OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: tapnl on May 21, 2020, 08:33:28 pm

Title: HAProxy working on port 80 not working on port 443
Post by: tapnl on May 21, 2020, 08:33:28 pm
I have HAProxy working for subdomains using http (port 80), as soon as I bring in a subdomain which is being served by a https/port 443, I can't get it working.

My current setup is as follows:

Multiple VMs running in a network, some of these VMs have containers running with their own proxy and certificates.

Working:
http://test1.example.com --> test_server_1
http://test2.example.com --> test_server_2

These VMs are not using any ssl, etc.

Not working:
https://app1.example.com --> container_server
https://app2.example.com --> container_server

The container_server runs its own proxy (Traefik) and handles the Let's Encrypt certificates. I want to keep it this way, because I want to build some sort of BeyondCorp / ZeroTrust setup in the backend later on and I want my firewall to not be too involved (certificate handling, etc.). HAProxy needs to be as transparent as possible.

The error I am getting is that there is some kind of SSL error.

Using a Mac:

Chrome:
This site can’t provide a secure connection

app1.example.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Firefox:
An error occurred during a connection to app1.example.com. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

ADDITION:
I have no port 443 rules or port forwards running (all disabled).

Any help is appreciated.

Title: Re: HAProxy working on port 80 not working on port 443
Post by: cmdr.adama on May 22, 2020, 12:29:58 pm
Could you please post your config?

Have you got the frontend set to SSL / HTTPS TCP mode?
Title: Re: HAProxy working on port 80 not working on port 443
Post by: tapnl on May 22, 2020, 05:13:57 pm
I have two frontends (one for HTTP/80 and HTTPS/443). In the HTTPS/443 the option SSL / HTTPS TCP mode is enabled.
See below for parts of my config; let me know if you are missing anything.

Servers:

Enabled: checked
Name: app1
Description: app1
FQDN or IP: 192.168.1.xx
Port: 443
Mode: active (default)
SSL: checked
Verify SSL Certificate: unchecked      
SSL Verify CA: nothing selected

Public services:
Enabled: checked
Name: frontend443
Description: frontend443
Listen Addresses: 0.0.0.0:443   
Type: SSL/HTTPS TCP mode
Default Backend Pool: none
Enable SSL offloading: unchecked
Max. Connections: empty
Detailed Logging: unchecked
Table type: none
Stored data types: nothing selected   
Select rules: SSLTESTRULE   
Select Error Messages: Nothing selected

Backend pool:
Enabled: checked
Name: app1
Description: app1
Mode: HTTP (Layer 7) [default]
Balancing Algorithm: Source-IP Hash [default]
Servers: app1
Enable Health Checking: checked
Health Monitor: none
Log Status Changes: unchecked
Enable HTTP/2: unchecked   
HTTP/2 without TLS: unchecked
Advertise Protocols (ALPN): HTTP/2 HTTP/1
Persistence type: stick table persistence [default]
Table type: Source-IP [default]
Stored data types: nothing selected   
Cookie name: empty
Cookie length: empty
Enable: unchecked   
Allowed Users: nothing selected
Allowed Groups: nothing selected
Retries: empty
Select Rules: empty
Select Error Messages: nothing selected

Conditions:
Name: app1
Description: app1
Condition type: host contains
Negate condition: unchecked
Host contains: app1.example.com

Rules:
Name: app1.example.com
Description: app1.example.com
Test type: IF [default]
Select conditions: app1    
Logical operator for conditions: AND [default]
Execute function: use specified backend pool
Use backend pool: app1backend

I have played around with some options but had no luck, for example changing the mode of the backend pool to TCP.
Title: Re: HAProxy working on port 80 not working on port 443
Post by: cmdr.adama on May 22, 2020, 05:30:15 pm
Change both the front end and backend to just TCP mode.

Also you'll definitely want to set up ACLs for SSL SNI if you plan on having multiple servers.

As per this guide https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/#ssl-tls-pass-through
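The setup cmdr.adama describes (TCP mode on both sides, SNI-based ACLs, no certificate on the proxy), written out as a raw haproxy.cfg. This is an added example, not code from the thread and not the config the OPNsense plugin generates; the hostnames are the ones from the thread, the backend addresses are constructed placeholders:

```haproxy
# Added example: TLS passthrough with SNI routing in raw haproxy.cfg form.
# Not the OPNsense plugin's generated config; addresses are placeholders.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: layer 7 (mode http) is fine here because nothing is encrypted.
frontend http_in
    bind 0.0.0.0:80
    mode http
    option httplog
    acl host_test1 req.hdr(host) -i test1.example.com
    acl host_test2 req.hdr(host) -i test2.example.com
    use_backend test_server_1 if host_test1
    use_backend test_server_2 if host_test2

# HTTPS passthrough: TCP mode, no "ssl crt" on the bind line.
frontend https_in
    bind 0.0.0.0:443
    mode tcp
    option tcplog
    # Hold the connection (up to 5s) until the ClientHello has arrived,
    # so the SNI can be read before a routing decision is made.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl sni_app1 req.ssl_sni -i app1.example.com
    acl sni_app2 req.ssl_sni -i app2.example.com
    use_backend container_server if sni_app1 or sni_app2
    # Unknown or missing SNI is rejected rather than handed to a default pool.
    default_backend drop_tls

backend test_server_1
    mode http
    server test1 192.168.1.11:80 check   # constructed placeholder address

backend test_server_2
    mode http
    server test2 192.168.1.12:80 check   # constructed placeholder address

# Must also be TCP mode, and the server line must NOT carry the "ssl" keyword:
# the client's TLS session terminates at Traefik, which holds the certificate.
backend container_server
    mode tcp
    server traefik 192.168.1.20:443 check   # constructed placeholder address

backend drop_tls
    mode tcp
    tcp-request content reject
```

Two things worth checking against the GUI config posted above: the "SSL: checked" box on the real server entry corresponds to the `ssl` keyword on the server line, which makes HAProxy itself open a second TLS session to the backend (re-encryption, not passthrough), so it stays off here; and because the proxy never sees plaintext in this mode, it cannot add an `X-Forwarded-For` header, so Traefik will log HAProxy's address as the client unless the PROXY protocol is enabled on both sides.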
Title: Re: HAProxy working on port 80 not working on port 443
Post by: tapnl on May 22, 2020, 11:32:43 pm
Thanks. I set both the frontend and the backend to TCP, but the error stays the same and it is not working.

The link you provided is exactly what I want to achieve. But I have the feeling that it has a twist in setting up compared to the standard how-to in the OPNsense docs.

The puzzle continues.
Title: Re: HAProxy working on port 80 not working on port 443
Post by: cmdr.adama on May 23, 2020, 05:51:01 am
What web server are you using? Is it showing any errors when you attempt to access the websites? That, or Traefik?
Title: Re: HAProxy working on port 80 not working on port 443
Post by: huuich on August 16, 2020, 04:51:49 am
I'm using Webinoly to set up a VPS server (https://webinoly.com/en/), and Webinoly can configure SSL for websites on this hosting. I searched the forum and found a German topic that did SSL passthrough with the HAProxy plugin (https://forum.opnsense.org/index.php?topic=11789.msg53525#msg53525), but I still don't know how to do this. Could you check and explain SSL passthrough with the HAProxy plugin step by step? Thanks!