HAProxy community

SSL frontend and SSL backends


#1

Hi,

I am trying to set up an HTTPS frontend with an ACL to HTTPS backends for Ubuntu and RHEL private repositories at our company.

When doing so I get TLS errors in the browsers (NET::ERR_CERT_INVALID),
and when doing apt update I get:

gnutls_handshake() failed: The TLS connection was non-properly terminated.

When I use an HTTP frontend with an ACL to the HTTPS backends, it works well.
Server config (the commented parts are the things I tried):

global
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers

backend ubuntu_be
    #server ubunturepo ubrepo:443 ssl verify none
    server ubunturepo ubrepo:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend redhat_be
    #server redhatrepo rhelrepo:443 ssl verify none
    server redhatrepo rhelrepo:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

frontend linuxrepos
    bind    X.X.X.X:443 ssl crt /etc/ssl/private/certificate.combined
    #bind    X.X.X.X:443
    option http-server-close
    option forwardfor
    reqadd X-forwarded-Proto:\ https
    reqadd X-forwarded-Port:\ 443
    rspadd Strict-Transport-Security:\ max-age=15768000
    default_backend ubuntu_be
    acl ubuntu_path path_beg /ubuntu
    acl redhat_path path_beg /rehel
    use_backend redhat_be if redhat_path

Please Advise,
Tal


#2

You need to have the ssl keyword on both server (backend) lines and bind :443 (frontend) configuration lines.

So in theory the configuration you provided would already be perfectly valid. Are you sure you had “bind X.X.X.X:443” commented out when you tried it?

Can you provide the logs?


#3

Yes, it was commented out.
When I run:
haproxy -f /etc/haproxy/haproxy.cfg -V -d

All I see is:

00000004:linuxrepos.accept(0008)=0009 from [X.X.X.X:54353]
00000004:linuxrepos.clicls[0009:ffffffff]
00000004:linuxrepos.closed[0009:ffffffff]
00000005:linuxrepos.accept(0008)=0009 from [X.X.X.X:54648]
00000005:linuxrepos.clicls[0009:ffffffff]
00000005:linuxrepos.closed[0009:ffffffff]

Is there any other way to get more info?

Stats show a lot more info:

00000001:stats.accept(0005)=0009 from [127.0.0.1:53538]
00000001:stats.clireq[0009:ffffffff]: GET /haproxy?stats HTTP/1.1
00000001:stats.clihdr[0009:ffffffff]: Host: localhost:1337
00000001:stats.clihdr[0009:ffffffff]: Connection: keep-alive
00000001:stats.clihdr[0009:ffffffff]: Upgrade-Insecure-Requests: 1
00000001:stats.clihdr[0009:ffffffff]: User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36
00000001:stats.clihdr[0009:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
00000001:stats.clihdr[0009:ffffffff]: Accept-Encoding: gzip, deflate, sdch
00000001:stats.clihdr[0009:ffffffff]: Accept-Language: en-US,en;q=0.8,he;q=0.6
00000001:stats.clicls[0009:ffffffff]
00000001:stats.closed[0009:ffffffff]
00000002:stats.accept(0005)=0009 from [127.0.0.1:53540]
00000002:stats.clireq[0009:ffffffff]: GET /haproxy?stats HTTP/1.1
00000002:stats.clihdr[0009:ffffffff]: Host: localhost:1337
00000002:stats.clihdr[0009:ffffffff]: Connection: keep-alive
00000002:stats.clihdr[0009:ffffffff]: Authorization: Basic YWRtaW46YWRtaW4x
00000002:stats.clihdr[0009:ffffffff]: Upgrade-Insecure-Requests: 1
00000002:stats.clihdr[0009:ffffffff]: User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36
00000002:stats.clihdr[0009:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
00000002:stats.clihdr[0009:ffffffff]: Accept-Encoding: gzip, deflate, sdch
00000002:stats.clihdr[0009:ffffffff]: Accept-Language: en-US,en;q=0.8,he;q=0.6
00000002:stats.srvrep[0009:ffffffff]: HTTP/1.1 200 OK
00000002:stats.srvhdr[0009:ffffffff]: Cache-Control: no-cache
00000002:stats.srvhdr[0009:ffffffff]: Connection: close
00000002:stats.srvhdr[0009:ffffffff]: Content-Type: text/html
00000002:stats.srvhdr[0009:ffffffff]: Refresh: 30
00000002:stats.srvhdr[0009:ffffffff]: Transfer-Encoding: chunked
00000003:stats.clireq[0009:ffffffff]: GET /favicon.ico HTTP/1.1
00000003:stats.clihdr[0009:ffffffff]: Host: localhost:1337
00000003:stats.clihdr[0009:ffffffff]: Connection: keep-alive
00000003:stats.clihdr[0009:ffffffff]: Authorization: Basic YWRtaW46YWRtaW4x
00000003:stats.clihdr[0009:ffffffff]: User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36
00000003:stats.clihdr[0009:ffffffff]: Accept: */*
00000003:stats.clihdr[0009:ffffffff]: Referer: http://localhost:1337/haproxy?stats
00000003:stats.clihdr[0009:ffffffff]: Accept-Encoding: gzip, deflate, sdch
00000003:stats.clihdr[0009:ffffffff]: Accept-Language: en-US,en;q=0.8,he;q=0.6
00000003:stats.clicls[0009:ffffffff]
00000003:stats.closed[0009:ffffffff]
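Reading those debug lines (an added editor's example, not something either poster wrote): in `haproxy -d` output every session logs accept, then clireq/clihdr once a request has been parsed, then clicls/closed. The linuxrepos sessions above go straight from accept to clicls/closed with no clireq, while the stats sessions show complete requests. On an `ssl` bind, HAProxy cannot parse a request until the TLS handshake has completed, so that pattern means the connection ended before any HTTP arrived, which is consistent with a handshake the client aborted. The script below groups debug lines by session id and flags sessions that closed before any request; the sample input is copied from the lines in this post.

```python
"""Triage HAProxy `-d` debug output: find sessions that were accepted and
closed without HAProxy ever parsing an HTTP request (no clireq event).

Added example for this thread, not HAProxy's own tooling. The SAMPLE lines are
copied from the debug output posted in the thread; the event names are the
ones HAProxy 1.x prints in debug mode.
"""
import re
from collections import defaultdict

# "<session id>:<proxy name>.<event>..." e.g. "00000004:linuxrepos.clicls[0009:ffffffff]"
LINE_RE = re.compile(
    r"^(?P<sid>[0-9a-f]{8}):(?P<proxy>.+?)\."
    r"(?P<event>accept|clireq|clihdr|srvrep|srvhdr|clicls|srvcls|closed)\b"
)

# Sample input: lines taken from the debug output posted above.
SAMPLE = """\
00000004:linuxrepos.accept(0008)=0009 from [X.X.X.X:54353]
00000004:linuxrepos.clicls[0009:ffffffff]
00000004:linuxrepos.closed[0009:ffffffff]
00000005:linuxrepos.accept(0008)=0009 from [X.X.X.X:54648]
00000005:linuxrepos.clicls[0009:ffffffff]
00000005:linuxrepos.closed[0009:ffffffff]
00000002:stats.accept(0005)=0009 from [127.0.0.1:53540]
00000002:stats.clireq[0009:ffffffff]: GET /haproxy?stats HTTP/1.1
00000002:stats.clihdr[0009:ffffffff]: Host: localhost:1337
00000002:stats.srvrep[0009:ffffffff]: HTTP/1.1 200 OK
00000003:stats.clireq[0009:ffffffff]: GET /favicon.ico HTTP/1.1
00000003:stats.clicls[0009:ffffffff]
00000003:stats.closed[0009:ffffffff]
"""


def parse_sessions(text: str) -> dict:
    """Map (session id, proxy name) -> ordered list of event names."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m["sid"], m["proxy"])].append(m["event"])
    return dict(sessions)


def closed_before_request(text: str) -> list:
    """Sessions that were accepted and closed with no clireq in between.

    With a plain `bind`, that is a client that connected and sent nothing.
    With `bind ... ssl`, a request can only be read (and clireq logged) after
    the TLS handshake has completed, so accept -> clicls -> closed is what a
    failed handshake (e.g. a certificate the client rejects) looks like at
    this log level.
    """
    return [
        key for key, events in parse_sessions(text).items()
        if "accept" in events and "closed" in events and "clireq" not in events
    ]


if __name__ == "__main__":
    for sid, proxy in closed_before_request(SAMPLE):
        print(f"session {sid} on {proxy}: closed before any request was parsed")
```

At this log level HAProxy does not say why the client closed; the next step for an `ssl` bind is to complete the handshake by hand with `openssl s_client` and read the certificate the listener actually presents.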


#4

What happens when you access the backend directly with HTTPS (not HTTP)?

You said it worked with HTTP on the frontend, that is, port 80 (HTTP) in the frontend with the very same backend configuration as you have here, is that correct?


#5

When I access the backends directly, everything works OK: green lock in the browser.

When the frontend is HTTP (in my case I tested it on port 443 because that is what was open on the corporate FW), the configuration works well, just without the initial SSL connection to the frontend.

I am on version 1.6.3, which is the one in the Ubuntu repository.


#6

Ok, reconfigure with SSL on port 443 and post the output of:
openssl s_client -connect X.X.X.X:443

Also:

  • provide the output of haproxy -vv
  • provide the real SSL configuration you are using (the config above with an empty “ssl-default-bind-ciphers” directive doesn’t even start, so that is not the actual configuration you are using)

#7

Hi,

You were spot on with the openssl s_client -connect X.X.X.X:443 command.

IT provided me with a client certificate and not a server certificate… :crazy_face:

I had already compiled the new version when I saw your post.

lukastribus, I appreciate your help and thank you for your time.

Everything works as planned.
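The root cause above, a client certificate installed as the listener's certificate, is cheap to catch before a reload rather than from browser errors afterwards. The script below is an added editor's example, not code from the thread or from HAProxy: it decodes the Extended Key Usage extension of a certificate with a minimal DER walker (standard library only) and reports whether the certificate is usable for TLS server authentication. It reads the first CERTIFICATE block of a PEM file (such as the `certificate.combined` file from post #1, where the leaf certificate comes first) or raw DER. `build_sample_cert` constructs a certificate-shaped DER for demonstration; it is not a real certificate, and the file path in the usage line is an assumption.

```python
"""Is this X.509 certificate usable as a TLS *server* certificate?
Decodes the Extended Key Usage (EKU) extension with a minimal DER walker.

Added example for this thread, not HAProxy's or the posters' code. Standard
library only. `build_sample_cert` constructs a certificate-shaped DER for the
demonstration; it is NOT a valid certificate.
"""
import base64
import re
import sys

OID_EKU = "2.5.29.37"
OID_ANY_EKU = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the content of a constructed node into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _walk(buf: bytes):
    """Depth-first over every node; only constructed nodes (bit 0x20) are descended."""
    for tag, value in _children(buf):
        yield tag, value
        if tag & 0x20:
            yield from _walk(value)


def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extended_key_usage(der: bytes):
    """Return the EKU OIDs as strings, or None when the extension is absent."""
    for tag, value in _walk(der):
        if tag != TAG_SEQUENCE:
            continue
        kids = _children(value)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if (len(kids) >= 2 and kids[0][0] == TAG_OID and kids[-1][0] == TAG_OCTET_STRING
                and _decode_oid(kids[0][1]) == OID_EKU):
            inner_tag, inner, _ = _read_tlv(kids[-1][1], 0)
            if inner_tag == TAG_SEQUENCE:
                return [_decode_oid(v) for t, v in _children(inner) if t == TAG_OID]
    return None


def usable_as_server_cert(der: bytes) -> bool:
    """RFC 5280: no EKU means any purpose; otherwise serverAuth (or anyEKU) must be listed."""
    eku = extended_key_usage(der)
    return eku is None or OID_SERVER_AUTH in eku or OID_ANY_EKU in eku


def load_der(data: bytes) -> bytes:
    """Raw DER, or the first CERTIFICATE block of a PEM file (the leaf in a combined file)."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


# ---- constructed sample material (not a real certificate) -------------------

def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(eku_oids=None) -> bytes:
    """Certificate-shaped DER with only version, serial and (optionally) an EKU extension."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # [0] version v3, serial 1
    if eku_oids is not None:
        oids = b"".join(_tlv(TAG_OID, _encode_oid(o)) for o in eku_oids)
        ext = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, _encode_oid(OID_EKU))
                   + _tlv(TAG_OCTET_STRING, _tlv(TAG_SEQUENCE, oids)))
        tbs += _tlv(0xA3, _tlv(TAG_SEQUENCE, ext))                  # [3] EXPLICIT Extensions
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, tbs))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Assumed usage: python check_server_cert.py /etc/ssl/private/certificate.combined
    der = load_der(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_cert([OID_CLIENT_AUTH])
    print("EKU:", extended_key_usage(der))
    print("usable for serverAuth:", usable_as_server_cert(der))
```

A certificate that passes this check can still produce NET::ERR_CERT_INVALID for other reasons (name mismatch, missing intermediate in the combined file, untrusted issuer), so treat it as the pre-flight test for the specific mistake in this thread and keep `openssl s_client -connect host:443` (post #6) or `openssl x509 -in cert.pem -noout -text` as the authoritative view of what the listener serves.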