HAProxy community

SSL Pass-through yields SSL errors

Hi there.
I’m almost at the end of my tether here. I have no idea why this doesn’t work.
All I am trying to do is SSL passthrough which should be simple enough (or so I thought) but 99% of the time I am getting some unknown SSL error

root@kuroko:~# curl -k https://corihaws.co.uk
curl: (35) Unknown SSL protocol error in connection to corihaws.co.uk:443

I note this error does not occur if I set the default backend - so the issue must be with the rule but I’m clearly not understanding it.

Here is my config

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
        log     global
        mode    http
        #option httplog
        option  dontlognull
        timeout connect 50000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# Frontend: fe-http ()
frontend fe-http
    bind *:80
    stats uri /haproxy?stats
    mode http
    option http-keep-alive
    # tuning options
    # logging options
    # ACL: corihaws
    acl acl_corihaws hdr_end(host) -i corihaws.co.uk
    # ACTION: misaka00002-http
    use_backend be-misaka00002-http if acl_corihaws

# Frontend: fe-https ()
frontend fe-https
    bind *:443
    mode tcp
    # tuning options
    # logging options
    option tcplog
    # ACL: corihaws-ssl
    acl acl_corihaws-ssl req.ssl_sni -m end -i corihaws.co.uk
    # ACTION: misaka00002-https
    use_backend be-misaka00002-https if acl_corihaws-ssl
   # default_backend be-misaka00002-https

# Backend: be-misaka00002-http ()
backend be-misaka00002-http
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    http-reuse never
    server misaka00002-http 10.0.1.102:80

# Backend: be-misaka00002-https ()
backend be-misaka00002-https
    mode tcp
    balance source
    # stickiness
    #stick-table type ip size 50k expire 30m
    #stick on src
    # tuning options
    server misaka00002-https 10.0.1.102:443

Any help would be much appreciated.
Kind Regards
Cori

As per the documentation:

https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#7.3.5-req.ssl_sni

You need to wait for the complete client_hello, before matching the SNI value:

# Wait for a client hello for at most 5 seconds
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# ACL: corihaws-ssl
acl acl_corihaws-ssl req.ssl_sni -m end -i corihaws.co.uk
# ACTION: misaka00002-https
use_backend be-misaka00002-https if acl_corihaws-ssl

Hi, Thanks for the response.
This seems to have been the problem.
I will admit, I was having this issue using the OPNSense haproxy plugin, so I setup a separate server running haproxy and copied over the essential config options to diagnose the issue. Evidently, for whatever reason OPNsense is not auto-generating the required client_hello config options…

Many Thanks
Cori

1 Like