HAProxy community

[SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it


#1

Good day, friends.

Almost all of it is in the title.
How do I configure my little zoo of, say, containers to work correctly behind one proxy? I have a separate certificate for every subdomain of every domain; I do not plan to use plain HTTP, only HTTPS; I do not plan to terminate SSL on the proxy, so I need SNI.

Where can I find a working example of the config file for my case, or at least a base to start from and to ask question(s) about? I tried some variants from the various examples I found, but none of them worked as expected.

Thank you in advance.


#2

The frontend and backend need to be in TCP mode; you match a TLS session with TCP content rules and then you match the SNI field in it:

    frontend https-in
        mode tcp
        bind :443
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend backend1 if { req_ssl_sni -i test1.example.org }
        use_backend backend2 if { req_ssl_sni -i test2.example.org }
        use_backend backend3 if { req_ssl_sni -i test3.example.org }

Always take care that your certificates don’t overlap with each other, otherwise the browser will reuse existing TLS sessions for what is allowed by the certificate.


#3

Hello!
Thank you for your response.

I see these repetitive lines in haproxy.log (10 per connection attempt, the port number increases):

    Oct 30 19:39:59 scorry haproxy[18943]: XX.XX.XX.XX:34152 [30/Oct/2018:19:39:59.229] https-in~ https-in/<NOSRV> -1/-1/729 0 SC 1/1/0/0/0 0/0

For the sake of clarity, I deleted all the pem files except one, but it didn’t change anything.
And the sites are accessible from the LAN over HTTPS, so the certs/webserver part seems to be working well.


#4

That means the server is unreachable. Can you share the config?


#5

Yes, here it is.


#6

Ok, from the haproxy instance, try curl against this backend server and provide the output:

curl -vk https://192.168.0.55/

#7

Yep, that’s it.


#8

Well, it looks like haproxy is unable to access those backend servers while curl can reach them just fine.

I suggest you run haproxy through strace -tt for a short period of time while you reproduce it. That output will show exactly what the system calls return. I assume that there is something intervening at the system level, like SELinux or something like that.


#9

OK, thank you again.

I reproduced it. The command line was:

    strace -tt haproxy -f /etc/haproxy/haproxy.cfg -d &> haproxy_strace.log

Result here.
I opened in Firefox one domain, https version of it, subdomain_1, https://subdomain_1, subdomain_2, and https://subdomain_2.

BTW, http portion of haproxy config works well.


#10

Ok, I found an issue in your configuration that I did not see at first:

You configured the https frontend with TLS termination (ssl crt /var/lib/haproxy/private/ after the bind :443), which means haproxy decrypts TLS here. But you are then passing everything as is to port 443 on your backends, without re-encryption (so you are sending plaintext HTTP to an HTTPS port).

You can either:

  • keep terminating TLS on haproxy, but send cleartext traffic to port 80 of your backend servers (just reuse the plaintext backends you already have for http)
  • keep terminating TLS on haproxy, but re-encrypt TLS vs your backends (add ssl and ca-file options to your servers)
  • just passthrough TCP port 443 without terminating it (just drop ssl crt /var/lib/haproxy/private/ from your bind line)
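
The complete configuration below is an added example, not the config posted in this thread, written to show the third option (TCP passthrough with SNI routing, the approach from post #2) as a full file, with the first and second options (terminate, or terminate and re-encrypt) shown as commented alternatives. The hostnames app1.example.org and app2.example.org, the backend addresses 192.168.0.55 and 192.168.0.56, and the CA path /etc/haproxy/ca.pem are placeholders; only /var/lib/haproxy/private/ is taken from the thread.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Plain HTTP is not served; everything is pushed to HTTPS.
frontend http-in
    mode http
    bind :80
    http-request redirect scheme https code 301

# TLS passthrough: no "ssl crt" on the bind line, so haproxy never
# decrypts anything. It only reads the SNI from the ClientHello, which
# is sent in cleartext before the handshake is encrypted.
frontend https-in
    mode tcp
    bind :443
    option tcplog
    # Wait up to 5s for the ClientHello (hello type 1) before deciding.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the SNI hostname. A ClientHello whose SNI matches none of
    # these (or carries no SNI) gets no backend: haproxy closes the
    # connection and logs it with <NOSRV>, as seen earlier in this thread.
    use_backend app1_tls if { req_ssl_sni -i app1.example.org }
    use_backend app2_tls if { req_ssl_sni -i app2.example.org }

# Backends stay in TCP mode and point at the backends' HTTPS port, with
# no "ssl" keyword: the bytes are already TLS, we just forward them.
# Each backend presents its own certificate, so the certificates must
# not overlap (post #2), or the browser may reuse a session across hosts.
backend app1_tls
    mode tcp
    server app1 192.168.0.55:443 check

backend app2_tls
    mode tcp
    server app2 192.168.0.56:443 check

# Alternative (options 1 and 2 from post #10): terminate TLS on haproxy.
# Replace the https-in frontend and backends above with something like:
#
# frontend https-in
#     mode http
#     bind :443 ssl crt /var/lib/haproxy/private/
#     # After termination the SNI is read from the handshake haproxy did:
#     use_backend app1_http if { ssl_fc_sni -i app1.example.org }
#
# backend app1_http
#     mode http
#     # Option 1: cleartext to the backend's HTTP port.
#     server app1 192.168.0.55:80 check
#     # Option 2: re-encrypt towards the backend's HTTPS port and verify
#     # its certificate against a CA bundle (placeholder path). Do NOT
#     # point a plaintext server line at port 443; that is the mistake
#     # diagnosed in this thread.
#     # server app1 192.168.0.55:443 ssl verify required ca-file /etc/haproxy/ca.pem sni str(app1.example.org) check
```

With the passthrough variant, haproxy cannot inspect or log HTTP requests, cannot add headers such as X-Forwarded-For, and cannot enforce anything beyond the hostname; every backend is responsible for its own certificate and TLS settings. The termination variant moves all of that onto haproxy, at the cost of haproxy holding every private key, and in the re-encrypt form `verify required` with a `ca-file` is what makes the backend hop resistant to a spoofed server rather than merely encrypted.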

#11

Thank you very, VERY much.
All is working as expected!


#12

really glad you guys have found help. wondering if it would work for me. may i come back with questions in case there’s something that goes wrong? or i might update the good news if it happens. thanks.


#13

thanks for sharing. hopefully it will work for me too