Hello,
Sorry, I was confused about what the client wanted. First I thought that they
wanted to talk SSL with the backend, but they actually want client certificate
authentication. I have modified my haproxy.cfg with the following
configuration:
global
    log /dev/log local0
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 600 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 20000
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 300s
    timeout server 300s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    stats enable
    stats hide-version
    # stats scope .
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:K1l1m4ndj4r0
    stats refresh 5s

frontend http-in
    bind 10.0.0.2:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
    mode http
    acl client_ssl path_beg /service/ws
    redirect location https://10.0.0.2/service/ws if client_ssl
    default_backend idfusion_all

frontend apidev
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/ca-certificates.crt verify required
    mode http
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    acl client_ssl path_beg /service/ws
    redirect location https://10.0.0.2/ if !client_ssl
    default_backend idfusion_all
    option forwardfor

backend idfusion_all
    mode http
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option redispatch
    retries 3
    cookie rc_cookie_vers insert indirect nocache secure
    server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
    server loft10179 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
This configuration is working on some browsers like Safari, but it does not work
with Firefox or Chrome, since I am getting SSL_ERROR_HANDSHAKE_FAILURE_ALERT.
Any idea how to fix it?
Regards,
Peter
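The posted config binds 10.0.0.2:443 in two frontends, one with verify required against the whole system CA bundle and one with no client verification at all. As an added example that is not part of this thread, the following frontend takes the single-listener approach instead: one bind with verify optional, a dedicated client CA file, and ACLs that enforce the certificate only for /service/ws. The file paths /etc/ssl/private/veracityid.com.pem and /etc/ssl/private/client-ca.crt are assumptions.

```haproxy
# Added example, not from the thread. One HTTPS listener; the certificate is
# requested from every client but only enforced for /service/ws.
# /etc/ssl/private/veracityid.com.pem and /etc/ssl/private/client-ca.crt
# are assumed paths (the .pem holds the server cert chain plus key).
frontend https-in
    # verify optional: the handshake completes when the browser sends no
    # certificate; a certificate that fails verification still aborts the
    # handshake unless the error is listed in ca-ignore-err/crt-ignore-err.
    # ca-file should contain only the CA(s) that issue the client certs:
    # these are the trust anchors AND the CA names advertised to the
    # browser, which it uses to decide which certificate to offer.
    bind 10.0.0.2:443 ssl crt /etc/ssl/private/veracityid.com.pem ca-file /etc/ssl/private/client-ca.crt verify optional
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    acl ws_path  path_beg /service/ws
    acl has_cert ssl_c_used
    acl cert_ok  ssl_c_verify 0

    # Protected path: reject requests without a presented, verified cert.
    http-request deny if ws_path !has_cert
    http-request deny if ws_path !cert_ok

    # Hand the verified identity to the application for authorization and
    # audit; the verify result is always set so the backend can log it.
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if cert_ok
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

    # Log whether a cert was offered and its verify code per request, which
    # narrows down "works in one browser, fails in another" reports.
    log-format "%ci:%cp [%t] %ft %b/%s %ST %{+Q}r c_used=%[ssl_c_used] c_verify=%[ssl_c_verify]"

    default_backend idfusion_all
```

Requests to other paths still complete the handshake without a certificate, so the redirect loop between the two original frontends (one sending /service/ws, the other sending / when no cert was given) no longer arises.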
> On 23 Aug 2017, at 10:42, Yann Cézard <[email protected]> wrote:
>
> Hi Peter,
>
> On 23/08/2017 00:48, Keresztes Péter-Zoltán wrote:
>> Hello,
>>
>> I am trying to setup haproxy with two way authentication. While the frontend
>> looks good one of the backends is giving me headaches with ssl handshake
>> failures.
>>
>> Here is how the frontends and backends does look like:
>>
>> frontend http-in
>> bind 69.64.57.197:80
>> redirect scheme https code 301 if !{ ssl_fc }
>>
>> frontend https-in
>> bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>> mode http
>> acl client_ssl path_beg /service/ws
>> use_backend test_client_ssl if client_ssl
>> default_backend test_all
>>
>> backend test_all
>> mode http
>> balance leastconn
>> timeout connect 1s
>> timeout server 300s
>> timeout queue 30s
>> option redispatch
>> retries 3
>> cookie rc_cookie_vers insert indirect nocache secure
>> server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>> server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>
>> backend test_client_ssl
>> mode http
>> balance leastconn
>> timeout connect 1s
>> timeout server 300s
>> timeout queue 30s
>> option httpchk GET "/service/ws" "HTTP/1.0"
>> cookie rc_cookie_vers insert indirect nocache secure
>> server usloft4778 192.168.0.1:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
>> server loft10179 192.168.0.2:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
> You are using the same server:port for both HTTP and HTTPS backends; I
> doubt those backends are able to speak HTTP and HTTPS
> on the same port.
> Not sure what you are trying to achieve, but the config you sent means
> that you want:
> - to connect to the backend in HTTP mode if the path does not begin with
> /service/ws
> - to connect to the backend in HTTPS mode + client verification if the
> path begins with /service/ws
>
> Not sure what you are trying to do though:
> 1. two-way auth between the client and HAProxy?
> 2. two-way auth between HAProxy and the backend servers?
>
> For the first one, you'll have to configure that in the frontend
> (https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/)
> For the second one, you'll probably have to check the ports you used
> between HAProxy and your backends.
>>
>> Any suggestion to make this work?
>>
>> Thanks in advance
>> Peter
> Hope this helps,
>
> Yann