SSL Protocol Errors when not offloading

Help!
1

Hello, I’m trying to eventually set up something similar to this, where a single frontend should only ask for client certs conditionally. However, I got a bunch of errors and it seems I’m getting errors with even more basic setups.

Here’s a minimal setup that produces the error for me:

OPNSense HAProxy plugin running on a home box

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# More frontends omitted for brevity

# Frontend: test_in ()
frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    default_backend homeassistant
    # tuning options
    timeout client 30s

    # logging options
    option log-separate-errors
    option tcplog

# More backends omitted for brevity

# Backend: homeassistant ()
backend homeassistant
    option log-health-checks
    # health check: check homeassistant
    option httpchk
    http-check send meth GET uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl  verify none

Chrome gives me ERR_SSL_PROTOCOL_ERROR and Postman gives me Error: write EPROTO 82462216:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242: when visiting my site.

I have also tried combinations of https offloading on the frontend, and marking the backend as SSL. Only the combination of both allows me to access the homeassistant instance properly.

https offloading but no ssl on backend gives me a 502. ssl on backend but ssl passthrough on frontend (as shown above) gives me the same SSL proto error.

Here’s the relevant portions with the aforementioned options both enabled:

frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl  crt-list /tmp/haproxy/ssl/62a6bbcf47f3b0.59102928.certlist 
    # rest same

backend homeassistant
    # rest same
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl  ssl alpn h2,http/1.1 verify none verify none

I can get it working with offloading, but I’m assuming getting the SSL passthrough working is necessary for the loopback unix node setup since you mentioned that the “first three sections need to be tcp mode” when referring to the main frontend and loopback backends in the linked thread.

2

you can’t have a backend in HTTP mode after a frontend in TCP mode where you don’t decipher the traffic.
It’s not clear to me what you want to achieve here. Either enable ‘ssl’ and set a cert on the bind line or switch to tcp mode in the backend

3

Neither of the things you suggested works.

My intention is to use the unix node loopback setup that @lukastribus suggested, but some services that I need to send traffic to are http only. The original post suggested that tcp mode was required on the first frontend and subsequent backends.

4

Kenblu24, it seems you are missing a link to what you are trying to do. You refer to wanting to do something like in linked article, but there is no link.

As Baptiste says, it won’t work to have tcp mode on front end and http on back end.

If you solved this already let us know please. If you still need help, we need to know what you are trying to do

5

Sorry, it seems the forum doesn’t highlight links particularly well. Here’s the link again: How to set ssl verify client for specific domain name - #3 by lukastribus

My actual objective is to have the browser ask for certs only for certain URLs that I set it for. In the linked post, lukas suggests that the frontend that handles incoming traffic and the backends after that need to be in TCP mode. Does this mean, since several of my real servers are http only, that I can’t do that?

6

Im sure you can do what it is you want in haproxy, I’m just not sure you are going about it the right way.

The solution from lukastribite in the link you share works but you should know it is an incomplete config. His example does not show any backends at all. The two 127.0.0.1 backends that he shows are simply each one pointing to a new front end. This is how he manages to have two front ends with two different requirements both listening on the same port (443). He sorts them in a single tcp mode front end by domain requested using req_ssl_sni then sends them to two tcp mode backends who’s only function is to send the straight to 2 new front ends each with different parameters. He then will have to create new backends to send this pre-sorted traffic to.

That being explained, I’m not sure it’s what you really want to do. You say you want the browser to ask for certs only for certain urls, and several of your servers are http only. I’m still not exactly clear on your situation. If your browser knows which urls are http only then it should send an http request and only send https to sites that are https. If on the other hand you want all tragic to your site to be ssl encrypted and then have haproxy send some of its traffic to https enabled servers and the rest to http servers you can do that by simply sending some to https backends and the rest to http backends. But the simplest way to do it is to just do all the ssl termination at the haproxy front end then send out all your redirected traffic to http servers. For this your haproxy needs a certificate covering all the domains it will be forwarding to. If for some target servers can’t receive plain http requests, then you have to split into two front ends as per lucastrubute. With this you can do it 2ways. First you can make one of your front ends tcp mode and use it to ssl forward the request to a tcp mode backend pointing to https servers. The other way is to use ssl bridging but you probably don’t want to do that.