We collect log files on one site and then send them over the internet via TCP + TLS to our servers in the cloud. The log files need to be sent evenly between the two servers, so we have put HAProxy in front of them.
Currently the only config I have added to get the connection from the local server to the servers in the cloud via HAProxy is:
listen graylog
    bind *:20000
    # layer 4 only: connections are balanced, the stream inside them is not inspected
    mode tcp
    option tcplog
    balance roundrobin
    server graylog1 10.32.4.4:20001 check
    server graylog2 10.32.4.5:20001 check
I believe I need to terminate TLS at the HAProxy server; how would I go about doing this?
Cheers,
G
I’ve still got nowhere, can anyone help?
What do you need to encrypt: client to haproxy, haproxy to backend servers, or both? Do you have a certificate ready to be installed on haproxy?
So the logs come to HAProxy encrypted; we want to decrypt them at that point and send them in plaintext from the backend. I am about to set up a certificate for it now.
I have added that option and it doesn’t seem to have worked.
frontend gl-frontend
    mode tcp
    default_backend gl-cluster
    # TLS is terminated here; the PEM file holds the certificate and its private key
    bind *:20000 ssl crt /etc/certs/ha-selfsigned.pem
backend gl-cluster
    mode tcp
    balance roundrobin
    # plaintext TCP from here on to the Graylog nodes
    server GL1 10.19.0.4:20001
    server GL2 10.19.0.5:20001
Doesn’t work how? Can you elaborate a little bit?
Okay, so the SSL termination is now working, but it only sends to one host. The connection is never broken.
Edited:
We send the data on from the proxy to two nodes, and we are only seeing one connection being made to one node; the connection is never broken and therefore data is never sent to the other node.
So the connection when sending the logs from one site to another is just one long TCP connection that sends all the logs. Obviously HAProxy is set up to balance the TCP connections, and when there’s only one, it will just go to one node. Is there any way to resolve this?
To load-balance you need multiple sessions. If there is only one session, only one server will see the load.
This is especially true in TCP mode, as HAProxy does not understand or interact at the application layer, but only at layer 4 (TCP).
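To make the point above concrete, here is a constructed Python model (an added example, not code from this thread or from HAProxy) of a layer-4 round-robin balancer in front of two log receivers: one long-lived session lands entirely on the first node, while the same log lines split over ten sessions spread 5/5. The node names GL1/GL2 come from the posted config; the ports, the proxy and the log lines are constructed.

```python
import asyncio

# Constructed in-process model (not HAProxy code) of a layer-4 proxy that, like
# 'mode tcp' + 'balance roundrobin', picks a server once per TCP connection.
class Backend:
    def __init__(self, name):
        self.name, self.connections, self.received = name, 0, 0
    async def handle(self, reader, writer):
        self.connections += 1                      # one accept per proxied session
        while data := await reader.read(4096):
            self.received += len(data)
        writer.close()
class RoundRobinProxy:
    def __init__(self, targets):
        self.targets, self.turn = targets, 0
    async def handle(self, reader, writer):
        host, port = self.targets[self.turn % len(self.targets)]
        self.turn += 1
        _, b_writer = await asyncio.open_connection(host, port)
        while data := await reader.read(4096):     # bytes piped blindly, no L7 parsing
            b_writer.write(data)
            await b_writer.drain()
        b_writer.close()
        writer.close()
async def _serve(handler):
    server = await asyncio.start_server(handler, "127.0.0.1", 0)
    return server, server.sockets[0].getsockname()[1]
async def _run(lines, sessions):
    backends = [Backend("GL1"), Backend("GL2")]
    started = [await _serve(b.handle) for b in backends]
    proxy = RoundRobinProxy([("127.0.0.1", port) for _, port in started])
    proxy_srv, proxy_port = await _serve(proxy.handle)
    for chunk in (lines[i::sessions] for i in range(sessions)):  # one session per chunk
        _, w = await asyncio.open_connection("127.0.0.1", proxy_port)
        w.write("".join(chunk).encode())
        await w.drain()
        w.close()
        await w.wait_closed()
    for _ in range(500):   # wait (up to 5 s) until every byte has been piped through
        if sum(b.received for b in backends) >= sum(len(l) for l in lines):
            break
        await asyncio.sleep(0.01)
    for srv, _ in started + [(proxy_srv, proxy_port)]:
        srv.close()
    return {b.name: b.connections for b in backends}
def distribution(sessions, n_lines=100):
    """Connections each backend saw after n_lines were sent over `sessions` sessions."""
    lines = [f"constructed log line {i}\n" for i in range(n_lines)]
    return asyncio.run(_run(lines, sessions))
```

The same effect applies to a real shipper: only a client that opens a new TCP (or TLS) session per batch, or a shipper on each site with its own connection, gives the balancer anything to distribute.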