On 5 May 2016 9:16 pm, "Hector Rivas Gandara" <
[email protected]> wrote:
>
> Hello,
>
> we are trying to configure this architecture:
>
> * ELB terminating SSL, using preconfigured certificates. (This is a
> requirement so that only restricted people have access to the end-user
> certs.)
> * ELB connects to the HAProxy backend using SSL (also a requirement).
> * ELB sends proxy headers as described in http://amzn.to/1YajEG3
>
> * HAProxy listens for SSL on 443.
> * HAProxy is used for doing some HTTP transformations (modify headers, etc.).
>
> Once ELB is configured with SSL + proxy protocol, we tried to configure
> HAProxy by adding accept-proxy to the bind of the HTTPS frontend:
>
> ```
> frontend https-in
> mode http
> # Note, I truncated this line because of the mailing list's 80-char limit
> bind :443 accept-proxy ssl crt \
> /var/vcap/jobs/haproxy/config/cert.pem \
> no-sslv3 ciphers ...
> ...
> ```
>
> But it fails: `Received something which does not look like a PROXY
> protocol header`.
>
> While troubleshooting, I found that ELB sends the PROXY header INSIDE
> the SSL stream. For instance, I ran openssl:
>
> ```
> $ openssl s_server -accept 443 -cert cert.pem
> ...
>
> ACCEPT
> bad gethostbyaddr
> -----BEGIN SSL SESSION PARAMETERS-----
> MFUCAQECAgMDBAIAnwQABDBsAWD78V/tz9KhYw4R/kpL5YPBxfF1qcmzxlclNDuz
> 0KWw9aGojVogjtBkH/zZOLWhBgIEVyoquqIEAgIBLKQGBAQBAAAA
> -----END SSL SESSION PARAMETERS-----
> Shared ciphers:...
> CIPHER is DHE-RSA-AES256-GCM-SHA384
> Secure Renegotiation IS supported
> PROXY TCP4 80.194.77.90 192.168.6.14 39220 443
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: something.com
> Accept: */*
> ```
>
> So I did a "chained" config in HAProxy: one listener to do the SSL
> termination in pure TCP mode, and another to "extract" the proxy protocol
> header and do the HTTP transformations:
>
> ```
> # TLS termination only: TCP mode, so the decrypted bytes (PROXY line
> # first, then HTTP) are relayed untouched to the local HTTP frontend.
> listen https-in
> mode tcp
> bind :443 ssl crt /var/vcap/jobs/haproxy/config/cert.pem no-sslv3 ciphers ...
> server http 127.0.0.1:8081
>
> # HTTP frontend: accept-proxy now sees the PROXY line at the start of the
> # plaintext stream, so the original client address is available here.
> frontend http-in-from-ssl
> mode http
> bind :8081 accept-proxy
> option httplog
> option forwardfor
> reqadd X-Forwarded-Proto:\ https
> default_backend http-routers
> ```
>
> And that works!!!
>
> So my questions are:
>
> * Is this normal and expected? I cannot find any information about that.
> * Is it possible to change the ELB behaviour to put the proxy protocol
> header OUTSIDE the SSL stream? I did not find any info about that.
> * If not, is it possible to change the behaviour of HAProxy to use one
> frontend but read the proxy protocol header from inside the SSL
> stream?
> * If not, is there a better way to 'chain' the config as I did above?
>
> Thank you!
>
>
https://jve.linuxwall.info/ressources/taf/haproxy-aws/
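The failure Hector hit comes down to which bytes arrive first on the socket: a `bind :443 accept-proxy ssl` line looks for the literal `PROXY ` before any TLS handling, but what reaches port 443 from the ELB is a TLS ClientHello; the `PROXY TCP4 ...` line only exists inside the decrypted stream. The parser below is an added example written for this thread, not code from the thread, from HAProxy or from AWS. It implements the PROXY protocol v1 text line as specified (single-space-separated fields, CRLF terminator, whole line at most 107 bytes, addresses matching the declared family, ports in range) and classifies the first bytes of a connection the way the two binds in the chained config would see them. The first sample is built from the `openssl s_server` capture above; the TLS record prefix and the spoofed line are constructed for the example.

```python
"""PROXY protocol v1 parser: which bytes a listener sees first, and what they mean.

Added example for the ELB -> HAProxy thread; not HAProxy's own code. The checks
follow the documented v1 line format and are an assumption about what HAProxy
rejects as 'does not look like a PROXY protocol header', not a copy of its source.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROXY_V1_MAX_LEN = 107   # longest legal v1 line incl. CRLF (TCP6 with full addresses)


class NotProxyHeader(ValueError):
    """Leading bytes are not a PROXY v1 line."""


@dataclass(frozen=True)
class ProxyInfo:
    family: str                  # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str] = None    # client address *as claimed by whoever sent the line*
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _port(text: str) -> int:
    if not text.isdigit() or not 0 <= int(text) <= 65535:
        raise NotProxyHeader(f"bad port {text!r}")
    return int(text)


def parse_proxy_v1(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split buf into (parsed PROXY v1 header, remaining payload) or raise NotProxyHeader."""
    if not buf.startswith(b"PROXY "):
        raise NotProxyHeader(f"leading bytes {buf[:6]!r} are not 'PROXY '")
    end = buf.find(b"\r\n", 0, PROXY_V1_MAX_LEN)     # CRLF must lie within the first 107 bytes
    if end < 0:
        raise NotProxyHeader("no CRLF within 107 bytes")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as e:
        raise NotProxyHeader("non-ASCII byte in header") from e
    family = fields[1]
    if family == "UNKNOWN":                          # sender declines to name a client address
        return ProxyInfo("UNKNOWN"), buf[end + 2:]
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise NotProxyHeader(f"malformed line {buf[:end]!r}")
    _, _, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError as e:
        raise NotProxyHeader(str(e)) from e
    if s.version != want or d.version != want:
        raise NotProxyHeader(f"address family does not match {family}")
    return ProxyInfo(family, src, dst, _port(sport), _port(dport)), buf[end + 2:]


def is_proxy_v1(buf: bytes) -> bool:
    """True if buf starts with a well-formed PROXY v1 line."""
    try:
        parse_proxy_v1(buf)
        return True
    except NotProxyHeader:
        return False


def classify_first_bytes(buf: bytes) -> str:
    """What a listener sees first: a PROXY line, a TLS record, or something else."""
    if buf.startswith(b"PROXY "):
        return "proxy-v1"
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03:   # TLS handshake record, TLS 1.x
        return "tls-record"
    return "other"


# Constructed from the openssl s_server capture in the thread: the plaintext that
# the :8081 frontend receives after the :443 listener has terminated TLS.
DECRYPTED_FROM_ELB = (b"PROXY TCP4 80.194.77.90 192.168.6.14 39220 443\r\n"
                      b"GET / HTTP/1.1\r\nHost: something.com\r\n\r\n")
# Constructed: the start of a TLS 1.2 ClientHello record, i.e. the raw bytes a
# 'bind :443 accept-proxy ssl' socket reads BEFORE decryption. Not 'PROXY ', so it fails.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 c5 01 00 00 c1 03 03") + bytes(32)
# Constructed: a line any peer able to reach a reachable accept-proxy listener can send.
SPOOFED = b"PROXY TCP4 10.0.0.1 192.168.6.14 1234 443\r\nGET /admin HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("after TLS termination", DECRYPTED_FROM_ELB),
                         ("raw bytes on :443", TLS_CLIENT_HELLO_PREFIX),
                         ("untrusted peer on :8081", SPOOFED)]:
        kind = classify_first_bytes(sample)
        try:
            info, payload = parse_proxy_v1(sample)
            print(f"{name}: {kind}, client {info.src}:{info.sport}, payload {payload[:14]!r}")
        except NotProxyHeader as e:
            print(f"{name}: {kind}, rejected: {e}")
```

Running it shows the two outcomes side by side: the decrypted stream parses to client 80.194.77.90:39220 with the HTTP request as the remaining payload, while the TLS record prefix is rejected for the same reason HAProxy logs. The `SPOOFED` sample is the caveat with the chained config as posted: `bind :8081 accept-proxy` listens on every interface, and a PROXY line is just text, so any peer that can reach port 8081 directly gets to choose the client address that `option forwardfor` and the logs will record. Binding that frontend to `127.0.0.1:8081`, or firewalling the port so that only the local TLS listener can reach it, keeps the address information trustworthy.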