Hi, I’m trying to share a TCP/443 port with HTTPS webservers and an SSTP server.
I tried stuff like:
acl SSTP method SSTP_DUPLEX_POST
use_backend SSTPServer if SSTP
But it’s not working - the SSTP client disconnects very quickly after the logon attempt (which seems similar to what happens when there isn’t any of this SSTP config stuff).
I’m basing this from Microsoft’s docs: 4.3 SSTP Layer Establishment.
Is the SSTP_DUPLEX_POST method or the large Content-Length (18446744073709551615) causing problems with HAProxy, and does there need to be additional stuff to get HAProxy to allow/ignore it?
HTTPS is encrypted. That means you cannot access its contents, unless you decrypt it first.
You may be able to make routing decisions based on the SNI value in the SSL handshake, this could work if the hostnames are all different and the certificates do not overlap.
> HTTPS is encrypted. That means you cannot access its contents, unless you decrypt it first.
I may not be able to but HAProxy should since it usually decrypts the stuff. Otherwise how can HAProxy see the methods, hostnames, paths and other stuff supplied by the client?
My understanding of PR-- and NOSRV is that the 400 is the proxy’s decision, not the backend’s (and there’s no traffic to the backend)…
So my guess is HAProxy doesn’t like the request for some reason and says it’s an invalid request. Is there a way to get HAProxy to accept that request? Add SSTP_DUPLEX_POST to an allowed method, ignore/accept the 18446744073709551615 Content-Length?
After doing some tests with openssl s_client it seems that HAProxy will talk to the backend if the method is SSTP_DUPLEX_POST AND the content-length is omitted or the content-length is a small enough number. But HAProxy will not talk to the backend if the Content-Length is 18446744073709551615.
However the Content-Length has to be 18446744073709551615 for SSTP. Any suggestions on getting HAProxy to work with or ignore and pass through such a Content-Length?
Not sure what you are doing with openssl s_client. What I mean is that you need to configure haproxy to intercept SSL, by installing an SSL certificate on haproxy. Re-encrypt in the backend section if necessary.
Then haproxy needs to be in TCP mode, because SSTP is not HTTP (that’s why you see PR, it means invalid HTTP syntax).
You should be able to make a routing decision based on ACLs, like HTTP.
The limit appears to be 9223372036854775807. Is there a way for me to increase/bypass the Content-Length limit for HAProxy so it accepts 18446744073709551615?
Basically I created a TLS/TCP front end that checks the TCP request. If it matches SSTP_DUPLEX_POST, then use the SSTP backend; if it doesn’t match, then use the “normal” HAProxy frontend for websites.
I suspect it would also work (and work better) if HAProxy has an option to ignore or accept a Content-Length of 18446744073709551615.
I’m trying to do the same thing but it doesn’t work. All requests are sent to the default backend. Did you perform SSL offloading to decrypt on the frontend and re-encrypt on the backend server before you were able to route the SSTP request?
I’m using haproxy on pfsense and I had to set a custom acl… in the config file I can find this:
frontend FrontendTCP-Agenzia
bind 10.3.5.35:443 name 10.3.5.35:443
bind /tmp/haproxy_chroot/FrontendTCP-Agenzia.socket name unixsocket uid 80 accept-proxy
mode tcp
log global
timeout client 360000
tcp-request inspect-delay 100ms
tcp-request content capture req.payload(0,16) len 16
acl SSTP req.payload(0,16) -m str SSTP_DUPLEX_POST
use_backend SSTPSERVER_ipvANY if SSTP
default_backend WAPSERVER_ipvANY
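To show the complete shape of the setup described earlier in the thread (TLS terminated on a TCP-mode frontend, first 16 bytes of the decrypted payload checked for SSTP_DUPLEX_POST, everything else handed to a normal HTTP-mode frontend), here is an added example configuration. It is not from any poster in this thread and not from pfSense; the certificate path, the SSTP server address 192.0.2.10, the unix socket path and the backend names are all assumptions. The point of keeping the first hop in TCP mode is that HAProxy's HTTP parser never sees the SSTP request, so the Content-Length of 18446744073709551615 (which exceeds 9223372036854775807, i.e. 2^63-1, the limit the poster observed) is never parsed and never produces the PR-- 400.

```haproxy
# Added example, not from the thread: one TCP/443 listener shared by SSTP and HTTPS.

frontend tls_in
    mode tcp
    # TLS is terminated here so that req.payload sees plaintext.
    # /etc/haproxy/certs/site.pem is a placeholder path.
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Wait up to 5s for the client's first bytes before deciding.
    tcp-request inspect-delay 5s
    # SSTP always starts its request with this method name.
    acl is_sstp req.payload(0,16) -m str SSTP_DUPLEX_POST
    # Stop waiting as soon as we have recognised either SSTP or ordinary HTTP.
    tcp-request content accept if is_sstp
    tcp-request content accept if HTTP
    use_backend be_sstp if is_sstp
    default_backend be_web_hop

backend be_sstp
    mode tcp
    # Re-encrypt towards the SSTP server (hypothetical address 192.0.2.10).
    # "verify none" is used only so the example runs without a CA bundle;
    # point "verify required ca-file ..." at the server's CA in production.
    server sstp 192.0.2.10:443 ssl verify none check

backend be_web_hop
    mode tcp
    # Hand non-SSTP connections to the HTTP-mode frontend over a local socket,
    # passing the original client address with the PROXY protocol.
    server web_frontend unix@/var/run/haproxy-web.sock send-proxy-v2

frontend web
    mode http
    bind unix@/var/run/haproxy-web.sock accept-proxy
    # Normal HTTP routing happens here, e.g. by Host header.
    acl host_a req.hdr(host) -i a.example.test
    use_backend be_web_a if host_a
    default_backend be_web_default

backend be_web_a
    mode http
    server a 192.0.2.21:8080 check

backend be_web_default
    mode http
    server d 192.0.2.22:8080 check
```

Compared with the pfSense snippet just above, the two additions that matter are the `ssl crt` on the bind (without it `req.payload` inspects the TLS record, not the request line, and the ACL never matches) and the second hop through a unix socket so that ordinary web traffic still gets HTTP-mode ACLs. The `tcp-request content accept if HTTP` line keeps ordinary browsers from sitting through the full inspect-delay.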