HAProxy with SNI and different SSL SettingsSingle domain SSL presented for all domains on Shared IPHAProxy - ssl client ca chain cannot be verifiedHA-Proxy 301 re-direct: https to https://wwwAWS ELB with SSL backend adds proxy protocol inside SSL streamCapture and forward extended PKI cert attributes (e.g. UPN) using haproxySASL auth to LDAP behind HAPROXY with name mismatchesNo need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?openldap with haproxy - (ldap_result() failed: Can't contact LDAP server)HAProxy does not perform SNI lookupPass-through SSL with HAProxy and vhosts on same IP
What is the status of the Lannisters after Season 8 Episode 5, "The Bells"?
Does the Rogue's Reliable Talent feature work for thieves' tools, since the rogue is proficient in them?
How to continually let my readers know what time it is in my story, in an organic way?
Windows 10 lock screen - display my own random images
Why commonly or frequently used fonts sizes are even numbers like 10px, 12px, 16px, 24px, or 32px?
Should I communicate in my applications that I'm unemployed out of choice rather than because nobody will have me?
How to rename multiple files in a directory at the same time
What dog breeds survive the apocalypse for generations?
I recently started my machine learning PhD and I have absolutely no idea what I'm doing
Single word that parallels "Recent" when discussing the near future
How does a permutation act on a string?
Will there be more tax deductions if I put the house completely under my name, versus doing a joint ownership?
How to not get blinded by an attack at dawn
Testing if os.path.exists with ArcPy?
Why is Drogon so much better in battle than Rhaegal and Viserion?
Using chord iii in a chord progression (major key)
Does it matter what way the tires go if no directional arrow?
Why did Varys remove his rings?
Holding rent money for my friend which amounts to over $10k?
Is there any good reason to write "it is easy to see"?
tikz drawing rectangle discretized with triangle lattices and its centroids
Why did the metro bus stop at each railway crossing, despite no warning indicating a train was coming?
With today's technology, could iron be smelted at La Rinconada?
Does addError() work outside of triggers?
HAProxy with SNI and different SSL Settings
Single domain SSL presented for all domains on Shared IPHAProxy - ssl client ca chain cannot be verifiedHA-Proxy 301 re-direct: https to https://wwwAWS ELB with SSL backend adds proxy protocol inside SSL streamCapture and forward extended PKI cert attributes (e.g. UPN) using haproxySASL auth to LDAP behind HAPROXY with name mismatchesNo need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?openldap with haproxy - (ldap_result() failed: Can't contact LDAP server)HAProxy does not perform SNI lookupPass-through SSL with HAProxy and vhosts on same IP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have HAProxy for my two sites, one of them public and one private.
www.mysite.com
private.mysite.com
Atm, I'm using haproxy like this:
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
use_backend bknd_private if domain_private
use_backend bknd_www if domain_www
default_backend bknd_www
What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com
So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.
Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
frontend private_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
Of course that doesn't work because
a. I can't have two frontends listening on port 443 with only one public IP
b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)
I also tried doing it with three haproxy servers
frontend haproxy-sni
bind *:443 ssl crt /etc/mycert.pem no-sslv3
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req.ssl_hello_type 1
acl domain_www ssl_fc_sni_end -i www.example.com
use-server server1 haproxy-private.lan if !domain_www
use-server server2 haproxy-public.lan if domain_www
This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.
Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).
Preferably I would like something like this (made up.. don't know the real options)
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
...
I hope someone can help me with this...
ssl haproxy sni
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
add a comment |
I have HAProxy for my two sites, one of them public and one private.
www.mysite.com
private.mysite.com
Atm, I'm using haproxy like this:
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
use_backend bknd_private if domain_private
use_backend bknd_www if domain_www
default_backend bknd_www
What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com
So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.
Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
frontend private_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
Of course that doesn't work because
a. I can't have two frontends listening on port 443 with only one public IP
b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)
I also tried doing it with three haproxy servers
frontend haproxy-sni
bind *:443 ssl crt /etc/mycert.pem no-sslv3
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req.ssl_hello_type 1
acl domain_www ssl_fc_sni_end -i www.example.com
use-server server1 haproxy-private.lan if !domain_www
use-server server2 haproxy-public.lan if domain_www
This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.
Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).
Preferably I would like something like this (made up.. don't know the real options)
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
...
I hope someone can help me with this...
ssl haproxy sni
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
add a comment |
I have HAProxy for my two sites, one of them public and one private.
www.mysite.com
private.mysite.com
Atm, I'm using haproxy like this:
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
use_backend bknd_private if domain_private
use_backend bknd_www if domain_www
default_backend bknd_www
What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com
So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.
Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
frontend private_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
Of course that doesn't work because
a. I can't have two frontends listening on port 443 with only one public IP
b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)
I also tried doing it with three haproxy servers
frontend haproxy-sni
bind *:443 ssl crt /etc/mycert.pem no-sslv3
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req.ssl_hello_type 1
acl domain_www ssl_fc_sni_end -i www.example.com
use-server server1 haproxy-private.lan if !domain_www
use-server server2 haproxy-public.lan if domain_www
This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.
Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).
Preferably I would like something like this (made up.. don't know the real options)
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
...
I hope someone can help me with this...
ssl haproxy sni
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
I have HAProxy for my two sites, one of them public and one private.
www.mysite.com
private.mysite.com
Atm, I'm using haproxy like this:
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
use_backend bknd_private if domain_private
use_backend bknd_www if domain_www
default_backend bknd_www
What this should do is ask for a client certificate (optionally) and proceed. If the domain is not www.example.com and the visitor cannot provide the right certificate or the path is /ghost/ and the visitor cannot provide the right certificate, it should be redirected to https://www.example.com
So far, this works fine. However, I got complaints by Mac users browsing my site with Safari that they keep getting asked for the certificate when there browsing on https://www.example.com/ whereas for example Firefox only asks when browsing https://private.example.com/ or https://www.example.com/ghost/.
Appearently that's just how Safari works so I can't fix that. My idea was to use SNI to divide between different frontends
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
frontend private_https
bind *.443 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3
Of course that doesn't work because
a. I can't have two frontends listening on port 443 with only one public IP
b. I haven't found a way yet to say "use_frontend if domain_www" or something like that. (Only use_backend or use-server)
I also tried doing it with three haproxy servers
frontend haproxy-sni
bind *:443 ssl crt /etc/mycert.pem no-sslv3
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req.ssl_hello_type 1
acl domain_www ssl_fc_sni_end -i www.example.com
use-server server1 haproxy-private.lan if !domain_www
use-server server2 haproxy-public.lan if domain_www
This works, the problem here however is that haproxy-private asks for the client certificate, but the request doesn't reach the browser. Somehow haproxy-sni drops the request.
Also, I now have three haproxy servers which is not desirable (although a possible option if I can't find a better solution).
Preferably I would like something like this (made up.. don't know the real options)
frontend mysite_https
bind *.443 ssl crt /etc/mycert.pem no-sslv3
mode http
acl domain_www hdr_beg(host) -i www.
acl domain_private hdr_beg(host) -i private.
acl path_ghost path_beg /ghost/
ssl_options ca-file /etc/myca.pem verify optional if !www_domain # made up!
ssl_options ca-file /etc/myca.pem verify optional if !path_ghost # made up!
acl clientcert ssl_c_used
redirect location https://www.example.com if path_ghost !clientcert
redirect location https://www.example.com if !domain_www !clientcert
...
I hope someone can help me with this...
ssl haproxy sni
ssl haproxy sni
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
asked Jan 27 '15 at 11:51
mohrphiummohrphium
3752716
3752716
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
I found a solution to this problem, that doesn't require additional servers or services.
I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.
The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).
I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.
This way, I created sort of a loop in haproxy
[incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
[incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]
Here is the config part.
frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
bind *:443 # Do not use bind *:8443 ssl crt etc....!
option tcplog
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req_ssl_hello_type 1
acl subdomain_is_www req_ssl_sni -i www.example.com
acl subdomain_is_www req_ssl_sni -i example.com
acl subdomain_is_private req_ssl_sni -i private.example.com
use_backend bknd_snipt_private if subdomain_is_private
use_backend bknd_snipt_www if subdomain_is_www
backend bknd_snipt_www
mode tcp # tcp mode must match the frontend mode - already set as default in [global]
server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!
backend bknd_snipt_private
mode tcp
server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)
##### NORMAL HAPROXY PART #####
frontend www_example_com # this frontend can be in tcp or http mode...
bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
mode http
option httplog
frontend private_example_com
bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
mode http
option httplog
... # whatever you have in your frontend
If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
add a comment |
recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate
you can use it like this:
haproxy.conf:
frontend https
mode http
bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem
use_backend test if ssl_fc_sni -i test.area.example.org
use_backend private if ssl_fc_sni -i private.example.org
default_backend www
crt-list.conf:
www.pem [verify none]
www.pem [verify required] *.area.example.org
private.pem [verify required]
more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!
answered May 4 at 12:59
freakerfreaker
1113
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f662662%2fhaproxy-with-sni-and-different-ssl-settings%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I found a solution to this problem, that doesn't require additional servers or services.
I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.
The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).
I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.
This way, I created sort of a loop in haproxy
[incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
[incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]
Here is the config part.
frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
bind *:443 # Do not use bind *:8443 ssl crt etc....!
option tcplog
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req_ssl_hello_type 1
acl subdomain_is_www req_ssl_sni -i www.example.com
acl subdomain_is_www req_ssl_sni -i example.com
acl subdomain_is_private req_ssl_sni -i private.example.com
use_backend bknd_snipt_private if subdomain_is_private
use_backend bknd_snipt_www if subdomain_is_www
backend bknd_snipt_www
mode tcp # tcp mode must match the frontend mode - already set as default in [global]
server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!
backend bknd_snipt_private
mode tcp
server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)
##### NORMAL HAPROXY PART #####
frontend www_example_com # this frontend can be in tcp or http mode...
bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
mode http
option httplog
frontend private_example_com
bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
mode http
option httplog
... # whatever you have in your frontend
If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
add a comment |
I found a solution to this problem, that doesn't require additional servers or services.
I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.
The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).
I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.
This way, I created sort of a loop in haproxy
[incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
[incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]
Here is the config part.
frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
bind *:443 # Do not use bind *:8443 ssl crt etc....!
option tcplog
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req_ssl_hello_type 1
acl subdomain_is_www req_ssl_sni -i www.example.com
acl subdomain_is_www req_ssl_sni -i example.com
acl subdomain_is_private req_ssl_sni -i private.example.com
use_backend bknd_snipt_private if subdomain_is_private
use_backend bknd_snipt_www if subdomain_is_www
backend bknd_snipt_www
mode tcp # tcp mode must match the frontend mode - already set as default in [global]
server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!
backend bknd_snipt_private
mode tcp
server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)
##### NORMAL HAPROXY PART #####
frontend www_example_com # this frontend can be in tcp or http mode...
bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
mode http
option httplog
frontend private_example_com
bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
mode http
option httplog
... # whatever you have in your frontend
If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
add a comment |
I found a solution to this problem, that doesn't require additional servers or services.
I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.
The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).
I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.
This way, I created sort of a loop in haproxy
[incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
[incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]
Here is the config part.
frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
bind *:443 # Do not use bind *:8443 ssl crt etc....!
option tcplog
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req_ssl_hello_type 1
acl subdomain_is_www req_ssl_sni -i www.example.com
acl subdomain_is_www req_ssl_sni -i example.com
acl subdomain_is_private req_ssl_sni -i private.example.com
use_backend bknd_snipt_private if subdomain_is_private
use_backend bknd_snipt_www if subdomain_is_www
backend bknd_snipt_www
mode tcp # tcp mode must match the frontend mode - already set as default in [global]
server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!
backend bknd_snipt_private
mode tcp
server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)
##### NORMAL HAPROXY PART #####
frontend www_example_com # this frontend can be in tcp or http mode...
bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
mode http
option httplog
frontend private_example_com
bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
mode http
option httplog
... # whatever you have in your frontend
If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
I found a solution to this problem, that doesn't require additional servers or services.
I'm not entirely sure if this doesn't spawn new problems though. For me it seems to work right now.
The way I did it, was to create a frontend for each domain that required different ssl settings. I then set the bind option of those frontends to high ports (these are not reachable from public!).
I created another frontend listening on port :443 to divide traffic based on SNI, and set the backend servers to 127.0.0.1:high-port.
This way, I created sort of a loop in haproxy
[incoming]->[haproxy:443]->[haproxy:7000]->[www.intern.lan]
[incoming]->[haproxy:443]->[haproxy:8000]->[private.intern.lan]
Here is the config part.
frontend frnd_snipt # Frontend_SNI-PassThrough (snipt)
bind *:443 # Do not use bind *:8443 ssl crt etc....!
option tcplog
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if req_ssl_hello_type 1
acl subdomain_is_www req_ssl_sni -i www.example.com
acl subdomain_is_www req_ssl_sni -i example.com
acl subdomain_is_private req_ssl_sni -i private.example.com
use_backend bknd_snipt_private if subdomain_is_private
use_backend bknd_snipt_www if subdomain_is_www
backend bknd_snipt_www
mode tcp # tcp mode must match the frontend mode - already set as default in [global]
server snipt-www 127.0.0.1:7000 # run without "check", otherwise haproxy checks itself all the time!
backend bknd_snipt_private
mode tcp
server snipt-private 127.0.0.1:8000 # also, don't add "ssl" when in tcp mode. "ssl" is an http mode option (result in "NO-SRV" when set in tcp)
##### NORMAL HAPROXY PART #####
frontend www_example_com # this frontend can be in tcp or http mode...
bind *:7000 ssl crt /etc/mycert.pem no-sslv3 # www. frontend with normal https
mode http
option httplog
frontend private_example_com
bind *:8000 ssl crt /etc/mycert.pem ca-file /etc/myca.pem verify optional no-sslv3 # private. frontend with client certificate request.
mode http
option httplog
... # whatever you have in your frontend
If anyone has thoughts on this, or any idea why this could be a bad idea please let me know. It works, but I'm wondering why use_frontend isn't an option. Maybe because it's something that shouldn't be done for whatever reasons.
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
answered Jan 31 '15 at 10:29
mohrphiummohrphium
3752716
3752716
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
add a comment |
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Good idea. I could not find documentation on this setup either. Is performance similar with this HAProxy loop ?
– JB.
Aug 24 '15 at 9:25
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
Sry, i don't know how performant it is because A: didn't use it for long (because of source ip filters), B: don't have a hight traffic site, where performance optimization would be more interesting...
– mohrphium
Aug 24 '15 at 16:33
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
I just put apache2 in front of haproxy, which works but is sort of stupid because single-point-of-failure in front of hapeoxy cluster and (i think) performance bottleneck (i think hap is faster than ap2, got no real data on that though.)
– mohrphium
Aug 24 '15 at 16:41
add a comment |
recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate
you can use it like this:
haproxy.conf:
frontend https
mode http
bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem
use_backend test if ssl_fc_sni -i test.area.example.org
use_backend private if ssl_fc_sni -i private.example.org
default_backend www
crt-list.conf:
www.pem [verify none]
www.pem [verify required] *.area.example.org
private.pem [verify required]
more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!
answered May 4 at 12:59
freakerfreaker
1113
add a comment |
recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate
you can use it like this:
haproxy.conf:
frontend https
mode http
bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem
use_backend test if ssl_fc_sni -i test.area.example.org
use_backend private if ssl_fc_sni -i private.example.org
default_backend www
crt-list.conf:
www.pem [verify none]
www.pem [verify required] *.area.example.org
private.pem [verify required]
more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!
answered May 4 at 12:59
freakerfreaker
1113
add a comment |
recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate
you can use it like this:
haproxy.conf:
frontend https
mode http
bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem
use_backend test if ssl_fc_sni -i test.area.example.org
use_backend private if ssl_fc_sni -i private.example.org
default_backend www
crt-list.conf:
www.pem [verify none]
www.pem [verify required] *.area.example.org
private.pem [verify required]
more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!
answered May 4 at 12:59
freakerfreaker
1113
recent versions of haproxy support a setting called crt-list which allows you to specify different TLS settings based on the matched certificate
you can use it like this:
haproxy.conf:
frontend https
mode http
bind *:443 ssl crt-list /etc/haproxy/crt-list.conf ca-file ca.pem
use_backend test if ssl_fc_sni -i test.area.example.org
use_backend private if ssl_fc_sni -i private.example.org
default_backend www
crt-list.conf:
www.pem [verify none]
www.pem [verify required] *.area.example.org
private.pem [verify required]
more info: https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#5.1-crt-list
note on security: always match your (sensitive) hostnames against SNI ssl_fc_sni, not the HTTP hostname. Otherwise an attacker could possibly bypass your client cert auth by sending the TLS SNI of www.example.org but set the HTTP hostname to private.example.org!
answered May 4 at 12:59
freakerfreaker
1113
answered May 4 at 12:59
freakerfreaker
1113
answered May 4 at 12:59
freakerfreaker
1113
answered May 4 at 12:59
freakerfreaker
1113
1113
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f662662%2fhaproxy-with-sni-and-different-ssl-settings%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
