Help Please,
We are trying to use one SSL certificate for multiple ports (443 and 6085) on the same instance, using HAProxy.
We have tried the following configurations:
This configuration does not work; the server does not run. When we comment out the 6085 configuration, the server for 443 delivers its content. What is the way out, please, such that we could make use of one SSL certificate for two frontends, where they both use the same backend?
I already have an SSL certificate, which currently encrypts incoming traffic on port 443 (https://www.domainname.com). We are trying to deploy a new monitoring platform for the frontend cache. This platform uses port 6085, which functions properly, no problem: when I open the site (http://www.domainname.com:6085/html) it loads the page normally. But it is not secure, for it cannot be used over https; when we try https it stops, hence it does not make use of SSL.
To resolve this issue, we want to make use of the existing SSL certificate which the HAProxy config points to. To achieve this, and to avoid using multiple SSL certificates on the same instance, we are trying to use the existing SSL certificate for both web solutions (the main site, which functions normally, and the new cache monitoring solution), such that when we point to port 6085 on the web using https it serves the same content as it does on http.
Is there anything I am missing? What comes to my mind is: is it possible to redirect traffic from port 6085 to 443 in the HAProxy configuration? Maybe this would resolve the issue.
global
log 127.0.0.1 local2 notice
log 127.0.0.1 local3
log-send-hostname
# CA base folder on this system (Redhat)
ca-base /etc/ssl/certs
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# Raising the DH param size from the default 1024 to a safer value
tune.ssl.default-dh-param 2048
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 20s
timeout queue 1m
timeout connect 15s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
# This is our client/CDN facing SSL/TLS frontend listening on port 443, providing SSL termination in front of Varnish
frontend for_ssl_clients
log global
# using no-sslv3 to ensure we only support TLS for security reasons http://disablessl3.com/#haproxy
bind *:443 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
default_backend varnish
# The backend is Varnish on port 80
backend varnish
log global
server local_varnish 127.0.0.1:80
# This is the frontend that Varnish will talk to (as its backend)
frontend for_varnish *:8443
log global
default_backend drupal_via_ssl
# The website's backend is running the site via TLS/SSL
backend drupal_via_ssl
log global
server on_prem_live www.domainname.ca:443 maxconn 100 ssl
I have tried adding the following to the configuration above.
frontend for_evd
local global
bind *:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
default_backend varnish2
# Using same backend as Varnish and will be reached over local IP address
backend varnish2
log global
server local_varnish 127.0.0.1:80
But it does not work. The main site would not even open, let alone encrypt the secondary site.
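Two things in the attempt above would make HAProxy refuse to start at all, which matches "the main site would not even open": the `frontend for_evd` section begins with `local global` (an unknown keyword where `log global` was presumably meant, and HAProxy aborts on any unknown keyword at parse time), and every `bind ... ssl` line ends in `ciphers` with no cipher list after it (possibly lost when the post was copied, but a parse error as written). The authoritative check is `haproxy -c -f /etc/haproxy/haproxy.cfg`; the script below is an added example, not HAProxy's parser or anything from the thread, that reproduces just those two checks on a constructed, trimmed transcription of the posted config. Its keyword allowlist is a deliberately small heuristic and is an assumption, not HAProxy's full grammar.

```python
"""Heuristic linter for the two classes of mistake visible in the posted config.

Added example, not HAProxy's own parser: the real check is
`haproxy -c -f /etc/haproxy/haproxy.cfg`. The allowlist below is a small
heuristic (an assumption) and will flag valid but uncommon directives.
"""

SECTION_KINDS = {"global", "defaults", "frontend", "backend", "listen"}

# Directives a frontend section commonly starts a line with (heuristic allowlist).
FRONTEND_KEYWORDS = {
    "bind", "log", "mode", "option", "default_backend", "use_backend", "acl",
    "timeout", "maxconn", "http-request", "http-response", "tcp-request",
    "redirect", "capture", "monitor-uri", "stats", "description", "id",
    "disabled", "enabled", "compression", "errorfile", "unique-id-format",
}

# 'bind' options that must be followed by a value, and flag options that take none.
BIND_VALUE_OPTIONS = {"crt", "ciphers", "ca-file", "crl-file", "verify", "alpn", "npn"}
BIND_FLAG_OPTIONS = {"ssl", "no-sslv3", "no-tlsv10", "no-tlsv11", "no-tlsv12",
                     "accept-proxy", "defer-accept", "transparent"}


def parse_sections(text):
    """Split config text into {kind, name, header, lines}; comments and blanks dropped.

    'header' keeps tokens after the section name, so the legacy form
    'frontend name addr:port' is recognised as carrying its own bind address.
    """
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KINDS:
            current = {"kind": tokens[0],
                       "name": tokens[1] if len(tokens) > 1 else tokens[0],
                       "header": tokens[2:], "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append((lineno, tokens))
    return sections


def lint_bind(lineno, tokens, where):
    """Check one 'bind' line: 'ssl' needs a 'crt', and value options need a value."""
    findings = []
    opts = tokens[2:]  # tokens[0] is 'bind', tokens[1] the address
    if "ssl" in opts and "crt" not in opts:
        findings.append(f"line {lineno} ({where}): bind has 'ssl' but no 'crt'")
    for i, tok in enumerate(opts):
        if tok in BIND_VALUE_OPTIONS:
            nxt = opts[i + 1] if i + 1 < len(opts) else None
            if nxt is None or nxt in BIND_VALUE_OPTIONS or nxt in BIND_FLAG_OPTIONS:
                findings.append(f"line {lineno} ({where}): bind option '{tok}' has no value")
    return findings


def lint(text):
    """Return human-readable findings for every frontend section in the config."""
    findings = []
    for sec in parse_sections(text):
        if sec["kind"] != "frontend":
            continue
        where = f"frontend {sec['name']}"
        has_bind = bool(sec["header"])  # legacy 'frontend name addr:port'
        for lineno, tokens in sec["lines"]:
            kw = tokens[0]
            if kw not in FRONTEND_KEYWORDS:
                findings.append(f"line {lineno} ({where}): unknown keyword '{kw}' (typo?)")
                continue
            if kw == "bind":
                has_bind = True
                findings.extend(lint_bind(lineno, tokens, where))
        if not has_bind:
            findings.append(f"{where}: no bind address")
    return findings


# Constructed sample: a trimmed transcription of the failing attempt in the thread.
SAMPLE_CFG = """\
global
daemon

defaults
mode http

frontend for_ssl_clients
bind *:443 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
default_backend varnish

frontend for_varnish *:8443
default_backend drupal_via_ssl

frontend for_evd
local global
bind *:6085 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
default_backend varnish2

backend varnish
server local_varnish 127.0.0.1:80
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run against the sample it reports the `local` keyword in `for_evd` and the empty `ciphers` on both bind lines; the legacy `frontend for_varnish *:8443` header is accepted as a bind address. Once `local` becomes `log` and each `ciphers` gets a list, the findings list is empty, which is the state in which `haproxy -c -f` is worth running.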
I’d suggest specifying the bind IP address and port for each instance. For example, this is a working config on one of my servers (different IPs in my case, but different ports should be the same). I also specify all my SSL requirements in one place, so no-sslv3 goes below the cipher list - I just find it easier to read.
Thanks Josh, I have tried doing this earlier, but the main site does not work, let alone the SSL encryption on the secondary server. This was the reason I raised the issue.
Well, I can confirm from experience that binding the same cert to two IPs on two separate frontends uses the same memory as binding it to two IPs in the same frontend, so if you can get that config working, it may be your best option.
The configuration is working: I can run the main application on port 443, and the secondary application using port 80 to run it on port 6085. I attached the configuration to this issue, above. The current issue of our main interest lies in encrypting the secondary server with the same SSL certificate, such that instead of using port 80 to run it on port 6085, we make use of SSL port 443 to run the application on port 6085.
Hi Josh, I solved the problem. All I needed was to create a new port, say 9045, as an entry in the frontend configuration.
Since the secondary application listens on port 6085, I used this as the backend to the entry of the port. This is where I bound the certificate.
The added configuration is similar to this, should anyone have this issue in the future.
frontend for_evd
log global
bind 10.0.0.1:9045 ssl crt /etc/ssl/haproxy.pem no-sslv3 ciphers
default_backend varnish2
# The Backend varnish2
backend varnish2
log global
server local_varnish 127.0.0.1:6085
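Putting Josh's two suggestions (an explicit IP:port on every bind, TLS settings written once rather than on each bind line) together with the layout that finally worked gives the configuration below. It is an added example, not the poster's or Josh's actual config: the address 10.0.0.1, the certificate path and ports are taken from the thread, while the cipher list, the `ssl-default-bind-*` globals and the `X-Forwarded-Proto` header are assumptions about a sensible deployment. `ssl-default-bind-options` and `ssl-default-bind-ciphers` are real HAProxy global directives that every `bind ... ssl` inherits, so the per-bind `no-sslv3 ciphers ...` repetition disappears.

```haproxy
# Added example: one certificate, two TLS ports, TLS policy set once in 'global'.
global
    log 127.0.0.1 local2 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # Inherited by every 'bind ... ssl' below; assumed policy, adjust to yours.
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    mode http
    log global
    option httplog
    option forwardfor except 127.0.0.0/8
    timeout connect 15s
    timeout client 1m
    timeout server 1m

# Main site: TLS terminated here, plain HTTP to Varnish on the loopback address.
frontend for_ssl_clients
    bind 10.0.0.1:443 ssl crt /etc/ssl/haproxy.pem
    # Assumed: lets the application behind Varnish know the client used https.
    http-request set-header X-Forwarded-Proto https
    default_backend varnish

# Monitoring UI: the same certificate file on a second port, TLS terminated here,
# plain HTTP to the monitoring application on 127.0.0.1:6085.
frontend for_evd
    bind 10.0.0.1:9045 ssl crt /etc/ssl/haproxy.pem
    http-request set-header X-Forwarded-Proto https
    default_backend varnish2

backend varnish
    server local_varnish 127.0.0.1:80

backend varnish2
    server local_monitor 127.0.0.1:6085
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then confirm from a client that `openssl s_client -connect www.domainname.com:443` and `openssl s_client -connect www.domainname.com:9045` present the same certificate. One point the thread leaves open: the monitoring application is still listening in plain HTTP on 6085, so unless it binds only to 127.0.0.1 or the host firewall blocks that port from outside, the new TLS port simply sits next to an unencrypted path to the same content; closing the plaintext port is what makes 9045 the only way in.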