Re: HAProxy setup

2015-12-05 Thread Jarno Huuskonen
Hi,

On Fri, Dec 04, Milos Zupancic wrote:
> Hi,
> 
> I am looking for a solution on how to setup HaProxy and Tomcat with SSL
> termination + passing client certificate to the backend tomcat.
> 
> At the moment we use Apache for SSL termination and proxy balancer to point
> to tomcat AJP port.
> Application on tomcat needs the client certificate in order to allow
> logging in.
> 
> I have been trying various setups but nothing seems to work.
> At the moment i have something like this:
> frontend https-c-in
> mode http
> bind 192.168.0.10:443 name https ssl crt /etc/ssl/ljvfep.pem ca-file /etc/ssl/CA.pem verify required
> 
> ###
> http-request set-header X-SSL %[ssl_fc]
> http-request add-header Client-Cert %[ssl_c_der,base64]
> http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
> http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
> http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
> http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
> http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
> http-request set-header X-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
> 
> ###
> default_backend c-https
> 
> backend c-https
> mode http
> balance roundrobin
> cookie SERVERID insert nocache
> server ljvfep4 192.168.0.10:20443 check inter 2000 rise 2 fall 2
> server ljvfep3 192.168.0.11:20443 check inter 2000 rise 2 fall 2
> 
> 
> This would give me a 502 bad gateway error. If i access the tomcat directly
> all works as expected.

Is Tomcat configured for SSL on port 20443?

> Any suggestions?

If you want to terminate SSL on haproxy (the connection between
haproxy<->tomcat is plain http), then you can try to configure SSLValve on
tomcat (tomcat expects the client certificate in the SSL_CLIENT_CERT header)
and send the client cert with:
http-request add-header SSL_CLIENT_CERT -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ # don't forget the last space
(http://marc.info/?l=haproxy&m=141460786510796&w=2)

-Jarno

-- 
Jarno Huuskonen
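
As an added illustration (my own code, not Jarno's reply and not HAProxy's or
Tomcat's implementation), here is the header format above in Python: one
function builds exactly the single-line value the add-header expression
produces (PEM armour, base64 DER, spaces in place of newlines, trailing
space), and the backend-side helpers normalise it back to a PEM block and
refuse a request where the header is missing or appears more than once. The
DER bytes are constructed and are not a real certificate; all function names
are mine.

```python
import base64
import binascii

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for DER certificate bytes (not a real certificate);
# the header encoding does not depend on the payload being valid ASN.1.
SAMPLE_DER = bytes(range(256)) * 3


def haproxy_header_value(der: bytes) -> str:
    """Value produced by the add-header expression in the reply above.
    Header values cannot contain line breaks, so the PEM newlines become
    spaces, and the expression ends with an escaped (trailing) space."""
    body = base64.b64encode(der).decode("ascii")
    return f"{PEM_HEADER} {body} {PEM_FOOTER} "


def der_from_header(value: str) -> bytes:
    """Parse the one-line header back to DER, rejecting anything that is not
    exactly one PEM-armoured certificate with a well-formed base64 body."""
    text = value.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("header does not carry a PEM-armoured certificate")
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)].replace(" ", "")
    # Standard base64 never contains '-', so a dash means a second armour line.
    if not body or "-" in body:
        raise ValueError("expected exactly one certificate")
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc


def pem_from_header(value: str) -> str:
    """Rebuild a multi-line PEM block (64-column base64 lines), the form X.509
    parsers expect. This mirrors the normalisation any consumer of the header
    has to do; it is written for this example, not taken from SSLValve."""
    der = der_from_header(value)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def extract_client_cert(headers: list[tuple[str, str]]) -> bytes:
    """Backend-side check: the proxy-set header must be present exactly once.
    'add-header' appends rather than replaces, so a second copy means the
    proxy forwarded a client-supplied header or the config is wrong."""
    values = [v for k, v in headers if k.lower() == "ssl_client_cert"]
    if len(values) != 1:
        raise ValueError(f"expected exactly one SSL_CLIENT_CERT header, got {len(values)}")
    return der_from_header(values[0])


if __name__ == "__main__":
    value = haproxy_header_value(SAMPLE_DER)
    assert extract_client_cert([("Host", "app.example"), ("SSL_CLIENT_CERT", value)]) == SAMPLE_DER
    print(pem_from_header(value).splitlines()[:3])
```

The duplicate-header check is there because add-header appends: a request
that already carried an SSL_CLIENT_CERT header from the client would reach
Tomcat with two values. On the HAProxy side the cleaner fix is an
http-request del-header SSL_CLIENT_CERT before the add-header, or set-header,
which replaces instead of appending.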



Re: Contribution for HAProxy: Peer Cipher based SSL CTX switching

2015-12-05 Thread Bryan Talbot
On Fri, Dec 4, 2015 at 10:17 AM, Bryan Talbot  wrote:

> On Fri, Dec 4, 2015 at 6:15 AM, Dave Zhu (yanbzhu) 
> wrote:
>
>> Hey Bryan,
>> it’s strange that it’s always loading the ECC cert. I just tested the
>> code on my end and I’m not seeing this behavior.
>>
>>
> I see it on OSX, I'll test on Linux today.
>
>

On Ubuntu VERSION="14.04.3 LTS, Trusty Tahr" with OpenSSL 1.0.2e compiled
from source, haproxy is crashing with your patches and a bind line of
  bind :8443 ssl crt ./var/tls/localhost.pem

If I change the bind to be
  bind :8443 ssl crt ./var/tls/
it doesn't crash.

OpenSSL 1.0.2e was built and installed to /usr/local/ssl/ with "./config &&
make && make test && sudo make install"
haproxy 1.6.2 was built from source

make -j 4 TARGET=linux2628 USE_OPENSSL=1 SSL_INC=/usr/local/ssl/include
SSL_LIB=/usr/local/ssl/lib USE_ZLIB=1 ADDLIB=-ldl all

$> ./haproxy -vv
HA-Proxy version 1.6.2 2015/11/03
Copyright 2000-2015 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2e 3 Dec 2015
Running on OpenSSL version : OpenSSL 1.0.2e 3 Dec 2015
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc's regex instead)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.



$>  ./haproxy -f ./tls-test-haproxy.cfg -c
*** buffer overflow detected ***: ./haproxy terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f59577da38f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f5957871c9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f5957870b60]
/lib/x86_64-linux-gnu/libc.so.6(__stpncpy_chk+0x0)[0x7f595786ffc0]
./haproxy[0x48dc4e]
./haproxy[0x490ec8]
./haproxy[0x493090]
./haproxy[0x4932d1]
./haproxy[0x41e27d]
./haproxy[0x42a680]
./haproxy[0x406676]
./haproxy[0x40490c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f5957788ec5]
./haproxy[0x405963]
======= Memory map: ========
00400000-006cb000 r-xp 00000000 08:01 268022 /home/vagrant/haproxy-1.6.2/haproxy
008ca000-008cb000 r--p 002ca000 08:01 268022 /home/vagrant/haproxy-1.6.2/haproxy
008cb000-008dc000 rw-p 002cb000 08:01 268022 /home/vagrant/haproxy-1.6.2/haproxy
008dc000-008ed000 rw-p 00000000 00:00 0
01aee000-01b0f000 rw-p 00000000 00:00 0 [heap]
7f5957551000-7f5957567000 r-xp 00000000 08:01 2286 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5957567000-7f5957766000 ---p 00016000 08:01 2286 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5957766000-7f5957767000 rw-p 00015000 08:01 2286 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f5957767000-7f5957922000 r-xp 00000000 08:01 2269 /lib/x86_64-linux-gnu/libc-2.19.so
7f5957922000-7f5957b21000 ---p 001bb000 08:01 2269 /lib/x86_64-linux-gnu/libc-2.19.so
7f5957b21000-7f5957b25000 r--p 001ba000 08:01 2269 /lib/x86_64-linux-gnu/libc-2.19.so
7f5957b25000-7f5957b27000 rw-p 001be000 08:01 2269 /lib/x86_64-linux-gnu/libc-2.19.so
7f5957b27000-7f5957b2c000 rw-p 00000000 00:00 0
7f5957b2c000-7f5957b2f000 r-xp 00000000 08:01 2138 /lib/x86_64-linux-gnu/libdl-2.19.so
7f5957b2f000-7f5957d2e000 ---p 00003000 08:01 2138 /lib/x86_64-linux-gnu/libdl-2.19.so
7f5957d2e000-7f5957d2f000 r--p 00002000 08:01 2138 /lib/x86_64-linux-gnu/libdl-2.19.so
7f5957d2f000-7f5957d30000 rw-p 00003000 08:01 2138 /lib/x86_64-linux-gnu/libdl-2.19.so
7f5957d30000-7f5957d48000 r-xp 00000000 08:01 2166 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f5957d48000-7f5957f47000 ---p 00018000 08:01 2166 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f5957f47000-7f5957f48000 r--p 00017000 08:01 2166 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f5957f48000-7f5957f49000 rw-p 00018000 08:01 2166 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f5957f49000-7f5957f52000 r-xp 00000000 08:01 2314 /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5957f52000-7f5958152000 ---p 00009000 08:01 2314 /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5958152000-7f5958153000 r--p 00009000 08:01 2314 /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5958153000-7f5958154000 rw-p 0000a000 08:01 2314 /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f5958154000-7f5958182000 rw-p 00000000 00:00 0
7f5958182000-7f59581a5000 r-xp 00000000 08:01 2235 /lib/x86_64-linux-gnu/ld-2.19.so
7f5958396000-7f595839a000 rw-p 00000000 00:00 0
7f59583a0000-7f59583a4000 rw-p

Re: Lua Shell letsencrypt

2015-12-05 Thread thierry . fournier
On Fri, 4 Dec 2015 00:23:53 -0700
Mela Luca  wrote:

> I am looking to automate letsencrypt with Lua; the process would be to detect 
> whether the domain has a cert already and, if not, execute letsencrypt 
> on the domain. 
> Any thoughts on whether this would be possible to do with Lua? I am guessing by using 
> os.execute.
> 

I'm not sure that you're going about this the right way:

 - I don't know letsencrypt very well, but I heard that the
   letsencrypt framework expects a confirmation that the requester is
   the real owner of the web site. It requires the owner to add a
   special webpage at a special URL. So the process is very slow and it
   cannot be done within the time of an HTTP request.

 - os.execute() is a blocking action. While HAProxy is waiting for the
   script response, it does nothing, and all the traffic is blocked.

Actually, the Lua in HAProxy only communicates with other processes via
the Socket provided by the Lua/HAProxy API.

Thierry



Re: Fwd: Re: [squid-users] intercepting traffic

2015-12-05 Thread thierry . fournier
On Thu, 03 Dec 2015 07:40:03 -0500
Brendan Kearney  wrote:

> I am looking to set up a transparent intercepting proxy, where I use 
> iptables to DNAT traffic on port 80 and redirect it to HAProxy and in 
> turn load balance to Squid for fulfillment.  The DNAT to HAProxy works 
> and the load balance to Squid works, but Squid sees the request without 
> the correct or full request.
> 
> The lovely and helpful Squid folks have said:
> 
> Whatever is receiving the packet from DNAT has to also translate the 
> HTTP layer messages from origin relative-URI format to intermediary 
> absolute-URI format.
> 
> While I understand what is being said, I don't know how to implement 
> this in HAProxy.  Where do I go for more info around how to set this up 
> in HAProxy?  Any help is greatly appreciated.


The content of a proxy request is like this:

   GET http://www.google.com/my-search HTTP/1.1
   headers: ...

The content of an http request without proxy is like this:

   GET /my-search HTTP/1.1
   Host: www.google.com
   headers: ...

Squid expects the first form, but when it is used as a transparent
proxy, it accepts the second form (it may be a good idea to confirm
this information).

Maybe you must configure Squid as a transparent proxy, even if its only
client is HAProxy.

Thierry

> TIA,
> 
> brendan
> 
> -------- Forwarded Message --------
> Subject:  Re: [squid-users] intercepting traffic
> Date: Fri, 20 Nov 2015 17:12:02 +1300
> From: Amos Jeffries 
> To:   squid-us...@lists.squid-cache.org
> 
> 
> 
> On 20/11/2015 1:09 p.m., Brendan Kearney wrote:
> > when I put in just the DNAT that sends the traffic to the proxy VIP and
> > load balances the requests to the squid instances on port 3128 (not the
> > intercept port), I issue a curl command:
> >
> > curl -vvv --noproxy squid-cache.org http://squid-cache.org/
> >
> > and get an error page saying:
> >
> > ...
> > The following error was encountered while trying to retrieve the URL:
> > /
> >
> >
> > is the DNAT stripping header info, such as the Host header, or am I
> > still missing something?
> 
> HTTP != TCP/IP ... DNAT is only changing the IP:port details.
> 
> Whatever is receiving the packet from DNAT has to also translate the
> HTTP layer messages from origin relative-URI format to intermediary
> absolute-URI format.
> 
> That rule-of-thumb "MUST rule" you mentioned earlier is about those two
> DNAT and HTTP translation operations being required to be done together
> on the same machine. It is not limited to Squid. It could be HAProxy or
> some other LB software responsible for doing it.
> 
> Squid is just the only software which actually tells you up front about
> the issue, instead of leaving other software later on down the transfer
> chain (possibly in somebody else's network) to break with errors like you
> see above.
> 
> Amos
> 
> ___
> squid-users mailing list
> squid-us...@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> 



Set the URI

2015-12-05 Thread Brendan Kearney
I am trying to use HAProxy to perform http interception and 
transparently proxy outbound http traffic.  I am having a dog of a time 
trying to get this working.  I need to rewrite the GET line on a request 
so that the request is for the absolute URL, and not the relative URI.


I found this article:
http://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html#rewriting-http-urls

and the "Set the URI" section of that page is exactly what I want to do, 
but I need to do it in the community version of HAProxy, not Aloha.


I can't seem to get the process down on how to capture or extract the 
request URL, and rewrite the GET line to contain that info.  Can someone 
point me in the right direction on what I need to do?


thanks in advance,

brendan
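
An added example, mine rather than the thread's or HAProxy's: a Python
function that performs the translation Thierry describes in the squid-users
thread above (origin-form request line plus Host header becomes an
absolute-form request line) on a raw request head, with the checks a proxy
has to make before it trusts the Host header. The sample requests are
constructed; the Host value reuses Thierry's www.google.com illustration.

```python
class BadRequest(ValueError):
    """Raised for requests a proxy should answer with 400 instead of forwarding."""


def parse_head(raw: bytes):
    """Split a request head into (method, target, version, headers).
    headers maps lower-cased names to the list of values seen, so duplicate
    headers are visible to the caller instead of silently collapsed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # RFC 7230 s3.2.4: whitespace between the name and the colon is an error.
        if not sep or not name or name != name.strip():
            raise BadRequest(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return parts[0], parts[1], parts[2], headers


def absolute_target(method: str, target: str, headers: dict, scheme: str = "http") -> str:
    """Return the request-target in absolute form (RFC 7230 s5.3.2)."""
    if method == "CONNECT" or target == "*" or "://" in target:
        return target  # authority-form, asterisk-form, or already absolute-form
    if not target.startswith("/"):
        raise BadRequest("request-target is neither origin-form nor absolute-form")
    hosts = headers.get("host", [])
    if len(hosts) != 1:  # RFC 7230 s5.4: missing or duplicate Host gets a 400
        raise BadRequest(f"expected exactly one Host header, got {len(hosts)}")
    host = hosts[0]
    # The Host value becomes part of the URI, so it must look like an authority:
    # no path separators, whitespace, userinfo or fragment/query delimiters.
    if not host or any(c in host for c in "/\\ \t@#?"):
        raise BadRequest("Host header is not a valid authority")
    return f"{scheme}://{host}{target}"


def rewrite_to_absolute_form(raw: bytes, scheme: str = "http") -> bytes:
    """Rewrite only the request line; headers and body pass through unchanged."""
    method, target, version, headers = parse_head(raw)
    new_target = absolute_target(method, target, headers, scheme)
    _first_line, sep, rest = raw.partition(b"\r\n")
    return f"{method} {new_target} {version}".encode("iso-8859-1") + sep + rest


if __name__ == "__main__":
    sample = (b"GET /my-search HTTP/1.1\r\n"
              b"Host: www.google.com\r\n\r\n")  # constructed request
    print(rewrite_to_absolute_form(sample).decode())
```

In HAProxy 1.6 the same rewrite for origin-form requests can be expressed in
configuration as http-request set-uri http://%[req.hdr(host)]%[capture.req.uri];
that is the directive I would start from for the community version, checked
against the manual of the release actually installed.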



Re: lua authentication

2015-12-05 Thread thierry . fournier
Hi,

To complement this, I would say that Lua bindings for the standard
OpenLDAP client exist, but unfortunately the operation is blocking
and doesn't run very well with HAProxy.

It seems that a Lua rewrite of the LDAP protocol using the standard Lua
HAProxy socket is a solution, but this is a big development. Maybe a
partial implementation (just the binding) would be useful.

Thierry

 

On Fri, 4 Dec 2015 08:35:41 +0100
Baptiste  wrote:

> current Lua implementation already allows asynchronous network sockets.
> Now, what you need to do is to code a basic LDAP auth request in Lua
> and be able to parse the response.
> 
> Baptiste
> 
> 
> 
> On Thu, Dec 3, 2015 at 11:58 PM, Grant Haywood  wrote:
> > That's exactly what I am wanting to code, I just need an example of how to 
> > do auth, like userlist, inside of Lua.
> >
> > - Original Message -
> > From: "Igor Cicimov" 
> > To: "Grant Haywood" 
> > Cc: "HAProxy" 
> > Sent: Thursday, December 3, 2015 3:58:28 PM
> > Subject: Re: lua authentication
> >
> >
> >
> >
> > Hi Grant,
> >
> >
> >
> > On Fri, Dec 4, 2015 at 7:46 AM, Grant Haywood < gr...@iowntheinter.net > 
> > wrote:
> >
> >
> > Hello,
> >
> > I was wondering if there is a basic example of using lua to do 
> > authentication?
> >
> > I am specifically interested in constructing 'ldap' and 'jwt' versions of 
> > the 'userlist' block
> >
> > thx in advance for your time
> >
> >
> >
> > Excellent question. One feature I would love to see in haproxy is support 
> > for ldap authentication. It would be awesome if that could be done via lua.
> >
> >
> > Thanks,
> >
> > Igor
> >
> 
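
Thierry's "partial implementation (just the binding)" is concrete enough to
sketch. What follows is an added example of my own, in Python rather than
HAProxy Lua and independent of any project code: the BER encoding of an LDAPv3
simple BindRequest and the parsing of the BindResponse, which are the two
messages a Lua script would push through HAProxy's non-blocking socket. It
refuses to send an empty password, because an LDAP server treats a DN with an
empty password as an anonymous bind and answers success (RFC 4513 section
5.1.2), which would turn the check into a bypass. The DN, password and server
replies are constructed for the example.

```python
def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _integer(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (enough for IDs and version)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a simple BindRequest (RFC 4511 section 4.2)."""
    if not password:
        # DN plus empty password is an unauthenticated bind; servers answer
        # success, so an auth check built on it would accept anyone.
        raise ValueError("refusing to send an empty password (anonymous bind)")
    bind = _tlv(0x60,                                   # [APPLICATION 0] BindRequest
                _integer(3)                              # version 3
                + _tlv(0x04, dn.encode("utf-8"))         # name: LDAPDN
                + _tlv(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return _tlv(0x30, _integer(message_id) + bind)       # LDAPMessage SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER element at pos; returns (tag, payload, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Parse an LDAPMessage holding a BindResponse (RFC 4511 section 4.2.2)."""
    tag, msg, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                      # [APPLICATION 1] BindResponse
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:                                      # ENUMERATED resultCode
        raise ValueError("resultCode is not an ENUMERATED")
    _, matched, pos = _read_tlv(op, pos)                 # matchedDN
    _, diag, _ = _read_tlv(op, pos)                      # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def bind_succeeded(response: bytes, expected_id: int) -> bool:
    """True only for resultCode 0 (success) answering our own message ID."""
    parsed = parse_bind_response(response)
    return parsed["message_id"] == expected_id and parsed["result_code"] == 0


# Constructed server replies to message ID 1: success, then invalidCredentials (49).
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_INVALID = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    req = bind_request(1, "cn=alice,dc=example,dc=com", "secret")  # constructed
    print(req.hex(), bind_succeeded(SAMPLE_SUCCESS, 1), bind_succeeded(SAMPLE_INVALID, 1))
```

The simple bind carries the password in clear, so the socket a Lua script
opens for this has to be LDAPS or StartTLS-protected; checking the message ID
on the reply is what keeps a slow or reordered answer from being credited to
the wrong request.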



Re: lua authentication

2015-12-05 Thread Grant Haywood
I found a pretty good starting point

https://github.com/morganfainberg/HAProxyKeystoneMiddlware

If I do anything with LDAP I'll post it...

- Original Message -
From: "Grant Haywood" 
To: "thierry fournier" 
Cc: "Igor Cicimov" , "HAProxy" 
, "Baptiste" 
Sent: Saturday, December 5, 2015 6:48:52 PM
Subject: Re: lua authentication

I see.
Still, is there an example of authenticating an HTTP connection in Lua?
 
I'm fairly certain I can do a JWT implementation

and for LDAP, it may still be easier to proxy a simple (non-LDAP) message over a 
socket, and write a bridge to the LDAP daemon in something that's not Lua. (use at 
your own risk/understanding/vetting)

kind of like this https://doc.powerdns.com/md/authoritative/backend-pipe/
(I know that's not for auth, but same concept)

- Original Message -
From: "thierry fournier" 
To: "Baptiste" 
Cc: "Grant Haywood" , "Igor Cicimov" 
, "HAProxy" 
Sent: Saturday, December 5, 2015 3:36:32 PM
Subject: Re: lua authentication




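Grant calls the JWT variant the one he is confident about; as an added example
(my code, not from the thread and not from the HAProxyKeystoneMiddlware
repository), here is the verification side of an HS256 "userlist" in Python
with the checks that matter: the verifier decides the algorithm, so a token
whose header says "none" or anything other than HS256 is rejected before any
signature math; the signature is compared in constant time; and exp is
required and checked against a caller-supplied clock so the function is
testable offline. The key and tokens are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 token; used here only to build inputs for the example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("utf-8"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Return the claims of a valid, unexpired HS256 token or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("token is not well-formed") from exc
    # The verifier, not the token, fixes the algorithm: anything else is rejected
    # before the signature is even looked at.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("utf-8")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token has no exp or has expired")
    return claims


def authorize(token: str, key: bytes, allowed_subjects: set, now: int) -> bool:
    """userlist-style decision: valid token AND subject on the allow list."""
    try:
        claims = verify_hs256(token, key, now)
    except ValueError:
        return False
    return claims.get("sub") in allowed_subjects


if __name__ == "__main__":
    KEY = b"constructed-example-key"  # constructed; never ship a static key like this
    token = make_token({"sub": "alice", "exp": 2000}, KEY)
    print(authorize(token, KEY, {"alice"}, now=1000))
```

The clock is a parameter rather than time.time() so that the expiry branch
can be exercised deterministically; in a real check pass the current time.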
Re: lua authentication

2015-12-05 Thread Grant Haywood
I see.
Still, is there an example of authenticating an HTTP connection in Lua?
 
I'm fairly certain I can do a JWT implementation

and for LDAP, it may still be easier to proxy a simple (non-LDAP) message over a 
socket, and write a bridge to the LDAP daemon in something that's not Lua. (use at 
your own risk/understanding/vetting)

kind of like this https://doc.powerdns.com/md/authoritative/backend-pipe/
(I know that's not for auth, but same concept)

- Original Message -
From: "thierry fournier" 
To: "Baptiste" 
Cc: "Grant Haywood" , "Igor Cicimov" 
, "HAProxy" 
Sent: Saturday, December 5, 2015 3:36:32 PM
Subject: Re: lua authentication
