Re: Trying to understand how to do SSL properly.
On 1/29/2023 10:43 PM, Jeremy Hansen wrote:
> Figured out my issue. I was doing something really stupid. Make sure if you’re using conf.d/, you name your file .cfg instead of .conf.

I don't think haproxy does a conf.d setup out of the box. You (or your OS) would have to set that up. Or were you talking about something other than haproxy?

> backend nodes
>     mode tcp
>     balance roundrobin
>     option ssl-hello-chk
>     server web01 192.168.10.30:443 check

If the backend is doing TLS as well, you need "ssl" after the IP:PORT in the server line.

If the back end is not expecting the same hostname in the Host header or SNI that the end user inputs, you'd probably have to change that before it gets to the backend. Changing the host header would not be hard, but I have no idea whether that would also change SNI.

Thanks,
Shawn
Re: Trying to understand how to do SSL properly.
Figured out my issue. I was doing something really stupid. Make sure if you’re using conf.d/, you name your file .cfg instead of .conf.

All is well.

-jeremy

> On Sunday, Jan 29, 2023 at 9:26 PM, Me (mailto:jer...@skidrow.la) wrote:
> Scenario is a firewall host running HAProxy trying to map to an internal web server. The web server is configured for SSL with a Let’s Encrypt certificate using the external name with a DNS entry pointing to the routable IP of the firewall/HAProxy host. Internal name for the website is different than the external name. I’m either trying to do passthrough SSL via HAProxy or whatever makes more sense.
>
> WORLD -> SSL -> (www.website.com on routable IP) HAProxy -> (web.stuff.intra on internal IP) internal host
>
> I’m sure this is probably the scenario a million people use but after trying very many examples from searches, I’m still unable to get this to function properly.
>
> Example configuration:
>
> frontend localhost
>     bind 66.66.66.66:443
>     option tcplog
>     mode tcp
>     default_backend nodes
>
> backend nodes
>     mode tcp
>     balance roundrobin
>     option ssl-hello-chk
>     server web01 192.168.10.30:443 check
>
> Basically lifted from https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
>
> I’m very new to HAProxy and while I’ve heard of it for years, I never got around to playing with it.
>
> Basically the results of this config tell me the site is unreachable. I’m not sure exactly how to debug to figure out where the breakdown is.
>
> Any tips is much appreciated.
>
> -jeremy
Trying to understand how to do SSL properly.
Scenario is a firewall host running HAProxy trying to map to an internal web server. The web server is configured for SSL with a Let’s Encrypt certificate using the external name with a DNS entry pointing to the routable IP of the firewall/HAProxy host. Internal name for the website is different than the external name. I’m either trying to do passthrough SSL via HAProxy or whatever makes more sense.

WORLD -> SSL -> (www.website.com on routable IP) HAProxy -> (web.stuff.intra on internal IP) internal host

I’m sure this is probably the scenario a million people use but after trying very many examples from searches, I’m still unable to get this to function properly.

Example configuration:

frontend localhost
    bind 66.66.66.66:443
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 192.168.10.30:443 check

Basically lifted from https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

I’m very new to HAProxy and while I’ve heard of it for years, I never got around to playing with it.

Basically the results of this config tell me the site is unreachable. I’m not sure exactly how to debug to figure out where the breakdown is.

Any tips is much appreciated.

-jeremy
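The two shapes this thread circles around (the original tcp-mode config, and Shawn's remark about the "ssl" keyword and the Host/SNI mismatch), written out as an added example that is not from any poster: TLS passthrough, where the server line carries no "ssl" because HAProxy is not a TLS endpoint, beside terminate-and-re-encrypt, where "ssl" on the server line is correct because HAProxy is now the TLS client. Names and addresses are the thread's; the PEM path and the CA bundle path are assumptions.

```haproxy
# Two deployable shapes for the scenario in the thread. Use ONE of them:
# both frontends bind 66.66.66.66:443, so they cannot be active together.
# Names and addresses are the ones from the original post.

# --- A: TLS passthrough (what the original config was attempting) ---
# HAProxy never decrypts. The browser sees the backend's own Let's Encrypt
# cert for www.website.com, so that cert must live on web01, and the client's
# SNI and Host header reach web01 untouched. No "ssl" keyword on the server
# line here: HAProxy is not a TLS endpoint in this mode, and adding it would
# wrap the client's handshake inside a second TLS session.
frontend fe_https_passthrough
    bind 66.66.66.66:443
    mode tcp
    option tcplog
    # hold the connection until the ClientHello arrives so SNI is readable
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_web_passthrough if { req.ssl_sni -i www.website.com }
    default_backend be_web_passthrough

backend be_web_passthrough
    mode tcp
    balance roundrobin
    option ssl-hello-chk          # health check: send ClientHello, expect ServerHello
    server web01 192.168.10.30:443 check

# --- B: terminate on HAProxy, re-encrypt to web01 ---
# HAProxy holds the www.website.com key + full chain in one PEM (assumed
# path). Now HAProxy is the TLS client towards web01, so "ssl" on the server
# line is correct, and the backend cert is verified rather than trusted blindly.
frontend fe_https_terminate
    bind 66.66.66.66:443 ssl crt /etc/haproxy/certs/www.website.com.pem
    mode http
    option httplog
    http-request set-header X-Forwarded-Proto https
    default_backend be_web_reencrypt

backend be_web_reencrypt
    mode http
    # web01 presents the www.website.com cert, so forward the client's SNI
    # and verify the chain against the system CA bundle (assumed Debian path).
    # If web01 instead expected its internal name, you would set both
    # "sni str(web.stuff.intra)" and "http-request set-header Host web.stuff.intra".
    server web01 192.168.10.30:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni ssl_fc_sni verifyhost www.website.com check check-sni www.website.com
```

Shape A is the quickest way to confirm the path works at all; if web01 answers directly but not through HAProxy, the break is in the tcp-mode forwarding rather than in certificates.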