TLS Passthrough with new port listening and RPC filtering

Hello community!

Running into a problem with the configuration for one web app hosted on one of our public IPs. This app receives HTTP POST information over a port (8081) and issues commands over the established TLS tunnels (osquery reporting + TLS).

Our design logic is that we set up HAProxy to separate the reporting port from the HTTP login port for admins (8080). Basically, hide the admin port from the public, and only allow public traffic with the correct HTTP header to go to the report port, which redirects the traffic to the admin port.

So I am trying to set up this on a server to test with HAProxy. This is the code I have so far for configurations:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    tcp
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen fleet-canary
        bind 0.0.0.0:8081
        mode http
        timeout connect 4000
        timeout client 180000
        timeout server 180000
        server srv1 <IP>:8080

frontend localhost
        bind *:8081
        option tcplog
        mode tcp
        default_backend nodes

backend nodes
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        server web01 <IP>:8080 check

Any help is appreciated. Thanks a bunch

The configuration is wrong, you cannot listen to port 8081 twice, otherwise the kernel will load-balance between two different services and that is almost certainly not what you want.

From your description I do not have a good idea what you are trying to achieve. Please re-explain what you are trying to achieve and how - specifically, if you want haproxy to listen on a single port and then route to 2 different application backends, clarify how you want haproxy to distinguish between one application and the other.

Hello, I just changed our config.

Sorry for the confusion if there’s any.

I am trying to achieve:

  1. on the proxy, redirect all incoming traffic from port 8082 to port 8080 locally
  2. for all incoming traffic to port 8082, I only want to allow traffic with a valid TLS cert to come in
  3. if 2) is not possible, I would like to limit some kind of signatures to do access control
  4. port 8080 already has a cert.pem running for direct 8080 port access.
  5. the end product would be: I will restrict 8080 access at the firewall level to only the trusted zone, and open port 8082 so all internet traffic can access that port. But HAProxy will only route the traffic with a valid TLS cert.

Below is the config.

global
	log /dev/log	local0 debug
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	#stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private
	ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
	ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
	log	global
	mode	http
	option  httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend https
	bind *:8082 ssl crt /root/newca/keys/hap-server.pem ca-file /root/newca/keys/ca.crt verify required
	default_backend nodes

backend nodes
	server web01 127.0.0.1:8080

Thank you

Traffic on port 8082 will be TLS and traffic on port 8080 will be cleartext, is that what you are saying?

Then your configuration should already achieve that.

So port 8082 does the redirection for port 8080. On port 8080 we only have a cert for the server.

But it doesn’t work when we did the config; our endpoint log keeps saying the TLS handshake failed.

Any idea on where to troubleshoot? Thanks again

Still unclear what you are trying to do. Also nothing redirects here. This is forwarding, not redirecting.

You want to do TLS termination on port 8082. But then you want to do TLS termination on 8080 once again? Exactly what should be encrypted and should not be encrypted?

Hi Lukas.

So basically we are trying to use HAProxy to only allow traffic on port 8082 with a valid client cert to talk to the app server. On the app server firewall side, we only allow traffic that is coming from the HAProxy.

So yes, you are right. The first authentication happens on the HAProxy side (hosted on port 8082). With the valid client certs on the endpoints, our goal is to direct the traffic to the app server (hosted on port 8080). So yes, technically we are authenticating the incoming traffic twice. We hope only authenticated packages, a.k.a. hosts with a valid client cert, would be able to talk to the proxy port 8082, and then only the proxy can talk to the app server (port 8080).

Thanks

So SSL on port 8082, terminating SSL and forwarding the cleartext traffic to 8080?

That’s what your configuration does.
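Added example, not part of this thread or of HAProxy itself: a small static check over HAProxy `bind` lines that catches the two points raised above, a port bound by more than one frontend/listen section (the first config's double 8081), and a TLS bind that demands client certificates without naming a `ca-file` to verify them against. The embedded configs are trimmed copies of the two posted in the thread.

```python
import re
from collections import defaultdict

# Trimmed copies of the two configs posted in this thread (only bind lines matter here).
FIRST_CONFIG = """
listen fleet-canary
        bind 0.0.0.0:8081
        server srv1 <IP>:8080
frontend localhost
        bind *:8081
        default_backend nodes
"""
SECOND_CONFIG = """
frontend https
	bind *:8082 ssl crt /root/newca/keys/hap-server.pem ca-file /root/newca/keys/ca.crt verify required
	default_backend nodes
backend nodes
	server web01 127.0.0.1:8080
"""
SECTION_RE = re.compile(r"^(frontend|listen|backend|defaults|global)\b\s*(\S*)")

def parse_binds(config):
    """Return (section_name, tokens) for every 'bind' line, tracking the enclosing section."""
    binds, section = [], None
    for raw in config.splitlines():
        line = raw.strip()                      # handles both tab- and space-indented configs
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2) or m.group(1)  # 'listen fleet-canary' -> 'fleet-canary'
            continue
        if line.startswith("bind "):
            binds.append((section, line.split()))
    return binds

def check_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, by_port = [], defaultdict(list)
    for section, tokens in parse_binds(config):
        by_port[tokens[1].rsplit(":", 1)[-1]].append(section)   # '*:8081' -> '8081'
        opts = tokens[2:]
        if "ssl" in opts:
            if "verify" not in opts:
                findings.append(f"{section}: TLS bind accepts any client (no 'verify')")
            elif opts[opts.index("verify") + 1] == "required" and "ca-file" not in opts:
                findings.append(f"{section}: 'verify required' without 'ca-file'")
    for port, sections in by_port.items():      # the kernel would share one port between sections
        if len(sections) > 1:
            findings.append(f"port {port} bound in more than one section: {', '.join(sections)}")
    return findings
```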