Web Proxy Filtering and Caching / HaProxy SSL passthrough trouble with SNI_contains rule
« on: May 03, 2020, 12:12:54 pm »
Hi,
I've been fighting for several days now to get haproxy (as a reverse proxy) running on my opnsense firewall with https traffic.
The actual setup is the following:
WAN (with static IP)
---> OPNSense / HA reverse Proxy (on virtual IP)
-----> Webserver for domain1
-----> Webserver for domain2
The basic setup with haproxy is working pretty well with unencrypted http traffic, but for https I can't get the rules working.
The SSL traffic should be passed straight through to the web servers, which handle the encryption themselves.
I have configured the backend pools / rules / conditions and frontends, divided into ssl and non-ssl traffic.
If I set e.g. the condition for server 1 to "negotiated" (then every incoming request is forwarded to this backend), I can connect to it over https without a problem; therefore I assumed there must be some setting in my haproxy configuration that prevents the backend choice according to the requested SNI URI.
My config:
```haproxy
#
# Automatically generated configuration.
# Do not edit this file manually.

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket level admin
    nbproc                      1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# Frontend: PROXY_DISPATCHER (http domain dispatcher)
frontend PROXY_DISPATCHER
    bind 192.168.10.10:80 name 192.168.10.10:80
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s
    # logging options
    # ACL: remote_xyz
    acl acl_5ea7241e265c45.35734629 hdr_sub(host) -i remote.xyz.com
    # ACTION: RULE_xyz
    use_backend xyz_Server_POOL if acl_5ea7241e265c45.35734629
    # ACL: zz_xyz_de
    acl acl_5ea724a3355897.03132566 hdr_sub(host) -i zz.xyz.de
    # ACTION: RULE_zz_Public
    use_backend zz_Public_Webserver_POOL if acl_5ea724a3355897.03132566

# Frontend: PROXY_DISPATCHER_SSL (https domain dispatcher)
frontend PROXY_DISPATCHER_SSL
    bind 192.168.10.10:443 name 192.168.10.10:443
    mode tcp
    # tuning options
    timeout client 30s
    # logging options
    # ACL: zz_xyz_de_SSL
    acl acl_5eab1d24347657.98217236 req.ssl_sni -m sub -i zz.xyz.de
    # ACTION: RULE_zz_Public_SSL
    use_backend zz_Public_Webserver_POOL_SSL if acl_5eab1d24347657.98217236
    # ACL: remote_xyz_SSL
    acl acl_5eab1d00637479.15142847 req.ssl_sni -m sub -i remote.xyz.com
    # ACTION: RULE_xyz_SSL
    use_backend xyz_Server_POOL_SSL if acl_5eab1d00637479.15142847
    # WARNING: pass through options below this line
    tcp-request inspect-delay 10s

# Backend: xyz_Server_POOL ()
backend xyz_Server_POOL
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server xyz_Server 192.168.112.105:80

# Backend: zz_Public_Webserver_POOL ()
backend zz_Public_Webserver_POOL
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server zz_Ubuntu01 192.168.112.111:80

# Backend: xyz_Server_POOL_SSL ()
backend xyz_Server_POOL_SSL
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server xyz_Server_SSL 192.168.112.105:443

# Backend: zz_Public_Webserver_POOL_SSL ()
backend zz_Public_Webserver_POOL_SSL
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server zz_Ubuntu01_SSL 192.168.112.111:443

# statistics are DISABLED
```
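For comparison, here is an added example (not the posted config and not OPNsense plugin output) of how a hand-written HAProxy TCP frontend for SNI passthrough normally looks: HAProxy's documentation pairs `tcp-request inspect-delay` with `tcp-request content accept if { req.ssl_hello_type 1 }`, so that the backend decision only happens once a TLS ClientHello is buffered and `req.ssl_sni` has something to read, whereas the posted frontend has the delay but no accept rule. Backend names and addresses are taken from the post; the exact-match ACLs (`-m str`) and the deliberately absent `default_backend` are my additions.

```haproxy
# Added example of an SNI passthrough frontend (not the poster's config).
frontend PROXY_DISPATCHER_SSL
    bind 192.168.10.10:443 name 192.168.10.10:443
    mode tcp
    timeout client 30s

    # Hold the connection for up to 5s so the ClientHello can arrive;
    # req.ssl_sni reads the raw request buffer and needs it populated.
    tcp-request inspect-delay 5s
    # Release the connection as soon as a TLS ClientHello (hello type 1)
    # has been seen, so the use_backend rules below see a real SNI value.
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Exact host matching (-m str) instead of substring (-m sub), so a name
    # that merely contains "zz.xyz.de" is not routed to that pool.
    acl sni_zz     req.ssl_sni -i -m str zz.xyz.de
    acl sni_remote req.ssl_sni -i -m str remote.xyz.com
    use_backend zz_Public_Webserver_POOL_SSL if sni_zz
    use_backend xyz_Server_POOL_SSL          if sni_remote
    # No default_backend on purpose: a connection with a missing or unknown
    # SNI matches nothing and is not handed to an arbitrary web server.

backend zz_Public_Webserver_POOL_SSL
    mode tcp
    server zz_Ubuntu01_SSL 192.168.112.111:443

backend xyz_Server_POOL_SSL
    mode tcp
    server xyz_Server_SSL 192.168.112.105:443
```

Routing can be checked from a client with `openssl s_client -connect 192.168.10.10:443 -servername zz.xyz.de` and comparing the certificate returned against the one for `remote.xyz.com`.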
I'm grateful for any hint!
Best regards,
Philipp