Re: Two way authentication issue

2017-08-24 Thread Keresztes Péter-Zoltán
Hello

Basically what I need is, when I browse /service/ws, to use client certificate 
authentication, and for everything else to use normal SSL termination.
This configuration was validated by haproxy, which said that it was correct, and 
it works, but not with Firefox and Google Chrome.

Please help me with some suggestions, because I really need to make this work.

Regards
Peter
> On 24 Aug 2017, at 19:18, Yann Cézard <ycez...@viareport.com> wrote:
> 
> Hi Peter,
> 
> There are several things which look really wrong in your config.
> 
> Are you sure this configuration is validated by haproxy? Or did you only 
> reload, and it in fact still uses the old conf?
> 
> On 24/08/2017 15:48, Keresztes Péter-Zoltán wrote:
>> Hello,
>> 
>> Sorry, I was confused about what the client wanted. First I thought that they 
>> wanted to talk SSL with the backend, but they actually want client 
>> certificate authentication. I have modified my haproxy.cfg with the 
>> following configuration:
>> 
>> [...]
>> frontend  http-in
>> bind 10.0.0.2:80
>> redirect scheme https code 301 if !{ ssl_fc }
>> frontend  https-in
>> bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>> mode http
> That part looks wrong:
>> acl client_ssl path_beg /service/ws 
>> redirect location https://10.0.0.2/service/ws if client_ssl
> It looks like a redirect loop to me.
Probably, but I couldn't think of anything else to force haproxy to 
use the client certificate when that path is used.

>> default_backend idfusion_all
>> frontend apidev
>> bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/ca-certificates.crt verify required
> => you defined the same ip:port twice; how is HAProxy supposed to know 
> which one the user is asking for?
> I would be surprised if it doesn't throw an error with such a configuration.
Don't know if this is supposed to work or not, but it's actually working.

>> [...]
>> 
>> This configuration is working on some browsers like Safari, but it does not 
>> work with Firefox or Chrome, since I am getting 
>> SSL_ERROR_HANDSHAKE_FAILURE_ALERT 
>> 
>> Any idea how to fix it?
> You didn't explain what you wanted to achieve, but my guess is that you want 
> clients to be cert authenticated/validated to access the /service/ws path, and you 
> don't care for other paths whether the clients are cert validated or not (you just 
> want to have HTTPS).
> In that case, look at 
> https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/
> (Phase 2: Client Certificate optional)
> => use "verify optional"
> => ensure { ssl_fc_has_crt } if accessing /service/ws 
> 
> Hope this helps,
> 
> Yann
>> 
>> Regards,
>> Peter
>> 
>>> On 23 Aug 2017, at 10:42, Yann Cézard <ycez...@viareport.com> wrote:
>>> 
>>> Hi Peter,
>>> 
>>> On 23/08/2017 00:48, Keresztes Péter-Zoltán wrote:
>>>> Hello,
>>>> 
>>>> I am trying to set up haproxy with two way authentication. While the 
>>>> frontend looks good, one of the backends is giving me headaches with SSL 
>>>> handshake failures.
>>>> 
>>>> Here is what the frontends and backends look like:
>>>> 
>>>> frontend  http-in
>>>> bind 69.64.57.197:80
>>>> redirect scheme https code 301 if !{ ssl_fc }
>>>> 
>>>> frontend  https-in
>>>> bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>>>> mode http
>>>> acl client_ssl path_beg /service/ws
>>>> use_backend test_client_ssl if client_ssl
>>>> default_backend test_all
>>>> 
>>>> backend test_all
>>>> mode http
>>>> balance leastconn
>>>> timeout connect 1s
>>>> timeout server  300s
>>>> timeout queue   30s
>>>> option redispatch
>>>> retries 3
>>>> cookie rc_cookie_vers insert indirect nocache secure
>>>> server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>>> server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>>>> 

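A corrected single-listener version of the setup discussed in this thread, added here as an example for the page; it is not Peter's or Yann's own config. It applies Yann's two pointers (`verify optional` on the bind line, then an `ssl_fc_has_crt` check for /service/ws) so that Firefox and Chrome, which send no certificate when none is installed, are no longer refused at the handshake. It assumes HAProxy 1.7-era syntax, the server certificate, addresses and backend from the thread, and a dedicated issuing CA at /etc/ssl/certs/client-ca.crt (an assumed path). That last point matters: the system bundle /etc/ssl/certs/ca-certificates.crt used in the thread would accept a client certificate issued by any public CA, which is not an authentication check at all.

```haproxy
global
    log /dev/log local0
    user haproxy
    group haproxy
    daemon
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    option http-server-close
    timeout connect 5s
    timeout client 300s
    timeout server 300s

frontend http-in
    bind 10.0.0.2:80
    redirect scheme https code 301 if !{ ssl_fc }

# Exactly one listener on 10.0.0.2:443. "verify optional" asks every client
# for a certificate during the handshake but does not abort when none is sent,
# so browsers without a certificate can still reach the other paths.
# ca-file must be the CA that issues the *client* certificates
# (client-ca.crt is an assumed path), never the system CA bundle.
frontend https-in
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/client-ca.crt verify optional

    acl ws_path        path_beg /service/ws
    acl has_client_crt ssl_fc_has_crt
    acl crt_ok         ssl_c_verify 0

    # Drop any client-supplied copies of the headers set below, so a request
    # without a certificate cannot impersonate one that presented it.
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-Verify

    # /service/ws: 403 unless a certificate was presented and it verified
    # against client-ca.crt. Every other path is plain HTTPS.
    http-request deny if ws_path !has_client_crt
    http-request deny if ws_path !crt_ok

    http-request set-header X-Forwarded-Proto https
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn] if has_client_crt
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify] if has_client_crt

    default_backend idfusion_all

backend idfusion_all
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option redispatch
    retries 3
    cookie rc_cookie_vers insert indirect nocache secure
    # Each server needs its own cookie value, otherwise the persistence
    # cookie cannot tell the two apart.
    server usloft4778 192.168.0.1:8080 cookie usloft4778 check inter 1000 fastinter 500 rise 2 fall 1
    server loft10179 192.168.0.2:8080 cookie loft10179 check inter 1000 fastinter 500 rise 2 fall 1
```

Two caveats a practitioner should know. First, the request path is not known at handshake time, so the certificate is requested on every connection to 443, not only for /service/ws; a user whose browser holds a certificate from that CA will be prompted for it on any page. Second, with `verify optional` a client that presents a certificate that does not chain to client-ca.crt still fails the handshake; the `ssl_c_verify 0` ACL only becomes the deciding check if `ca-ignore-err`/`crt-ignore-err` are added to the bind line, and is kept here so the 403 holds in that case too. Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then confirm the certificate request with `openssl s_client -connect 10.0.0.2:443`, whose output lists "Acceptable client certificate CA names" when the server asks for one.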
Re: Two way authentication issue

2017-08-24 Thread Keresztes Péter-Zoltán
Hello,

Sorry, I was confused about what the client wanted. First I thought that they 
wanted to talk SSL with the backend, but they actually want client certificate 
authentication. I have modified my haproxy.cfg with the following 
configuration:

log /dev/log local0
log 127.0.0.1 local2
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 600 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2
#Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
option http-server-close
option  httplog
option  dontlognull
timeout connect 5000ms
timeout client 300s
timeout server 300s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
stats enable
stats hide-version
#stats scope .
stats uri   /admin?stats
stats realm Haproxy\ Statistics
stats auth  admin:K1l1m4ndj4r0
stats refresh   5s
frontend  http-in
bind 10.0.0.2:80
redirect scheme https code 301 if !{ ssl_fc }
frontend  https-in
bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
mode http
acl client_ssl path_beg /service/ws 
redirect location https://10.0.0.2/service/ws if client_ssl
default_backend idfusion_all
frontend apidev
bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/ca-certificates.crt verify required
mode http
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
acl client_ssl path_beg /service/ws
redirect location https://10.0.0.2/ if !client_ssl
default_backend idfusion_all
option forwardfor
backend idfusion_all
mode http
balance leastconn
timeout connect 1s
timeout server  300s
timeout queue   30s
option redispatch
retries 3
cookie rc_cookie_vers insert indirect nocache secure
server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
server loft10179 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1

This configuration is working on some browsers like Safari, but it does not work 
with Firefox or Chrome, since I am getting SSL_ERROR_HANDSHAKE_FAILURE_ALERT 

Any idea how to fix it?

Regards,
Peter

> On 23 Aug 2017, at 10:42, Yann Cézard <ycez...@viareport.com> wrote:
> 
> Hi Peter,
> 
> On 23/08/2017 00:48, Keresztes Péter-Zoltán wrote:
>> Hello,
>> 
>> I am trying to set up haproxy with two way authentication. While the frontend 
>> looks good, one of the backends is giving me headaches with SSL handshake 
>> failures.
>> 
>> Here is what the frontends and backends look like:
>> 
>> frontend  http-in
>> bind 69.64.57.197:80
>> redirect scheme https code 301 if !{ ssl_fc }
>> 
>> frontend  https-in
>> bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>> mode http
>> acl client_ssl path_beg /service/ws
>> use_backend test_client_ssl if client_ssl
>> default_backend test_all
>> 
>> backend test_all
>> mode http
>> balance leastconn
>> timeout connect 1s
>> timeout server  300s
>> timeout queue   30s
>> option redispatch
>> retries 3
>> cookie rc_cookie_vers insert indirect nocache secure
>> server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>> server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>> 
>> backend test_client_ssl
>> mode http
>> balance leastconn
>> timeout connect 1s
>> timeout server  300s
>> timeout queue   30s
>> option httpchk GET "/service/ws" "HTTP/1.0"
>> cookie rc_cookie_vers insert indirect nocache secure
>> server usloft4778 192.168.0.1:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
>> server loft10179 192.168.0.2:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
> You are using the same server:port for both HTTP an

Two way authentication issue

2017-08-22 Thread Keresztes Péter-Zoltán
Hello, 

I am trying to set up haproxy with two way authentication. While the frontend 
looks good, one of the backends is giving me headaches with SSL handshake 
failures.

Here is what the frontends and backends look like:

frontend  http-in
bind 69.64.57.197:80
redirect scheme https code 301 if !{ ssl_fc }

frontend  https-in
bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
mode http
acl client_ssl path_beg /service/ws 
use_backend test_client_ssl if client_ssl
default_backend test_all

backend test_all
mode http
balance leastconn
timeout connect 1s
timeout server  300s
timeout queue   30s
option redispatch
retries 3
cookie rc_cookie_vers insert indirect nocache secure
server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1

backend test_client_ssl
mode http
balance leastconn
timeout connect 1s
timeout server  300s
timeout queue   30s
option httpchk GET "/service/ws" "HTTP/1.0"
cookie rc_cookie_vers insert indirect nocache secure
server usloft4778 192.168.0.1:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
server loft10179 192.168.0.2:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt

Any suggestion to make this work?

Thanks in advance
Peter
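For the layout in this original post, where HAProxy itself is the TLS client and presents a certificate to the backends, here is an added example of the two backend sections with the transports separated; it is not Peter's config and does not change his frontend. The posted config points both `test_all` (plain HTTP) and `test_client_ssl` (`ssl`) at the same 192.168.0.x:8080, which cannot work: one port speaks one protocol. This version keeps plain HTTP on 8080 and assumes the application terminates TLS and requires a client certificate on a second port, 8443 (assumed). It also assumes that the `crt` file contains both the certificate and its private key (/etc/ssl/private/client.pem is an assumed path; a bare .crt without the key cannot be used to authenticate) and that the backends' server certificates carry the name backend.internal (assumed) for `verifyhost`.

```haproxy
backend test_all
    mode http
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option redispatch
    retries 3
    cookie rc_cookie_vers insert indirect nocache secure
    server usloft4778 192.168.0.1:8080 cookie usloft4778 check inter 1000 fastinter 500 rise 2 fall 1
    server loft10179 192.168.0.2:8080 cookie loft10179 check inter 1000 fastinter 500 rise 2 fall 1

# HAProxy is the TLS *client* here: "crt" is the certificate+key it presents to
# the backend, "ca-file" is what the backend's server certificate must chain to,
# and "verify required" plus "verifyhost" make HAProxy refuse a backend whose
# certificate is not the expected one. Port 8443 is assumed and must differ
# from the plain-HTTP 8080 used by test_all. Health checks inherit "ssl" from
# the server line, so "check" runs over TLS as well.
backend test_client_ssl
    mode http
    balance leastconn
    timeout connect 1s
    timeout server 300s
    timeout queue 30s
    option httpchk GET /service/ws HTTP/1.0
    cookie rc_cookie_vers insert indirect nocache secure
    server usloft4778 192.168.0.1:8443 ssl verify required verifyhost backend.internal ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/private/client.pem cookie usloft4778 check inter 1000 fastinter 500 rise 2 fall 1
    server loft10179 192.168.0.2:8443 ssl verify required verifyhost backend.internal ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/private/client.pem cookie loft10179 check inter 1000 fastinter 500 rise 2 fall 1
```

Without `verifyhost` (or `sni`), `verify required` only checks that the backend's certificate chains to ca_full.crt, not that it was issued for that host, so any certificate from that CA would be accepted. To isolate the backend from HAProxy when the handshake still fails, reproduce HAProxy's side by hand with `openssl s_client -connect 192.168.0.1:8443 -cert /etc/ssl/private/client.pem -key /etc/ssl/private/client.pem -CAfile /etc/ssl/certs/ca_full.crt`; if that also fails, the problem is in the backend's trust configuration rather than in haproxy.cfg.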