Messages - browne

#16
Just found this: https://github.com/opnsense/plugins/issues/1430#issuecomment-692265194

I guess we all have to go without OCSP or use the script from above, until HAProxy supports this.


browne
#17
I am running HAProxy as a reverse proxy in HTTP / HTTPS (SSL offloading) mode using Let's Encrypt ACME on OPNsense.
Everything is working fine and I am right now fine tuning my setup.

The only thing left to do is to get OCSP stapling to work!
My certificate already contains the OCSP Must Staple extension.


SSL Labs
This server certificate supports OCSP must staple but OCSP response is not stapled.

Firefox shows this once I use a certificate with the OCSP must staple extension.
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

How do I proceed from here on?
I had a look at all the HAProxy settings but couldn't really figure out how to set up OCSP stapling.


Regards
browne
#18
We tracked it down to some NTLM issues on the RDP Gateway...
https://support.microsoft.com/en-us/help/2903333/terminal-services-client-connection-error-0xc000035b-when-you-use-lmco

Anyway it is working perfectly fine now!
#19
General Discussion / Re: Haproxy and RDS 2019
September 21, 2020, 03:23:19 PM
Quote from: mimugmail on August 04, 2020, 09:56:27 AM
You need a condition with path contains string "remoteDesktopGateway" and a rule to match this condition and execute function "http-request deny".

Then it will work ...

This was the solution for my problem. Thank you!
https://forum.opnsense.org/index.php?topic=19169
#20
General Discussion / Re: HAProxy + Remote Desktop Gateway
September 21, 2020, 03:06:08 PM
Thank you very much!
I already saw your post in that other thread, but couldn't believe it had to do with my problem.

Could you please explain to me: Why do I have to use this rule and what exactly it does?

browne
#21
Hello,

I already set up HAProxy as a reverse proxy on port 443 with ACME for some web servers, Exchange, ....

Right now I am struggling with adding our remote desktop gateway server.
https://www.haproxy.com/documentation/haproxy/deployment-guides/remote-desktop/rdp-gateway/
I want to use the "SSL bridging mode" in order to get rid of the certificate errors.

If I understand everything there correctly, I will need a separate frontend for the RDP gateway because of some special settings and of course on another port than 443. Sadly I failed with just copying the given config, as I didn't figure out where to set all the options.

Is there someone who has already set up haproxy with a remote desktop gateway server and would be so kind to share his config?

(Sorry for double posting this here and in the "Web Proxy Filtering and Caching" sub forum. But I thought more people would read it here.)

Best regards
browne
#22
Hello,

I already set up HAProxy as a reverse proxy on port 443 with ACME for some web servers, Exchange, ....

Right now I am struggling with adding our remote desktop gateway server.
https://www.haproxy.com/documentation/haproxy/deployment-guides/remote-desktop/rdp-gateway/
I want to use the "SSL bridging mode" in order to get rid of the certificate errors.

If I understand everything there correctly, I will need a separate frontend for the RDP gateway because of some special settings and of course on another port than 443. Sadly I failed with just copying the given config, as I didn't figure out where to set all the options.

Is there someone who has already set up haproxy with a remote desktop gateway server and would be so kind to share his config?

Best regards
browne

EDIT:
Solved: https://forum.opnsense.org/index.php?topic=19169.0
#23
That was the solution! thanks
#24
Okay, thanks for the info!

In which scenario would I then create a second frontend?
Or rather, why doesn't it work with two separate frontends?
I'm only asking to understand the whole thing better.

EDIT: The attached image shows my old frontend configuration. The config for the Exchange server looks exactly the same, just with the other rule. The backend belonging to the frontend was also entered as the default backend pool.

Now I have one frontend with the two rules for ESWEB and MEX1.
#25
Thanks!!! That was it, I now have only one frontend for all backends with the corresponding rules.
I was under the assumption that each backend needs its own frontend.

So is it the case that for each subdomain (e.g. sub1.firma.de) the servers behind it (SQLHOST, ESWEB, ...) need one shared frontend and as many different backends as there are servers?

Is the haproxy.conf not yet the complete configuration?
Which data is still missing?

Regards
browne
#26
Hello,

I am linking my English post here, since I have seen that there is considerably more activity in the German forum.
https://forum.opnsense.org/index.php?topic=17801

As already mentioned there, I have so far successfully configured ACME and one server, MEX1.
I configured my second server SQLHOST exactly like the first one; only the condition differs.
Nevertheless I cannot reach the second server, since haproxy apparently falls back to the configuration of the first server, which makes no sense at all to me.

My suspicion can be proven by disabling my MEX1 under the "Real Servers" tab: when I then call the URL of the SQLHOST, I suddenly get a 503 error instead of a 404 error.
If I re-enable the entry for MEX1 and change ONLY the URL condition of the SQLHOST from "esweb" to "owa", I am immediately forwarded to the Exchange server, even though the server entry contains the IP of the SQLHOST server.


Log when calling the URL
haproxy[3465]: 192.168.223.215:57161 [23/Jun/2020:13:41:54.003] MEX1_frontend~ MEX1_backend/MEX1 1/0/0/2/3 404 118 - - ---- 1/1/0/0/0 0/0 "GET /esweb/ HTTP/1.1"

haproxy.conf

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: redirect_acme_challenge ()
frontend redirect_acme_challenge
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: MEX1_frontend (my.domain.net/owa)
frontend MEX1_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    mode http
    option http-keep-alive
    default_backend MEX1_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: MEX1_condition
    acl acl_5ede305aa428f7.91112437 path_beg -i /owa

    # ACTION: MEX1_rule
    use_backend MEX1_backend if acl_5ede305aa428f7.91112437

# Frontend: LetsEncrypt_Frontend ()
frontend LetsEncrypt_Frontend
    bind 192.168.223.181:80 name 192.168.223.181:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/
    # ERROR: unsupported action type
    # ACTION INVALID:

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: ESWEB_frontend (my.domain.net/esweb)
frontend ESWEB_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    mode http
    option http-keep-alive
    default_backend ESWEB_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: ESWEB_condition
    acl acl_5ee219894dbd78.15910750 path_beg -i /esweb

    # ACTION: ESWEB_rule
    use_backend ESWEB_backend if acl_5ee219894dbd78.15910750

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: MEX1_backend ()
backend MEX1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server MEX1 192.168.200.12:443 ssl verify none

# Backend: ESWEB_backend ()
backend ESWEB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SQLHOST 192.168.200.21:443 ssl verify none
#27
Hello,

I am currently setting up haproxy in my network.
I got the acme automation working and was also able to configure the first server.

I then cloned each setting of the first server (MEX1) and adapted them to match the 2nd server (SQLHOST - esweb).

Somehow I am unable to access the 2nd server via haproxy; it just gives me a 404 error. The first one still works fine.
What makes me curious are the log entries: it seems that the config for my SQLHOST is pointing to the backend / frontend of my MEX1 server, which makes no sense at all.

haproxy[3465]: 192.168.223.215:57161 [23/Jun/2020:13:41:54.003] MEX1_frontend~ MEX1_backend/MEX1 1/0/0/2/3 404 118 - - ---- 1/1/0/0/0 0/0 "GET /esweb/ HTTP/1.1"

If I disable the server entry of MEX1, I get a 503 error when trying to access it, which makes sense, but at the same time the 2nd server now also gives a 503 error.

Below is my haproxy config.


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: redirect_acme_challenge ()
frontend redirect_acme_challenge
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: MEX1_frontend (my.domain.net/owa)
frontend MEX1_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    mode http
    option http-keep-alive
    default_backend MEX1_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: MEX1_condition
    acl acl_5ede305aa428f7.91112437 path_beg -i /owa

    # ACTION: MEX1_rule
    use_backend MEX1_backend if acl_5ede305aa428f7.91112437

# Frontend: LetsEncrypt_Frontend ()
frontend LetsEncrypt_Frontend
    bind 192.168.223.181:80 name 192.168.223.181:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/
    # ERROR: unsupported action type
    # ACTION INVALID:

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: ESWEB_frontend (my.domain.net/esweb)
frontend ESWEB_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    mode http
    option http-keep-alive
    default_backend ESWEB_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: ESWEB_condition
    acl acl_5ee219894dbd78.15910750 path_beg -i /esweb

    # ACTION: ESWEB_rule
    use_backend ESWEB_backend if acl_5ee219894dbd78.15910750

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: MEX1_backend ()
backend MEX1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server MEX1 192.168.200.12:443 ssl verify none

# Backend: ESWEB_backend ()
backend ESWEB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SQLHOST 192.168.200.21:443 ssl verify none


I hope you guys can help me out here.
browne
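As an added example (constructed for this page; it is neither browne's OPNsense-generated config nor mimugmail's), this is the shape the configuration takes once both path rules live in one shared frontend, which is what resolved the thread above: the log shows MEX1_frontend receiving the /esweb request and handing it to its default_backend. It also carries the "remoteDesktopGateway" deny rule from the RDS thread. Certificate and CA file paths are placeholders; the addresses and ports are the ones from the posted config.

```haproxy
# Added example: one shared HTTPS frontend instead of one frontend per backend.
# Constructed here; not the OPNsense-generated config from the posts above.
# Certificate and CA paths are placeholders; addresses come from the thread.

frontend http_in
    bind 0.0.0.0:80
    mode http
    acl is_acme path_beg -i /.well-known/acme-challenge/
    # ACME challenges stay on port 80; everything else is sent to HTTPS
    use_backend acme_challenge_backend if is_acme
    http-request redirect scheme https code 301 unless is_acme

frontend https_in
    # A single :443 listener. In the posted config two frontends were bound to
    # the same address and port, and the log shows MEX1_frontend answering
    # the /esweb request via its default_backend (hence the 404 from Exchange).
    bind 0.0.0.0:443 ssl crt /PLACEHOLDER/my.domain.net.pem no-sslv3 no-tlsv10 no-tls-tickets
    mode http
    option httplog
    option forwardfor
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    # Conditions: one per service, all in the same frontend
    acl is_owa   path_beg -i /owa
    acl is_esweb path_beg -i /esweb
    # Condition from the RDS thread: path contains "remoteDesktopGateway"
    acl is_rdg   path_sub -i remoteDesktopGateway

    # Rule from the RDS thread: matching requests are denied (HTTP 403 by default)
    http-request deny if is_rdg

    # Rules: the first matching use_backend wins
    use_backend MEX1_backend  if is_owa
    use_backend ESWEB_backend if is_esweb
    # Unmatched paths still fall through to Exchange, as in the original config
    default_backend MEX1_backend

backend MEX1_backend
    mode http
    # Backend TLS is validated against the internal CA instead of "verify none",
    # so a spoofed or misrouted backend is refused rather than silently proxied
    server MEX1 192.168.200.12:443 ssl verify required ca-file /PLACEHOLDER/internal-ca.pem

backend ESWEB_backend
    mode http
    server SQLHOST 192.168.200.21:443 ssl verify required ca-file /PLACEHOLDER/internal-ca.pem

backend acme_challenge_backend
    mode http
    server acme_challenge_host 127.0.0.1:43580
```

Each service keeps its own backend; only the frontend is shared, and a request reaches a backend only when its own path condition matches.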