@j_bourdeau wrote:
Hi,
During the weekend, I re-configured the HAProxy module in my pfSense firewall. HAProxy is version 1.7.11 and pfSense is 2.4.3. The idea is this:
A first frontend, SSL Mux, is listening on the WAN IP; TCP 443 and is sorting the sockets according to the CN of the certificate the client is looking for. According to the name, HAProxy uses a backend that loops to a specific frontend offering the service the client is looking for. All of the sorting is done using complete DNS names as expected from the clients.
One of these frontends is an SSL accelerator. Another one is a reverse proxy enforcing authentication with client certificates. I also have a pseudo STunnel server. For now, I would like to focus on the SSL accelerator.
I have 2 certificates from Let’s Encrypt, one with an RSA key and a complete CN and one as a wildcard and ECDSA. I also have a local CA in my pfSense which I used to produce home-made certificates (RSA and complete CN).
If I configure HAProxy to use the Let’s Encrypt certificate with a complete name and home-made certificates also with complete names, HAProxy does as expected. Everything is routed properly and clients are presented with the proper certificate and services.
If I try to use the wildcard certificate, either as the “main” certificate for the SSL Accelerator frontend or as an extra certificate for it, HAProxy refuses to use it. The clients are never presented the wildcard certificate and the access fails. Config No2 pasted below shows an example of one of these non-working configs. ServerA is still working but ServerB is inaccessible.
I reviewed the difference between the configs but I have not been able to identify how / why HAProxy does not recognize the wildcard certificate as usable for the access. I think the problem is around ACLs (HAProxy thinks the name must be .*.domain.com instead of *.domain.com and / or is looking for an actual * instead of considering it as a wildcard) but I failed to manually create the extra ACL HAProxy would need to handle the wildcard certificate properly. I also tried to define the ACL as “contains .domain.com” as well as “ends by .domain.com” without any success.
Any idea on that?
I tried to post my entire config but the stupid forum engine thinks that the DNS names / IPs in the config are links and so refuses to let me post it…
Thanks in advance,
Hercales
+++ Extract from working config +++

acl aclcrt_SSL_Accelerator var(txn.txnhost) -m reg -i ^serverA.domain.com(:([0-9]){1,5})?
acl aclcrt_SSL_Accelerator var(txn.txnhost) -m reg -i ^serverB\.domain\.com(:([0-9]){1,5})?

+++ Extract from non-working config +++

acl aclcrt_SSL_Accelerator var(txn.txnhost) -m reg -i ^serverA.domain.com(:([0-9]){1,5})?
acl aclcrt_SSL_Accelerator var(txn.txnhost) -m reg -i ^([^\.]*)\.domain\.com(:([0-9]){1,5})?
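Added example (not from the post or from pfSense/HAProxy): a small harness that runs the two ACL regex sets quoted above against constructed hostnames, emulating HAProxy's `-m reg -i` semantics (case-insensitive regex search, repeated `acl` lines with the same name ORed together). It assumes `txn.txnhost` already holds the hostname the client asked for, possibly with a `:port` suffix, and it adds a third, tightened pattern set (my assumption, not something the poster wrote) with escaped dots, an end anchor and a single-label wildcard, to show how much more the original patterns accept than the names they were written for.

```python
import re

# ACL regexes copied verbatim from the poster's two config extracts.
ACL_WORKING = [
    r"^serverA.domain.com(:([0-9]){1,5})?",
    r"^serverB\.domain\.com(:([0-9]){1,5})?",
]
ACL_WILDCARD = [
    r"^serverA.domain.com(:([0-9]){1,5})?",
    r"^([^\.]*)\.domain\.com(:([0-9]){1,5})?",
]
# Tightened variant (assumption, not from the post): literal dots, end anchor,
# and the wildcard limited to exactly one non-empty DNS label.
ACL_STRICT = [
    r"^serverA\.domain\.com(:[0-9]{1,5})?$",
    r"^[^.]+\.domain\.com(:[0-9]{1,5})?$",
]


def acl_matches(patterns, host):
    """Emulate several 'acl <name> var(txn.txnhost) -m reg -i <pat>' lines.

    HAProxy ORs the patterns of same-named acl lines, and '-m reg' is a
    regex search (only anchored where the pattern itself uses ^ or $);
    '-i' makes it case-insensitive.
    """
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def evaluate(hosts):
    """Return {host: (working, wildcard, strict)} match results."""
    return {
        h: (
            acl_matches(ACL_WORKING, h),
            acl_matches(ACL_WILDCARD, h),
            acl_matches(ACL_STRICT, h),
        )
        for h in hosts
    }


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from the post.
    samples = [
        "serverA.domain.com",
        "serverB.domain.com:443",
        "SERVERB.DOMAIN.COM",
        "serverAXdomain.com",          # unescaped '.' in ^serverA.domain.com
        "serverB.domain.com.example",  # no '$' anchor in either original set
        "sub.serverB.domain.com",      # two labels: wildcard should not match
        ".domain.com",                 # empty label accepted by [^\.]*
    ]
    print(f"{'host':30} working wildcard strict")
    for host, (w, wc, s) in evaluate(samples).items():
        print(f"{host:30} {w!s:7} {wc!s:8} {s!s}")
```

Running it shows that the wildcard regex does accept `serverB.domain.com` (with or without a port and regardless of case), so the regex itself is not rejecting that name, while both original sets also accept `serverAXdomain.com`, `serverB.domain.com.example` and `.domain.com`, which the tightened set refuses.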