stats timeout 30s
# Drop privileges to an unprivileged account and run in the background.
user haproxy
group haproxy
daemon
# Turns off certificate verification for every TLS connection HAProxy makes to a
# backend server (the default is "required"). Traffic is still encrypted, but the
# proxy will accept any certificate, so a host impersonating a backend on the
# internal network is not detected. Prefer "verify required" with a ca-file on
# the server lines once the backends have certificates from a CA you control.
ssl-server-verify none

# Base directories used to resolve relative certificate and CA file names.
crt-base /etc/pki/tls/certs
ca-base /etc/pki/tls/certs

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

# Cipher list offered on every "bind ... ssl" line. It still permits 3DES suites
# (64-bit block cipher) and static-RSA key exchange (no forward secrecy); both are
# worth dropping if all clients support the AES-GCM ECDHE/DHE suites.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Only SSLv3 is disabled here. NOTE(review): on HAProxy builds that do not default
# to TLS 1.2+, TLS 1.0/1.1 stay enabled unless no-tlsv10 / no-tlsv11 are added - confirm.
ssl-default-bind-options no-sslv3
# Size of the DH parameters used for DHE key exchange.
tune.ssl.default-dh-param 2048

# Settings inherited by every frontend, backend and listen section below.
defaults
log global
mode http
option httplog
option dontlognull
option http-keep-alive
option prefer-last-server
# Relaxes HAProxy's HTTP request parser so that some malformed requests are
# accepted instead of rejected. The HAProxy documentation advises against
# enabling this by default because it weakens a check that protects the
# backends; keep it only if a specific client is known to need it.
option accept-invalid-http-request
# Adds an X-Forwarded-For header carrying the client address to forwarded requests.
option forwardfor
no option httpclose
no option http-server-close
no option forceclose
no option http-tunnel
balance leastconn
# Health-check cadence: probe every 3s, 2 successes to mark up, 3 failures to mark down.
default-server inter 3s rise 2 fall 3
# A 600s client timeout lets idle connections hold a slot for ten minutes;
# presumably chosen for long-lived Exchange sessions - confirm it is needed globally.
timeout client 600s
timeout http-request 10s
timeout connect 4s
timeout server 60s

#################### FRONTEND HTTP

# Plain-HTTP listener on port 80 for all addresses. It has no use_backend or
# default_backend of its own; its only job is the HTTPS redirect that follows.
frontend ft_default_http
bind *:80 name http
mode http

option httplog

# redirect all other traffic to https

# ssl_fc is false for every connection on a non-TLS bind, so each request that
# reaches this port-80 listener gets a 301 to the https:// form of the same URL.
# A hostname that answers over HTTP without this redirect is therefore probably
# not being served by this listener at all.
redirect scheme https code 301 if !{ ssl_fc }

################## FRONTEND HTTPS

# TLS-terminating listener for all hosted sites. Clients are always shown the
# certificate(s) in domains.pem; a backend's own certificate is never presented
# to the browser by this frontend.
# NOTE(review): if a browser shows a backend's self-signed certificate for one
# hostname, that request is probably not arriving at this listener - check that
# the hostname's DNS record / NAT rule points at HAProxy rather than at the host.
frontend ft_default_https
bind *:443 name https ssl crt /etc/haproxy/ssl/domains.pem

# Header values captured here are referenced by the log-format line below.
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10

# Test URI to see if its a letsencrypt request
# This ACL exists only on the HTTPS frontend, so an ACME HTTP-01 challenge that
# starts on port 80 reaches it only via the port-80 redirect to HTTPS.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl

log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ “%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1”

option socket-stats
maxconn 2000

############### DOMAIN ACLS

# ssl_fc is always true on this frontend because its only bind line uses "ssl".
acl ssl_connection ssl_fc
# The hostnames were replaced with "domain" before posting, so all four ACLs read
# the same here. hdr(Host) compares the whole header value: a Host that carries an
# explicit port (name:443) or a name not listed exactly will not match.
acl host_mail hdr(Host) -i domain
acl host_workflow hdr(Host) -i domain
acl host_auto hdr(Host) -i domain
acl host_ovenmon hdr(Host) -i domain

############### PATH ACLS

acl path_slash path /
acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
acl path_autodiscover path_beg -i /autodiscover/autodiscover.xml
acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
acl path_ews path_beg -i /ews/
acl path_owa path_beg -i /owa/
acl path_oa path_beg -i /rpc/rpcproxy.dll
acl path_ecp path_beg -i /ecp/
acl path_oab path_beg -i /OAB/
acl path_mapi path_beg -i /mapi/
acl path_check path_end -i HealthCheck.htm

# Refuse client requests for the health-check page.
http-request deny if path_check
# These two redirects can never fire here: every request on this frontend is
# already TLS (see ssl_connection above). The working redirect is on port 80.
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect location /owa/ code 302 if path_slash host_mail

############## BACKEND REDIRECTIONS

# use_backend rules are evaluated in order and the first match wins. The path
# rules carry no host condition and come before the host rules, so a request for
# /owa/, /ecp/, /ews/ etc. is sent to Exchange whatever Host header it carries.
# Consider combining each with host_mail (e.g. "if host_mail path_ecp") so the
# Exchange paths - the /ecp/ admin path in particular - are reachable only under
# the mail hostname.
use_backend bk_exchange_https_autodiscover if path_autodiscover
use_backend bk_exchange_https_activesync if path_activesync
use_backend bk_exchange_https_ews if path_ews
use_backend bk_exchange_https_owa if path_owa
use_backend bk_exchange_https_oa if path_oa
use_backend bk_exchange_https_ecp if path_ecp
use_backend bk_exchange_https_oab if path_oab
use_backend bk_exchange_https_mapi if path_mapi

use_backend bk_workflow if host_workflow
use_backend bk_auto if host_auto
use_backend bk_ovenmon if host_ovenmon

# Any request that matched nothing above, including unknown Host values, is
# forwarded to the Exchange server.
default_backend bk_exchange_https_default

############## EXCHANGE BACKENDS

# Exchange backends. Every one of them, and bk_auto, points at the same server
# (10.0.2.252:443) with the same options; only the server timeout differs for
# mapi and oa (600s). HAProxy re-encrypts to the server ("ssl"), but "verify none"
# means the server's certificate is not checked, so the proxy cannot tell the real
# Exchange host from another machine answering on that address.
# NOTE(review): no "option httpchk" is visible in these backends or in defaults,
# so the "http-check expect" lines presumably have no effect and "check" is only
# a connection-level probe - confirm against the running version.
backend bk_exchange_https_activesync
http-check expect string 200\ OK
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_autodiscover
http-check expect string 200\ OK
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_ecp
http-check expect string 200\ OK
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_ews
http-check expect string 200\ OK
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_mapi
http-check expect string 200\ OK
# Longer server timeout for long-lived MAPI-over-HTTP requests.
timeout server 600s
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_oab
http-check expect string 200\ OK
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_oa
http-check expect string 200\ OK
# Longer server timeout for Outlook Anywhere (RPC over HTTP) requests.
timeout server 600s
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

backend bk_exchange_https_owa
http-check expect string 200\ OK
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

# Catch-all Exchange backend, used by default_backend in the HTTPS frontend.
backend bk_exchange_https_default
timeout server 60s
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

# Selected by the host_auto ACL; same Exchange server as above.
backend bk_auto
timeout server 60s
server mail1 10.0.2.252:443 ssl verify none maxconn 1000 weight 10 check

################ BACKEND WORKFLOW

# Workflow site. TLS ends at HAProxy; the hop to 10.0.2.230 is plain HTTP on
# port 80, so request contents cross the internal network unencrypted.
backend bk_workflow
mode http
balance roundrobin
option forwardfor
server serverwf 10.0.2.230:80 check
# Prefixes the request path with /SWS/ for GET requests only; other methods are
# forwarded with their original path.
# NOTE(review): reqrep is a legacy directive - confirm the installed HAProxy
# version still accepts it before upgrading.
reqrep ^GET\ /(.*) GET\ /SWS/\1

############### LETSENCRYPT BACKEND

# Target for ACME challenge requests: a service listening on the loopback
# address, port 8888. No health check is configured for it.
backend letsencrypt-backend
server letsencrypt 127.0.0.1:8888

############## OVENS BACKEND

# Oven-monitoring site. HAProxy connects to the host over TLS but, with
# "verify none", accepts whatever certificate it presents (the thread says this
# host uses a self-signed one). That certificate is only ever seen by HAProxy on
# this hop; clients coming through the HTTPS frontend see the frontend's
# certificate instead.
backend bk_ovenmon
mode http
option forwardfor
server serverovens 10.0.1.86:443 ssl verify none maxconn 1000 check

############## STATS CONFIG

# Built-in statistics page. As written it is served over plain HTTP, so the
# Basic-auth credentials below travel unencrypted.
listen stats # Define a listen section called "stats"
bind :9000 # No address given: listens on port 9000 on ALL interfaces, not only localhost; use "bind 127.0.0.1:9000" to keep it local
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
stats auth statsadmin:Tyr33Pr0xySt4ts # Cleartext credentials; this pair was published with the config, so treat it as exposed and change it

are you using separate domains for your sites? If so, are you using a wildcard cert? If not, you’ll need to add the other certs to your config.

I’m not using a wildcard, I just added the new domain to the existing certificate with the extend command for the lets encrypt SSL cert.

did you recreate your pem? is there a reason why you have broken down all your exchange services? just curious, as you could greatly simplify your config file if you only have one exchange server backend!

I believe I did, but I just ran it again.

With the Exchange backends, I had trouble getting it going, so I copied another config from the forums that worked, and I haven’t cleaned it up yet.

What I don’t understand is why when I type the address into a browser it’s not even redirecting to https, even though the config has the force https and it works for other sites not the ovenmon site?

will it connect to the back end without ssl if you configure it to do so? if so, then the issue is likely the cert. If not, then you likely have an issue with your matching acl.

it connects to the backend without ssl even though I have configured it not to.

So you think that it’s the SSL certificate on the HAProxy server?