@macguy.ag wrote:
I’m hoping someone can help me figure this out.
I used to have HAProxy set up such that requests on port 80 would redirect to SSL over port 443, and explicit requests to SSL over port 8443 would also work. Then my CIO decreed that we were moving to using Let’s Encrypt for our SSL certs. I got that working on my HAProxy server, but now there’s no response when I try to go directly to port 8443.
Here’s my complete HAProxy.cfg file:
# Configuration gleaned from both the course manual for the Jamf 350 Server Admin certification course,
# from https://arstechnica.com/information-technology/2015/05/web-served-how-to-make-your-site-all-https-all-the-time-for-everyone/,
# from https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04,
# and from https://gist.github.com/thisismitch/7c91e9b2b63f837a0c4b

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers TLS+ECDHE+RSA+WITH+AES+256+GCM+SHA384:TLS+ECDHE+ECDSA+WITH+AES+256+GCM+SHA384:TLS+ECDH+RSA+WITH+AES+256+GCM+SHA384:TLS+ECDH+ECDSA+WITH+AES+256+GCM+SHA384:TLS+ECDHE+RSA+WITH+AES+128+GCM+SHA256:TLS+ECDHE+ECDSA+WITH+AES+128+GCM+SHA256:TLS+ECDH+RSA+WITH+AES+128+GCM+SHA256:TLS+ECDH+ECDSA+WITH+AES+128+GCM+SHA256:TLS+ECDHE+RSA+WITH+AES+256+CBC+SHA384:TLS+ECDHE+ECDSA+WITH+AES+256+CBC+SHA384:TLS+ECDHE+RSA+WITH+AES+256+CBC+SHA:TLS+ECDHE+ECDSA+WITH+AES+256+CBC+SHA:TLS+ECDH+RSA+WITH+AES+256+CBC+SHA384:TLS+ECDH+ECDSA+WITH+AES+256+CBC+SHA384:TLS+ECDH+RSA+WITH+AES+256+CBC+SHA:TLS+ECDH+ECDSA+WITH+AES+256+CBC+SHA:TLS+ECDHE+RSA+WITH+AES+128+CBC+SHA256:TLS+ECDHE+ECDSA+WITH+AES+128+CBC+SHA256:TLS+ECDHE+RSA+WITH+AES+128+CBC+SHA:TLS+ECDHE+ECDSA+WITH+AES+128+CBC+SHA:TLS+ECDH+RSA+WITH+AES+128+CBC+SHA256:TLS+ECDH+ECDSA+WITH+AES+128+CBC+SHA256:TLS+ECDH+RSA+WITH+AES+128+CBC+SHA:TLS+ECDH+ECDSA+WITH+AES+128+CBC+SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    # Refuse SSLv3 and TLS 1.0 on every SSL-enabled bind
    ssl-default-bind-options no-sslv3 no-tlsv10

    # Maximum allowed simultaneous connections
    maxconn 2048

    # Crypto key size (size of the DH parameters used for DHE cipher suites)
    tune.ssl.default-dh-param 4096
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend definitions

# Plain HTTP on port 80. Traffic goes to the tomcats backend, whose
# "redirect scheme https if !{ ssl_fc }" rule bounces it to HTTPS.
frontend www-http
    bind *:80
    # reqadd appends a header; a client-supplied X-Forwarded-Proto is left in
    # place ("http-request set-header" would replace it instead).
    reqadd X-Forwarded-Proto:\ http
    default_backend tomcats

# HTTPS on port 443. Apart from the port number and the Host rewrite this
# frontend is identical to the 8443 one below.
frontend www-https-443
    bind *:443 ssl crt /etc/haproxy/certs/server.mycompany.com.pem
    acl secure dst_port eq 443
    # Normalise the Host header to name:443 before it reaches Tomcat
    http-request replace-header Host ^(.*?)(:[0-9]+)?$ \1:443
    reqadd X-Forwarded-Proto:\ https
    # HSTS for one year, covering subdomains, eligible for the preload list
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    # Mark every cookie Tomcat sets as Secure so browsers never send it over HTTP
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    # ACME HTTP-01 challenges are answered by the standalone Let's Encrypt client
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend tomcats

# HTTPS on port 8443, same certificate and same rules as port 443
frontend www-https-8443
    bind *:8443 ssl crt /etc/haproxy/certs/server.mycompany.com.pem
    acl secure dst_port eq 8443
    http-request replace-header Host ^(.*?)(:[0-9]+)?$ \1:8443
    reqadd X-Forwarded-Proto:\ https
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend tomcats
# Backend definitions

backend tomcats
    # Anything that arrived without TLS is redirected to https:// (same Host)
    http-request redirect scheme https if !{ ssl_fc }
    # Tell Tomcat which public port the client used (443 or 8443)
    http-request set-header X-Forwarded-Port %[dst_port]
    # Note: the HTTPS frontends already reqadd X-Forwarded-Proto: https, so
    # TLS requests reach Tomcat with that header twice.
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    balance roundrobin
    # Sticky sessions: HAProxy prefixes the server name onto Tomcat's JSESSIONID
    cookie JSESSIONID prefix nocache
    server webapp1 xxx.xxx.xxx.xxx:8080 check cookie webapp1
    server webapp2 yyy.yyy.yyy.yyy:8080 check cookie webapp2

# Standalone ACME client listening locally for /.well-known/acme-challenge/
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
Interestingly, I see no trace of any attempts at communication on port 8443 in my haproxy.log file. I’ll attach that in a reply message if needed.
Posts: 1
Participants: 1
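The first thing to establish for a port that produces no response and no log line is whether the running HAProxy process is bound to it at all: a config that fails `haproxy -c` is never loaded, so a reload keeps the old listeners, and a port that is listening locally but unreachable from outside points at the host firewall or network path rather than HAProxy. The script below is an added example, not part of the original post or of HAProxy itself. It reads the `bind` lines out of a haproxy.cfg, checks each port against `ss`, and for TLS ports prints the certificate actually served under SNI. The config path, the hostname `server.mycompany.com`, and the function names are assumptions chosen for illustration; each check is skipped when its tool is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): for every 'bind' in a haproxy.cfg,
# report whether the host is really listening on that port and, for TLS ports,
# which certificate is served. Assumed defaults: config at /etc/haproxy/haproxy.cfg,
# public name server.mycompany.com, haproxy/ss/openssl on PATH.

CFG="${CFG:-/etc/haproxy/haproxy.cfg}"
HOST="${HOST:-server.mycompany.com}"

# Print "<port> tls|plain" for every bind line in the config given as $1
# (or on stdin). Accepts '*:443', '0.0.0.0:443', ':443' and '[::]:443' forms;
# commented-out binds are ignored because their first field is '#'.
bind_ports() {
    awk '$1 == "bind" {
        port = $2; sub(/.*:/, "", port)
        mode = "plain"
        for (i = 3; i <= NF; i++) if ($i == "ssl") mode = "tls"
        print port, mode
    }' "${1:--}"
}

# Is a local TCP socket listening on port $1? In 'ss -ltn' output column 4 is
# "Local Address:Port", so match ':PORT' at the end of that field.
is_listening() {
    ss -ltn 2>/dev/null | awk -v p=":$1\$" 'NR > 1 && $4 ~ p { found = 1 } END { exit !found }'
}

# Show subject, issuer and expiry of the leaf certificate served on port $1,
# sending SNI so the probe sees what a browser would see.
tls_probe() {
    printf 'QUIT\n' | openssl s_client -connect "$HOST:$1" -servername "$HOST" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# One-line verdict for a single bind ($1 = port, $2 = tls|plain); returns 0 when listening.
check_port() {
    port=$1; mode=$2
    if is_listening "$port"; then
        echo "port $port ($mode): listening locally (if unreachable from outside, check firewall/network)"
        [ "$mode" = tls ] && command -v openssl >/dev/null 2>&1 && tls_probe "$port"
        return 0
    fi
    echo "port $port ($mode): NOT listening locally -> the running haproxy is not using this bind"
    return 1
}

main() {
    if [ ! -r "$CFG" ]; then
        echo "no readable config at $CFG; nothing to check"
        return 0
    fi
    # A config that fails validation is never loaded: 'reload' keeps the old
    # process and the old listeners, which looks exactly like a silent missing port.
    command -v haproxy >/dev/null 2>&1 && haproxy -c -f "$CFG"
    command -v ss >/dev/null 2>&1 || { echo "ss not found; skipping listen checks"; return 0; }
    bind_ports "$CFG" | while read -r port mode; do
        check_port "$port" "$mode"
    done
}

main
```

Run it on the HAProxy host as a user that can read the config; a port reported as not listening means the process never picked up that `frontend`, and the `haproxy -c -f` output above it will say why. A port that is listening but still unreachable from a client is a firewall or routing question, which also explains why nothing shows up in haproxy.log.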