On 2019-06-25 16:54, Lukas Tribus wrote:
Hello Rainer,


On Tue, 25 Jun 2019 at 16:18, <[email protected]> wrote:
The requests from the healthchecks *do* arrive at the right vhosts on
the backend, there's a code 200 in the logs.
So, I wonder what exactly is timing out for haproxy.
The server on the other end does not accept non-SNI connections, there's
an SSL handshake error if you don't do SNI.


At this point, I feel pretty dumb.

Health checks are fine.
Actual requests with your production traffic are not.

check-sni specifies the SNI value to use for health-checks ONLY.
sni specifies the SNI value for actual traffic ONLY.
You need both though.

So your servers look like this, for example; notice that both check-sni
and sni are configured:

server server1 10.10.10.11:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s1 check-sni host3.intern sni str(host3.intern)
server server2 10.10.10.12:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s2 check-sni host3.intern sni str(host3.intern)

If you only configure check-sni, only health checks work, production
traffic will not.


Ah, OK.
Thanks.


However, I still get L7TOUT on the healthchecks.

This is the haproxy that came with Ubuntu 18.04.2, haproxy 1.8.8.
At this point, I wonder if the keepalive configuration on the host has any influence on this.
Though, it could also be an IIS thing.
If my co-worker removes the application from the app-server, the healthcheck turns OK.

time curl -kv -I --resolve "app-api.dom.intern:443:10.200.16.36" -H "Host: app-api.dom.intern" -o /dev/null https://app-api.dom.intern:443/swagger/ui/index
* Added app-api.dom.intern:443:10.200.16.36 to DNS cache
* Hostname app-api.dom.intern was found in DNS cache
*   Trying 10.200.16.36...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connected to app-api.dom.intern (10.200.16.36) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [218 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [827 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.dom.intern
*  start date: Jun 19 11:49:25 2019 GMT
*  expire date: Jun 19 11:59:26 2039 GMT
*  issuer: CN=*.dom.intern
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55ed4bbd0900)
} [5 bytes data]
HEAD /swagger/ui/index HTTP/2
Host: app-api.dom.intern
User-Agent: curl/7.58.0
Accept: */*

{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200
< cache-control: no-cache
< pragma: no-cache
< content-type: text/html
< expires: -1
< server: Microsoft-IIS/10.0
< x-aspnet-version: 4.0.30319
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-frame-options: SAMEORIGIN
< access-control-allow-origin: https://app-bo.dom.intern
< access-control-allow-headers: Origin, X-Requested-With, Content-Type, Authorization, X-Token-Jwt
< access-control-allow-credentials: true
< access-control-allow-methods: *
< date: Tue, 25 Jun 2019 15:52:40 GMT
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host app-api.dom.intern left intact

real    0m0.034s
user    0m0.011s
sys     0m0.008s



backend app_api
  mode http
  server ISOPROD036 10.200.16.36:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s1 check-sni app-api.dom.intern sni str(app-api.dom.intern)
  server ISOPROD037 10.200.16.37:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s2 check-sni app-api.dom.intern sni str(app-api.dom.intern)
  option httpclose
  option forwardfor
  option httpchk GET /swagger/ui/index HTTP/1.1\r\nHost:\ app-api.dom.intern\r\nUser-agent:\ LB-Check-API\r\nConnection:\ close
  http-check expect string Hello
  http-check disable-on-404
  cookie SERVERID insert indirect nocache httponly
  balance leastconn
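To see from the outside what the health check in the backend above actually gets back, here is a small diagnostic I wrote as an added example (it is not haproxy code and not from this thread): it unescapes the option httpchk arguments into the raw request, connects with TLS 1.2 and the check-sni value (or with no SNI at all, which reproduces the handshake error mentioned earlier), reads until the server closes or a timeout fires, and reports a status in the same L4/L6/L7 classes haproxy logs. The function names, the 2 second timeout and the status mapping are my approximation of haproxy's behaviour, not its implementation.

```python
import socket
import ssl

HTTPCHK = r"GET /swagger/ui/index HTTP/1.1\r\nHost:\ app-api.dom.intern\r\nUser-agent:\ LB-Check-API\r\nConnection:\ close"
EXPECT = "Hello"  # HTTPCHK and EXPECT are copied from the backend config in the mail above

def httpchk_to_request(httpchk_args: str) -> bytes:
    """Unescape 'option httpchk' arguments ('\\ ' is a space, '\\r\\n' a CRLF) into raw request bytes."""
    method, uri, rest = httpchk_args.split(" ", 2)
    rest = rest.replace("\\ ", " ").replace("\\r\\n", "\r\n")
    return f"{method} {uri} {rest}\r\n\r\n".encode()

def classify_response(raw: bytes, expect) -> str:
    """Map a complete HTTP response to the check status haproxy would log for it (approximation)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "L7RSP"  # no parsable status line
    if expect is not None:  # 'http-check expect string' is matched against the body
        return "L7OK" if expect.encode() in body else "L7RSP"
    return "L7OK" if 200 <= int(parts[1]) <= 399 else "L7STS"

def run_check(host: str, port: int, sni, request: bytes, expect, timeout: float = 2.0) -> str:
    """One check like 'check-ssl ssl verify none force-tlsv12 check-sni <sni>'; sni=None sends no SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # 'verify none'
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # 'force-tlsv12'
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # layer 4: no TCP connection at all
        return "L4TOUT" if isinstance(exc, socket.timeout) else "L4CON"
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni)  # layer 6: TLS handshake
    except socket.timeout:
        return "L6TOUT"
    except ssl.SSLError:
        return "L6RSP"  # handshake rejected, e.g. a vhost that refuses connections without SNI
    chunks = []
    try:
        with tls:  # layer 7: send the check and read until the server closes
            tls.sendall(request)
            while chunk := tls.recv(65536):
                chunks.append(chunk)
    except socket.timeout:
        return "L7TOUT"  # response not finished (or connection not closed) within the timeout
    return classify_response(b"".join(chunks), expect)

if __name__ == "__main__":  # constructed call using the server address and SNI from the mail
    print(run_check("10.200.16.36", 443, "app-api.dom.intern", httpchk_to_request(HTTPCHK), EXPECT))
```

Running it once with sni=None and once with the check-sni value separates a layer-6 refusal from a layer-7 timeout, which is the distinction the L7TOUT in the logs leaves open.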


