Re: Two way authentication issue
Hello

Basically what I need is when I browse /service/ws to use client certificate authentication, otherwise for everything else to use normal ssl termination. This configuration was validated by haproxy and it said that it was correct, and it works, but not with Firefox and Google Chrome. Please help me with some suggestions, because I really need to make this work.

Regards
Peter

> On 24 Aug 2017, at 19:18, Yann Cézard <ycez...@viareport.com> wrote:
>
> Hi Peter,
>
> There are several things which look really wrong in your config.
>
> Are you sure this configuration is validated by haproxy? Or did you only reload
> and it in fact still uses the old conf?
>
> On 24/08/2017 15:48, Keresztes Péter-Zoltán wrote:
>> Hello,
>>
>> Sorry I was confused about what the client wanted. First I thought that they
>> want to talk ssl with the backend but they actually want a client
>> certificate authentication. I have modified my haproxy.cfg with the
>> following configurations:
>>
>> [...]
>> frontend http-in
>>     bind 10.0.0.2:80
>>     redirect scheme https code 301 if !{ ssl_fc }
>> frontend https-in
>>     bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>>     mode http
> That part looks wrong:
>>     acl client_ssl path_beg /service/ws
>>     redirect location https://10.0.0.2/service/ws if client_ssl
> It looks like a redirect loop to me.

Probably, but I couldn't think of anything else on how to force the haproxy to use the client certificate when that path is used.

>>     default_backend idfusion_all
>> frontend apidev
>>     bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/ca-certificates.crt verify required
> => you defined two times the same ip:port, how is HAProxy supposed to know
> which one the user is asking for?
> I would be surprised if it doesn't throw an error with such a configuration.

Don't know if this is supposed to work or not, but it's actually working.

>> [...]
>>
>> This configuration is working on some browsers like safari but it does not
>> work with Firefox or chrome since I am having
>> SSL_ERROR_HANDSHAKE_FAILURE_ALERT
>>
>> Any idea how to fix it?
> You didn't explain what you wanted to achieve, but my guess is that you want
> clients to be cert authenticated/validated to access the /service/ws path,
> and you don't care for other paths if the clients are cert validated or not
> (you just want to have HTTPS).
> In that case, look at
> https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
> (Phase 2: Client Certificate optional)
> => use "verify optional"
> => ensure { ssl_fc_has_crt } if accessing /service/ws
>
> Hope this helps,
>
> Yann
>>
>> Regards,
>> Peter
>>
>>> On 23 Aug 2017, at 10:42, Yann Cézard <ycez...@viareport.com> wrote:
>>>
>>> Hi Peter,
>>>
>>> On 23/08/2017 00:48, Keresztes Péter-Zoltán wrote:
>>>> Hello,
>>>>
>>>> I am trying to set up haproxy with two way authentication. While the
>>>> frontend looks good, one of the backends is giving me headaches with ssl
>>>> handshake failures.
>>>>
>>>> Here is how the frontends and backends look:
>>>>
>>>> frontend http-in
>>>>     bind 69.64.57.197:80
>>>>     redirect scheme https code 301 if !{ ssl_fc }
>>>>
>>>> frontend https-in
>>>>     bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>>>>     mode http
>>>>     acl client_ssl path_beg /service/ws
>>>>     use_backend test_client_ssl if client_ssl
>>>>     default_backend test_all
>>>>
>>>> backend test_all
>>>>     mode http
>>>>     balance leastconn
>>>>     timeout connect 1s
>>>>     timeout server 300s
>>>>     timeout queue 30s
>>>>     option redispatch
>>>>     retries 3
>>>>     cookie rc_cookie_vers insert indirect nocache secure
>>>>     server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>>>     server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>>>
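For reference, here is one way to write what Yann suggests ("verify optional" plus a check on ssl_fc_has_crt) as a single frontend. This is an added example and not a configuration posted by anyone in this thread. It keeps Peter's certificate path and backend name (idfusion_all); the CA file /etc/haproxy/client-ca.pem is an assumed path. The point is that one bind on 10.0.0.2:443 terminates TLS for every path, the handshake no longer aborts when a browser has no certificate to offer, and the certificate requirement is enforced per request on /service/ws instead of by redirecting between two frontends on the same port.

```haproxy
# Added example (not from the thread). One frontend replaces the two that both
# bound 10.0.0.2:443; HAProxy cannot pick a frontend by URL path at bind time.
frontend https-in
    # verify optional: request a client certificate but do not abort the
    # handshake when the browser sends none. "verify required" is what makes
    # Firefox and Chrome fail with SSL_ERROR_HANDSHAKE_FAILURE_ALERT on paths
    # where the user has no certificate to present.
    # /etc/haproxy/client-ca.pem is an assumed path; it should hold only the
    # CA(s) that issue your client certificates, not the system bundle, or any
    # certificate from any public CA would pass verification.
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/haproxy/client-ca.pem verify optional
    mode http
    option forwardfor
    # http-request set-header is the replacement for the older reqadd directive.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    acl is_ws path_beg /service/ws

    # Protected path, no client certificate presented: reject with 403.
    http-request deny if is_ws !{ ssl_fc_has_crt }
    # Defence in depth: a certificate that did not verify against the CA
    # (ssl_c_verify != 0) is also rejected. With plain "verify optional" such
    # handshakes are already aborted; this rule matters if crt-ignore-err or
    # ca-ignore-err are later added to keep those handshakes alive.
    http-request deny if is_ws !{ ssl_c_verify 0 }

    # Hand the verified identity to the application. Delete any copy the
    # client sent first so the header cannot be spoofed from outside.
    http-request del-header X-SSL-Client-CN
    http-request set-header X-SSL-Client-CN %[ssl_c_s_dn(cn)] if { ssl_fc_has_crt }

    default_backend idfusion_all
```

Check the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading (this answers Yann's question about whether the old configuration was still in use). To see the handshake itself, openssl s_client -connect 10.0.0.2:443 -cert client.crt -key client.key prints the "Acceptable client certificate CA names" the server advertises, which shows whether the ca-file you configured is the one being offered to browsers; a request to /service/ws without a certificate should then return 403 rather than a TLS alert.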
Re: Two way authentication issue
Hello,

Sorry I was confused about what the client wanted. First I thought that they want to talk ssl with the backend but they actually want a client certificate authentication. I have modified my haproxy.cfg with the following configurations:

    log /dev/log local0
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 600 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 2

    #Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 300s
    timeout server 300s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    stats enable
    stats hide-version
    #stats scope .
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:K1l1m4ndj4r0
    stats refresh 5s

frontend http-in
    bind 10.0.0.2:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
    mode http
    acl client_ssl path_beg /service/ws
    redirect location https://10.0.0.2/service/ws if client_ssl
    default_backend idfusion_all

frontend apidev
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/ca-certificates.crt verify required
    mode http
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    acl client_ssl path_beg /service/ws
    redirect location https://10.0.0.2/ if !client_ssl
    default_backend idfusion_all
    option forwardfor

backend idfusion_all
    mode http
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option redispatch
    retries 3
    cookie rc_cookie_vers insert indirect nocache secure
    server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
    server loft10179 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1

This configuration is working on some browsers like safari but it does not work with Firefox or chrome since I am having SSL_ERROR_HANDSHAKE_FAILURE_ALERT.

Any idea how to fix it?

Regards,
Peter

> On 23 Aug 2017, at 10:42, Yann Cézard <ycez...@viareport.com> wrote:
>
> Hi Peter,
>
> On 23/08/2017 00:48, Keresztes Péter-Zoltán wrote:
>> Hello,
>>
>> I am trying to set up haproxy with two way authentication. While the frontend
>> looks good, one of the backends is giving me headaches with ssl handshake
>> failures.
>>
>> Here is how the frontends and backends look:
>>
>> frontend http-in
>>     bind 69.64.57.197:80
>>     redirect scheme https code 301 if !{ ssl_fc }
>>
>> frontend https-in
>>     bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>>     mode http
>>     acl client_ssl path_beg /service/ws
>>     use_backend test_client_ssl if client_ssl
>>     default_backend test_all
>>
>> backend test_all
>>     mode http
>>     balance leastconn
>>     timeout connect 1s
>>     timeout server 300s
>>     timeout queue 30s
>>     option redispatch
>>     retries 3
>>     cookie rc_cookie_vers insert indirect nocache secure
>>     server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>     server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>
>> backend test_client_ssl
>>     mode http
>>     balance leastconn
>>     timeout connect 1s
>>     timeout server 300s
>>     timeout queue 30s
>>     option httpchk GET "/service/ws" "HTTP/1.0"
>>     cookie rc_cookie_vers insert indirect nocache secure
>>     server usloft4778 192.168.0.1:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
>>     server loft10179 192.168.0.2:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
> You are using the same server:port for both HTTP an
Two way authentication issue
Hello,

I am trying to set up haproxy with two way authentication. While the frontend looks good, one of the backends is giving me headaches with ssl handshake failures.

Here is how the frontends and backends look:

frontend http-in
    bind 69.64.57.197:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
    mode http
    acl client_ssl path_beg /service/ws
    use_backend test_client_ssl if client_ssl
    default_backend test_all

backend test_all
    mode http
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option redispatch
    retries 3
    cookie rc_cookie_vers insert indirect nocache secure
    server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
    server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1

backend test_client_ssl
    mode http
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option httpchk GET "/service/ws" "HTTP/1.0"
    cookie rc_cookie_vers insert indirect nocache secure
    server usloft4778 192.168.0.1:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
    server loft10179 192.168.0.2:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt

Any suggestion to make this work?

Thanks in advance
Peter