Topic: HAProxy working on port 80 not working on port 443 (Read 6989 times)
tapnl
Newbie
Posts: 10
Karma: 0
HAProxy working on port 80 not working on port 443
« on: May 21, 2020, 08:33:28 pm »
I have HAProxy working for subdomains using http (port 80), but as soon as I bring in a subdomain which is being served over https (port 443), I can't get it working.
My current setup is as follows:
Multiple VMs running in a network, some of these VMs have containers running with their own proxy and certificates.
Working:
http://test1.example.com --> test_server_1
http://test2.example.com --> test_server_2
These VMs are not using any ssl, etc.
Not working:
https://app1.example.com --> container_server
https://app2.example.com --> container_server
The container_server runs its own proxy (Traefik) and handles the Let's Encrypt certificates. I want to keep it this way, because I want to build some sort of BeyondCorp / ZeroTrust setup in the backend later on and I don't want my firewall to be too much involved (certificate handling, etc.). HAProxy needs to be as transparent as possible.
The error I am getting is that there is some kind of SSL error.
Using a Mac:
Chrome:
This site can’t provide a secure connection
app1.example.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Firefox:
An error occurred during a connection to app1.example.com. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
ADDITION:
I have no port 443 rules or port forwards running (all disabled).
Any help is appreciated.
« Last Edit: May 21, 2020, 08:41:40 pm by tapnl »
Logged
cmdr.adama
Jr. Member
Posts: 61
Karma: 3
Re: HAProxy working on port 80 not working on port 443
« Reply #1 on: May 22, 2020, 12:29:58 pm »
Could you please post your config?
Have you got the frontend set to SSL / HTTPS TCP mode?
Logged
tapnl
Newbie
Posts: 10
Karma: 0
Re: HAProxy working on port 80 not working on port 443
« Reply #2 on: May 22, 2020, 05:13:57 pm »
I have two frontends (one for HTTP/80 and one for HTTPS/443). In the HTTPS/443 frontend, the option SSL / HTTPS TCP mode is enabled.
See below for parts of my config; let me know if you miss anything.
Servers:
Enabled: checked
Name: app1
Description: app1
FQDN or IP: 192.168.1.xx
Port: 443
Mode: active (default)
SSL: checked
Verify SSL Certificate: unchecked
SSL Verify CA: nothing selected
Publicservices:
Enabled: checked
Name: frontend443
Description: frontend443
Listen Addresses: 0.0.0.0:443
Type: SSL/HTTPS TCP mode
Default Backend Pool: none
Enable SSL offloading: unchecked
Max. Connections: empty
Detailed Logging: unchecked
Table type: none
Stored data types: nothing selected
Select rules: SSLTESTRULE
Select Error Messages: Nothing selected
Backendpool
Enabled: checked
Name: app1
Description: app1
Mode: HTTP (Layer 7) [default]
Balancing Algorithm: Source-IP Hash [default]
Servers: app1
Enable Health Checking: checked
Health Monitor: none
Log Status Changes: unchecked
Enable HTTP/2: unchecked
HTTP/2 without TLS: unchecked
Advertise Protocols (ALPN): HTTP/2 HTTP/1
Persistence type: stick table persistence [default]
Table type: Source-IP [default]
Stored data types: nothing selected
Cookie name: empty
Cookie length: empty
Enable: unchecked
Allowed Users: nothing selected
Allowed Groups: nothing selected
Retries: empty
Select Rules: empty
Select Error Messages: nothing selected
Conditions:
Name: app1
Description: app1
Condition type: host contains
Negate condition: unchecked
Host contains: app1.example.com
Rules:
Name: app1.example.com
Description: app1.example.com
Test type: IF [default]
Select conditions: app1
Logical operator for conditions: AND [default]
Execute function: use specified backend pool
Use backend pool: app1backend
I have played around with some options but had no luck, for example changing the mode of the backend pool to TCP.
« Last Edit: May 22, 2020, 05:24:52 pm by tapnl »
Logged
cmdr.adama
Jr. Member
Posts: 61
Karma: 3
Re: HAProxy working on port 80 not working on port 443
« Reply #3 on: May 22, 2020, 05:30:15 pm »
Change both the front end and backend to just TCP mode.
Also you'll definitely want to set up ACLs for SSL SNI if you plan on having multiple servers.
As per this guide: https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/#ssl-tls-pass-through
« Last Edit: May 22, 2020, 05:33:25 pm by cmdr.adama »
Logged
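The SNI-based TLS pass-through that Reply #3 points to, written out as a plain haproxy.cfg fragment. This is an added example, not part of the thread and not the file the OPNsense plugin generates. The frontend, backend and server names are the ones from Reply #2; 192.0.2.10 is a placeholder for the container_server address, which the thread elides.

```haproxy
# Added example: TLS pass-through with routing on SNI.
# 192.0.2.10 is a placeholder address (assumption), not taken from the thread.

defaults
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend frontend443
    # No "ssl crt ..." on the bind line: TLS is not terminated on the firewall.
    bind 0.0.0.0:443
    # Layer 4 only. In HTTP mode HAProxy would try to parse the encrypted
    # stream as HTTP and answer in plaintext, which a browser reports as a
    # malformed TLS record.
    mode tcp
    option tcplog

    # Hold the connection until the TLS ClientHello has arrived, so the
    # SNI extension can be inspected before a backend is chosen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Match on SNI. A Host-header condition ("host contains") cannot match
    # here: the HTTP request is inside the encrypted stream, and only the
    # server name in the ClientHello is visible to the proxy.
    acl sni_app1 req.ssl_sni -i app1.example.com
    acl sni_app2 req.ssl_sni -i app2.example.com
    use_backend app1backend if sni_app1 || sni_app2

backend app1backend
    mode tcp
    # No "ssl" keyword on the server line: the client's TLS session is
    # forwarded unchanged and terminated by Traefik, which keeps the
    # Let's Encrypt certificates and private keys off the firewall.
    # "check" here is a plain TCP connect check.
    server app1 192.0.2.10:443 check
```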
tapnl
Newbie
Posts: 10
Karma: 0
Re: HAProxy working on port 80 not working on port 443
« Reply #4 on: May 22, 2020, 11:32:43 pm »
Thx. I set both the frontend and the backend to TCP, but the error stays the same and it is not working.
The link you provided is exactly what I want to achieve. But I have the feeling that it has a twist in setting up compared to the standard howto in the OPNsense docs.
The puzzle continues.
Logged
cmdr.adama
Jr. Member
Posts: 61
Karma: 3
Re: HAProxy working on port 80 not working on port 443
« Reply #5 on: May 23, 2020, 05:51:01 am »
What webserver are you using? Is it showing any errors when you attempt to access the websites? That or Traefik
Logged
huuich
Newbie
Posts: 24
Karma: 0
https://dichvuhuuich.com
Re: HAProxy working on port 80 not working on port 443
« Reply #6 on: August 16, 2020, 04:51:49 am »
I'm using webinoly to make a VPS server (https://webinoly.com/en/) and webinoly can configure SSL for websites on this hosting. I searched the forum and found a German topic done with SSL Passthrough by the HAProxy plugin (https://forum.opnsense.org/index.php?topic=11789.msg53525#msg53525) but I still don't know how to do this. Could you check and explain SSL Passthrough with the HAProxy plugin step by step? Thanks!
Logged