SSL certificate verify on specific domain with SNI

Hi,

I am on haproxy 1.7.5 (Debian) and try to set up what is mentioned here:
"how-to-set-ssl-verify-client-for-specific-domain-name"
My haproxy is located behind a firewall and requests are NATed.

I'd like to have some users that are not in the networks_allowed list present a certificate.
Others should be routed without a certificate.

But on loading the page, Firefox complains about SSL_ERROR_RX_RECORD_TOO_LONG,
and the logs show:

x.x.x.x:50741 [04/Oct/2017:14:32:17.145] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0
x.x.x.x:50740 [04/Oct/2017:14:32:17.146] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0
x.x.x.x:50743 [04/Oct/2017:14:32:19.704] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0

which looks like some backend is not found or a condition is not met…

My config is as follows:

global
  log 127.0.0.1:514 local0 info
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon
  maxconn 2048
  tune.ssl.default-dh-param 2048
  ssl-dh-param-file /etc/haproxy/dhparams.pem

  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-default-bind-options no-sslv3 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-default-server-options no-sslv3 no-tls-tickets

defaults
  log global
  mode http
  balance roundrobin
  option httplog
  option dontlognull
  option forwardfor
  option http-server-close
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

frontend http_80
  mode http
  bind :80
  timeout http-request 5s
  
  acl acl_letsencrypt_http path_beg /.well-known/acme-challenge/
  use_backend backend_letsencrypt if acl_letsencrypt_http

  acl acl_dx hdr(host) -i dx.domain.com
  acl acl_manikin hdr(host) -i manikin.domain.com
  acl acl_publish hdr(host) -i publish.domain.com
  acl acl_publish-edeka hdr(host) -i publish-edeka.domain.com
  acl acl_zws hdr(host) -i zws.domain.com
  acl acl_easyjob hdr(host) -i easyjob.domain.com
  
  # Define a rule to detect SSL
  acl acl_hasSSL ssl_fc

  # Use rule acl_hasSSL to detect SSL and if not redirect to https
  redirect scheme https if !acl_hasSSL acl_zws !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_easyjob !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_dx !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_manikin !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_publish-edeka !acl_letsencrypt_http

  # Define non-SSL hosts that should be directed to their backend directly
  use_backend backend_publish if acl_publish

# intermediate frontend to handle client certificates when "verify required" externally
frontend https_tcp_443
  bind :443
  option tcplog
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  acl networks_allowed src 192.168.124.0/24 192.168.126.0/24 192.168.127.0/24 192.168.223.0/24 192.168.224.0/24 172.20.3.0/24 172.20.4.0/22 172.20.8.0/22

  use_backend loop_clientcertenabled if { req_ssl_sni -i zws.domain.com or req_ssl_sni -i zws.domain.com } !networks_allowed
  default_backend loop_default

backend loop_clientcertenabled
  server loopback-for-tls abns@ssl_clientcert send-proxy-v2
backend loop_default
  server loopback-for-tls abns@ssl_default send-proxy-v2

frontend https_443_clientcert
  mode http
  bind abns@ssl_clientcert accept-proxy crt-list /etc/haproxy/certmappings.list ssl verify required ca-file /etc/haproxy/cacert.pem
  http-response set-header Strict-Transport-Security max-age=15768000
  
  # acl definition to check whether the user provided a certificate
  acl has_cert ssl_fc_has_crt

  # acl definition to check expiry of certificate
  acl valid_cert_expired ssl_c_verify 10

  use_backend backend_zws if { req_ssl_sni -i zws.domain.com } has_cert !valid_cert_expired
  use_backend backend_easyjob if { req_ssl_sni -i easyjob.domain.com } has_cert !valid_cert_expired

frontend https_443_default
  mode http
  bind abns@ssl_default accept-proxy crt-list /etc/haproxy/certmappings.list ssl
  http-response set-header Strict-Transport-Security max-age=15768000

  # define backends and conditionals
  use_backend backend_dx if { ssl_fc_sni dx.domain.com }
  use_backend backend_manikin if { ssl_fc_sni manikin.domain.com }
  use_backend backend_publish if { ssl_fc_sni publish.domain.com }
  use_backend backend_publish-edeka if { ssl_fc_sni publish-edeka.domain.com }
  use_backend backend_zws if { ssl_fc_sni zws.domain.com }
  use_backend backend_easyjob if { ssl_fc_sni easyjob.domain.com }

backend backend_letsencrypt
  mode http
  server localhost 127.0.0.1:8080

backend backend_dx
  mode http
  server dx 192.168.99.4:80

backend backend_manikin
  mode http
  server manikin-srv 172.20.4.255:80

backend backend_publish-edeka
  mode http
  server publish-edeka 192.168.99.32:80

backend backend_zws
  mode http
  server zws 192.168.99.9:80

backend backend_easyjob
  mode http
  server easyjob 172.20.3.26:80

Any help is greatly appreciated.

What warnings do you see when haproxy is starting? It is very important to consider those warnings.

I would first of all remove “mode http” from the default section, as that has a negative impact on “frontend https_tcp_443”. In fact, what PR in your log line means is:

 PR   The proxy blocked the client's HTTP request, either because of an
      invalid HTTP syntax [...]

This means haproxy is trying to parse HTTP here instead of treating this as TCP only, which is why you need to remove “mode http” from the default section (or set “mode tcp” in this frontend).

Changed the default http mode (removed it), and those backends that are not part of the certificate verification do work now. Thanks.
But those in the backend “loop_clientcertenabled” throw a 503:

https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 21/0/0/0/0 0/0 "GET / HTTP/1.1"
x.x.x.x:50838 [04/Oct/2017:20:43:18.749] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/36 410 -- 20/10/0/0/0 0/0

The docs say that the TCP connection is explicitly refused by the backend. It does this when I access it via:

use_backend loop_clientcertenabled if { req_ssl_sni -i zws.domain.com or req_ssl_sni -i easyjob.domain.com } !networks_allowed
(which had a typo and should be zws.domain.com or easyjob.domain.com)

It works when accessed via backend loop_default.
The backend is the same, so I assume there is a problem with certificate validation?

Start with a less complicated configuration in “frontend https_443_clientcert”, because client certificate verification is complex enough. Don’t use this for production of course.

  • use a default_backend in that frontend, to exclude the ACLs
  • use “ca-ignore-err all” [1] on the bind line (for troubleshooting)
  • important: make sure you have a dedicated certificate for the domains with client validation, because if they have overlapping SANs (or simply are just one certificate), SNI routing won’t work correctly (if a certificate contains a number of SANs, a browser will assume it can reach all SAN domains over the same TLS connection, but SNI routing only occurs at the beginning with the client_hello, breaking the assumption that the browser will use the current TLS session for specific hostnames/SNIs only)

OK, managed to get it running until the login of the application.
The TCP frontend https_tcp_443 uses:

use_backend loop_clientcertenabled if { req_ssl_sni -i zws.domain.com or req_ssl_sni -i easyjob.domain.com } !networks_allowed

with req_ssl_sni -i to route via SNI

The HTTP frontend https_443_clientcert now uses:
use_backend backend_zws if { ssl_fc_sni zws.domain.com } has_cert !valid_cert_expired
ssl_fc_sni seems to make a difference.

But still my application throws SC and 503 when clicking something.
The logs (from entering https://zws.domain.com, presenting the client cert, logging in and finally clicking something):

x.x.x.x:51106 [04/Oct/2017:23:02:00.034] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 10/5/1/1/0 0/0
x.x.x.x:51106 [04/Oct/2017:23:02:02.327] https_443_clientcert~ backend_zws/zws 0/0/1/0/1 200 781 - - --NN 10/1/0/1/0 0/0 "GET / HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:02.404] https_443_clientcert~ backend_zws/zws 0/0/0/1/2 200 158384 - - --NN 10/1/0/0/0 0/0 "GET /atosscsd_logo_de.jpg HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:03.530] https_443_clientcert~ backend_zws/zws 0/0/0/1/1 200 2084 - - --NR 10/1/0/0/0 0/0 "GET /atc/client HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:04.136] https_443_clientcert~ backend_zws/zws 0/0/0/115/115 200 4815 - - --VN 10/1/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:07.069] https_443_clientcert~ backend_zws/zws 0/0/1/1/2 200 213 - - --VN 10/1/0/1/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:07.557] https_443_clientcert~ backend_zws/zws 0/0/0/1/1 200 184 - - --VN 10/1/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:10.245] https_443_clientcert~ backend_zws/zws 0/0/0/540/540 200 46070 - - --VN 10/1/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.067] https_443_clientcert~ backend_zws/zws 0/0/1/0/1 200 888 - - --VN 10/1/0/0/0 0/0 "GET /atc/rwt-resources/generated/f0f2164a.png HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.083] https_443_clientcert~ backend_zws/zws 0/0/0/1/1 200 1307 - - --VN 10/1/0/1/0 0/0 "GET /atc/rwt-resources/themes/images/541d109a.gif HTTP/1.1"
x.x.x.x:51111 [04/Oct/2017:23:02:12.086] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 14/7/3/3/0 0/0
x.x.x.x:51107 [04/Oct/2017:23:02:12.086] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 14/7/3/3/0 0/0
x.x.x.x:51109 [04/Oct/2017:23:02:12.088] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 16/8/4/4/0 0/0
x.x.x.x:51110 [04/Oct/2017:23:02:12.090] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 19/10/5/5/0 0/0
x.x.x.x:51108 [04/Oct/2017:23:02:12.090] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 20/10/6/6/0 0/0
x.x.x.x:51106 [04/Oct/2017:23:02:12.099] https_443_clientcert~ backend_zws/zws 0/0/0/0/0 200 432 - - --VN 20/6/0/0/0 0/0 "GET /atc/rwt-resources/generated/4112fa58.gif HTTP/1.1"
x.x.x.x:51111 [04/Oct/2017:23:02:12.103] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 19/5/0/0/0 0/0 "GET /atc/rwt-resources/generated/869c330b.png HTTP/1.1"
x.x.x.x:51107 [04/Oct/2017:23:02:12.104] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/1 503 213 - - SC-- 18/4/0/0/0 0/0 "GET /atc/rwt-resources/generated/8a6937ee.png HTTP/1.1"
x.x.x.x:51109 [04/Oct/2017:23:02:12.105] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 17/3/0/0/0 0/0 "GET /atc/rwt-resources/generated/63c4e2a3.png HTTP/1.1"
x.x.x.x:51110 [04/Oct/2017:23:02:12.107] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 16/2/0/0/0 0/0 "GET /atc/rwt-resources/generated/57340c0d.gif HTTP/1.1"
x.x.x.x:51108 [04/Oct/2017:23:02:12.108] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 15/1/0/0/0 0/0 "GET /atc/rwt-resources/generated/8566bc58.gif HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.115] https_443_clientcert~ backend_zws/zws 0/0/0/0/0 200 577 - - --VN 15/1/0/1/0 0/0 "GET /atc/rwt-resources/generated/284faef4.gif HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.131] https_443_clientcert~ backend_zws/zws 0/0/0/0/0 200 3084 - - --VN 10/1/0/0/0 0/0 "GET /atc/rwt-resources/themes/images/afa52be2.png HTTP/1.1"
x.x.x.x:51114 [04/Oct/2017:23:02:12.137] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 12/6/2/2/0 0/0
x.x.x.x:51113 [04/Oct/2017:23:02:12.139] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 14/7/3/3/0 0/0
x.x.x.x:51112 [04/Oct/2017:23:02:12.140] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 16/8/4/4/0 0/0
x.x.x.x:51115 [04/Oct/2017:23:02:12.141] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 18/9/5/5/0 0/0
x.x.x.x:51116 [04/Oct/2017:23:02:12.147] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 20/10/6/6/0 0/0
x.x.x.x:51106 [04/Oct/2017:23:02:12.147] https_443_clientcert~ backend_zws/zws 0/0/0/1/1 200 368 - - --VN 20/6/0/1/0 0/0 "GET /atc/rwt-resources/generated/6a55429.gif HTTP/1.1"
x.x.x.x:51114 [04/Oct/2017:23:02:12.152] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 19/5/0/0/0 0/0 "GET /atc/rwt-resources/generated/5461c8ae.gif HTTP/1.1"
x.x.x.x:51113 [04/Oct/2017:23:02:12.157] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 18/4/0/0/0 0/0 "GET /atc/rwt-resources/generated/be6b0ab3.gif HTTP/1.1"
x.x.x.x:51115 [04/Oct/2017:23:02:12.158] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 17/3/0/0/0 0/0 "GET /atc/rwt-resources/themes/images/ae8b4acf.png HTTP/1.1"
x.x.x.x:51112 [04/Oct/2017:23:02:12.159] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 16/2/0/0/0 0/0 "GET /atc/rwt-resources/generated/a26185ab.png HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.163] https_443_clientcert~ backend_zws/zws 0/0/0/1/1 200 3123 - - --VN 16/2/0/1/0 0/0 "GET /atc/rwt-resources/themes/images/83e5081f.png HTTP/1.1"
x.x.x.x:51116 [04/Oct/2017:23:02:12.165] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 15/1/0/0/0 0/0 "GET /atc/rwt-resources/themes/images/c1d64071.png HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.180] https_443_clientcert~ backend_zws/zws 0/0/0/0/0 200 271 - - --VN 11/1/0/0/0 0/0 "GET /atc/rwt-resources/resource/widget/rap/ctabfolder/minimize.gif HTTP/1.1"
x.x.x.x:51117 [04/Oct/2017:23:02:12.188] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 12/6/2/2/0 0/0
x.x.x.x:51118 [04/Oct/2017:23:02:12.192] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 14/7/3/3/0 0/0
x.x.x.x:51119 [04/Oct/2017:23:02:12.197] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 16/8/4/4/0 0/0
x.x.x.x:51117 [04/Oct/2017:23:02:12.206] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 15/3/0/0/0 0/0 "GET /atc/rwt-resources/generated/ac2f4bf2.png HTTP/1.1"
x.x.x.x:51118 [04/Oct/2017:23:02:12.210] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 14/2/0/0/0 0/0 "GET /atc/rwt-resources/generated/942217c8.png HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.230] https_443_clientcert~ backend_zws/zws 0/0/1/0/1 200 219 - - --VN 12/2/0/1/0 0/0 "GET /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?servicehandler=org.eclipse.rap.serverpush&cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.262] https_443_clientcert~ backend_zws/zws 0/0/0/5/5 200 457 - - --VN 12/2/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"
x.x.x.x:51119 [04/Oct/2017:23:02:12.313] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 11/1/0/0/0 0/0 "GET /atc/rwt-resources/generated/8a00b871.gif HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.305] https_443_clientcert~ backend_zws/zws 0/0/1/109/110 200 219 - - --VN 10/1/0/0/0 0/0 "GET /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?servicehandler=org.eclipse.rap.serverpush&cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.436] https_443_clientcert~ backend_zws/zws 0/0/0/3/3 200 255 - - --VN 10/1/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.461] https_443_clientcert~ backend_zws/zws 0/0/0/254/254 200 219 - - --VN 10/1/0/0/0 0/0 "GET /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?servicehandler=org.eclipse.rap.serverpush&cid=308e2876 HTTP/1.1"
x.x.x.x:51106 [04/Oct/2017:23:02:12.735] https_443_clientcert~ backend_zws/zws 0/0/1/3/4 200 184 - - --VN 10/1/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"
x.x.x.x:51120 [04/Oct/2017:23:02:14.374] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 12/6/2/2/0 0/0
x.x.x.x:51120 [04/Oct/2017:23:02:14.392] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 11/1/0/0/0 0/0 "POST /atc/client;jsessionid=1sa145ldx0bi32iyqz1scf8tk?cid=308e2876 HTTP/1.1"

Now reading your unexpectedly prompt answer, lukastribus.

But could it be something with the session cookie (JSESSIONID)?

Thanks
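To read termination states like the PR and SC-- in the logs above mechanically, here is a small parser for the tcplog/httplog lines quoted in this thread, added as an illustration (it is not from the thread or from HAProxy). The sample lines are copied from the posts above, and the two diagnoses encode the causes identified in the thread: an HTTP parser running in a frontend that should be mode tcp, and a request that matched no use_backend rule.

```python
import re
from typing import Optional

# "option tcplog" line as written by HAProxy 1.7 (fields per docs section 8.2.2).
TCPLOG = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S*) (?P<timers>\S+) (?P<bytes>\S+) '
    r'(?P<term>\S{2}) (?P<conns>\S+) (?P<queues>\S+)$')
# "option httplog" line; a trailing "~" on the frontend name marks an SSL bind.
HTTPLOG = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>\S+) (?P<status>\d{3}) '
    r'(?P<bytes>\d+) (?P<reqcookie>\S+) (?P<rspcookie>\S+) (?P<term>\S{4}) '
    r'(?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"$')

def parse_line(line: str) -> Optional[dict]:
    """Fields of one log line, or None if it is not a complete tcplog/httplog line
    (the first 503 line quoted in the thread lost its client/timestamp prefix)."""
    for fmt, rx in (("http", HTTPLOG), ("tcp", TCPLOG)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["format"], rec["ssl"] = fmt, rec["frontend"].endswith("~")
            rec["frontend"] = rec["frontend"].rstrip("~")
            return rec
    return None

def diagnose(rec: dict) -> Optional[str]:
    """Map the termination state to the two routing failures seen in this thread."""
    term = rec["term"]
    if rec["format"] == "tcp" and term.startswith("PR"):
        # PR: the proxy blocked the request in the request phase, i.e. an HTTP
        # parser ran on raw TLS bytes, so the frontend is not really in mode tcp.
        return ("%s: HTTP parser rejected TLS bytes; frontend inherits 'mode http' "
                "(set 'mode tcp' here or remove it from defaults)" % rec["frontend"])
    if (rec["format"] == "http" and rec["server"] == "<NOSRV>"
            and rec["backend"] == rec["frontend"] and term.startswith("SC")):
        # Backend == frontend and <NOSRV>: no use_backend rule matched and no
        # default_backend exists, so haproxy answered the 503 by itself.
        return ("%s: no backend selected for %r (status %s); check the use_backend "
                "ACLs or add a default_backend" % (rec["frontend"], rec["request"], rec["status"]))
    return None

def routing_failures(lines) -> list:
    """(client, diagnosis) for every parseable line that shows a routing failure."""
    out = []
    for line in lines:
        rec = parse_line(line)
        why = diagnose(rec) if rec else None
        if why:
            out.append((rec["client"], why))
    return out

# Sample lines copied from the thread above (client address already masked there).
SAMPLE = [
    'x.x.x.x:50741 [04/Oct/2017:14:32:17.145] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0',
    'x.x.x.x:51106 [04/Oct/2017:23:02:00.034] https_tcp_443 loop_clientcertenabled/loopback-for-tls 1/0/+0 +0 -- 10/5/1/1/0 0/0',
    'x.x.x.x:51106 [04/Oct/2017:23:02:02.327] https_443_clientcert~ backend_zws/zws 0/0/1/0/1 200 781 - - --NN 10/1/0/1/0 0/0 "GET / HTTP/1.1"',
    'x.x.x.x:51111 [04/Oct/2017:23:02:12.103] https_443_clientcert~ https_443_clientcert/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 19/5/0/0/0 0/0 "GET /atc/rwt-resources/generated/869c330b.png HTTP/1.1"',
]
```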

Right, when terminating/deciphering SSL, you have to use ssl_fc_sni (gets SNI from the OpenSSL API).
When passing it through via TCP mode, you have to use req_ssl_sni (parses SNI in a TCP packet).

Ok, now that we fixed SNI routing, please do retry without use_backend and ACL directives, just with:
default_backend backend_zws

Because while it wasn’t the reason for the previous problem, it may be the reason for the current problem. Like I said, you need to simplify things, get a working configuration, and then you can enable ACL restrictions later. You will be faster that way, and find culprits faster.
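As an added illustration, not part of the thread or of HAProxy, here is a small lint over an haproxy.cfg that applies the two rules from this thread: req_ssl_sni/req_ssl_hello_type only make sense where TLS passes through untouched in mode tcp, and ssl_fc_sni only where the bind line carries the ssl keyword. The sample config is constructed from the thread's first config, trimmed to the relevant lines; the section names and paths are the thread's own.

```python
import re

def parse_sections(text: str) -> list:
    """Split an haproxy.cfg into (kind, name, lines) tuples, comments stripped."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r'^(global|defaults|frontend|backend|listen)\b\s*(\S*)', line)
        if head:
            cur = (head.group(1), head.group(2), [])
            sections.append(cur)
        elif line and cur is not None:
            cur[2].append(line)
    return sections

def effective_mode(lines, inherited):
    """A section's own 'mode', else the inherited one (haproxy's built-in default is tcp)."""
    return next((l.split()[1] for l in lines if l.startswith("mode ")), inherited)

def lint(text: str) -> list:
    """(frontend, message) for each SNI-fetch / mode mismatch discussed in the thread."""
    sections = parse_sections(text)
    default_mode = "tcp"
    for kind, _, lines in sections:
        if kind == "defaults":
            default_mode = effective_mode(lines, default_mode)
    findings = []
    for kind, name, lines in sections:
        if kind not in ("frontend", "listen"):
            continue
        mode = effective_mode(lines, default_mode)
        # 'ssl' as a bind keyword means this frontend terminates TLS itself.
        terminates = any(l.startswith("bind ") and "ssl" in l.split() for l in lines)
        body = " ".join(lines)
        uses_raw = "req_ssl_sni" in body or "req_ssl_hello_type" in body
        if uses_raw and not terminates and mode == "http":
            findings.append((name, "passes TLS through but runs in mode http (inherited from defaults?); add 'mode tcp' or the HTTP parser rejects the ClientHello (PR in the logs)"))
        if uses_raw and terminates:
            findings.append((name, "req_ssl_* inspects raw TCP bytes, but this bind terminates TLS: use ssl_fc_sni"))
        if "ssl_fc_sni" in body and not terminates:
            findings.append((name, "ssl_fc_sni needs a terminated TLS session, but this frontend passes TLS through: use req_ssl_sni"))
    return findings

# Constructed from the thread's first config, trimmed to the lines that matter.
SAMPLE_CFG = """
defaults
  mode http
frontend https_tcp_443
  bind :443
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend loop_clientcertenabled if { req_ssl_sni -i zws.domain.com }
frontend https_443_clientcert
  mode http
  bind abns@ssl_clientcert accept-proxy crt-list /etc/haproxy/certmappings.list ssl verify required ca-file /etc/haproxy/cacert.pem
  use_backend backend_zws if { req_ssl_sni -i zws.domain.com } !{ ssl_c_verify 10 }
"""
```

Running lint(SAMPLE_CFG) reports both mistakes the thread worked through; with "mode http" removed from defaults and ssl_fc_sni used in the terminating frontend it reports nothing.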

OK, defined a default_backend backend_zws and commented out the ACLs… and it works as expected!
So the culprit is within the ACLs, as you already guessed.

I have:

acl has_cert ssl_fc_has_crt
acl valid_cert_expired ssl_c_verify 10
use_backend backend_zws if { ssl_fc_sni zws.domain.com } has_cert !valid_cert_expired
use_backend backend_easyjob if { ssl_fc_sni easyjob.domain.com } has_cert !valid_cert_expired

Changed the ssl_fc_sni to hdr(host) -i, as I read about this here: 'Re: SNI vs hdr(host) ACL' - MARC.
Also dropped the ACL has_cert, as it is of no use here. The negated !valid_cert_expired is working.
It would be interesting to know what happened while checking ssl_fc_has_crt, as this is the problem!?

Et voilà, everything seems to work as it should :)

Thank you very much, lukastribus, for your guidance and patience.