Quantcast
Channel: HAProxy community - Latest topics
Viewing all articles
Browse latest Browse all 4740

Keepass Sync with WebDAV server results in Bad Gateway 502 when using HAProxy

$
0
0

Hi,

I’m currently facing an annoying issue with HAproxy and my (Synology) WebDAV server, running behind a linux firewall (IPFire).

I’m using Keepass (latest version) on Win10 Pro. Keepass successfully loads a file from my internal WebDAV server w/o any issues, accessing the file with https://webdav.mydomain.de/webdav/pw.kdbx. This traffic is passing the firewall with a running HAProxy service just fine.

keepass -> www -> firewall with haproxy -> LAN -> WebDav (Port 5005)

However, when saving any modification in this password file to the WebDAV again, this results in a bad gateway 502 error.

I noticed that Keepass first successfully creates a temporary file and when trying to move this temp file to the original one, this finally results in the 502 error.

As you will probably notice above, I access the file in question with https and my WebDAV server is running on port 80. SSL termination is done by HAProxy using a LE cert.

At the time of this error, the haproxy log file reads, pls. see last line.

Jun 19 14:49:30 localhost haproxy[25037]: 123.456.78.90:54146 [19/Jun/2020:14:49:30.427] http_https~ webdav_server/webdav01 0/0/1/1/2 401 612 - - --NI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "GET /webdav/pw.kdbx HTTP/1.1"
Jun 19 14:49:32 localhost haproxy[25037]: 123.456.78.90:54146 [19/Jun/2020:14:49:30.441] http_https~ webdav_server/webdav01 1/0/0/825/1883 200 3336890 - - --NI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "GET /webdav/pw.kdbx HTTP/1.1"
Jun 19 14:49:39 localhost haproxy[25037]: 123.456.78.90:54146 [19/Jun/2020:14:49:38.485] http_https~ webdav_server/webdav01 0/0/1/628/1430 200 3336890 - - --NI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "GET /webdav/pw.kdbx HTTP/1.1"
Jun 19 14:49:42 localhost haproxy[25037]: 123.456.78.90:54146 [19/Jun/2020:14:49:41.381] http_https~ webdav_server/webdav01 0/0/1/1365/1366 201 438 - - --NI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "PUT /webdav/pw.kdbx.tmp HTTP/1.1"
Jun 19 14:49:43 localhost haproxy[25037]: 123.456.78.90:54146 [19/Jun/2020:14:49:42.757] http_https~ webdav_server/webdav01 0/0/1/669/686 200 290052 - - CDNI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "GET /webdav/pw.kdbx HTTP/1.1"
Jun 19 14:49:44 localhost haproxy[25037]: 123.456.78.90:54166 [19/Jun/2020:14:49:43.523] http_https~ webdav_server/webdav01 0/0/1/727/728 204 129 - - --NI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "DELETE /webdav/pw.kdbx HTTP/1.1"
Jun 19 14:49:44 localhost haproxy[25037]: 123.456.78.90:54166 [19/Jun/2020:14:49:44.259] http_https~ webdav_server/webdav01 1/0/0/676/677 502 406 - - --NI 1/1/0/0/0 0/0 {webdav.mydomain.de|} "MOVE /webdav/pw.kdbx.tmp HTTP/1.1"

What’s interesting: when using the same https URL from within a Android tablet, using one of the abvailable file explorers that is capable of the WebDAV protocol, all is fine! Which means, I can download any file from the server, create, delete any files and folders w/o any issues.

IMO, the WebDAV server is not the cause if this problem. Maybe HAProxy or maybe Keepass at the end.

I’ve done a further test: I’ve created a port forwarding in the firewall to let Keepass reach the WebDAV server in LAN without passing HAProxy, using the URL http://123.456.78.90/webdav/pw.kdbx to access the file. Guess what? Keepass successfully saved the modified file without any error.

I found out alread when removing those lines from config file

http-request set-header X-Forwarded-Proto https 
redirect scheme https code 301 if !{ ssl_fc }

Keepass works as expected. Of course I’m now using the http protocol instead of desired https.

Now I’m clueless! Any hints on how to get rid of this problem, is highly appreciated!

Below is my current haproxy.cfg

cu,
Michael

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local1
        
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        nobody
    group       nobody
    daemon
    
    tune.ssl.default-dh-param 2048
    #tune.maxrewrite 4096
    #tune.http.maxhdr 202

    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch except 172.0.0.0/8 
    retries                 3
    timeout http-request    30s
    timeout queue           1m
    timeout connect         30s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 30s
    timeout check           30s
    maxconn                 3000
 
#---------------------------------------------------------------------
# Frontend Configuration
#---------------------------------------------------------------------
frontend http_https
    bind 172.17.0.2:80
    
    #Add available LE certs 
    bind 172.17.0.2:443 ssl crt /etc/haproxy/certs/webdav.mydomain.de.pem 

    mode http
    
    #---------------------
    #HAProxy handles SSL
    #---------------------
    #X-Forwarded-Proto for SSL offloading - needed for 
    http-request set-header X-Forwarded-Proto https
    redirect scheme https code 301 if !{ ssl_fc }

    #Logging
    capture request header host len 40
    capture request header cookie len 20
    
    #Default log format, unchanged
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
        
	       
    http-response set-header Strict-Transport-Security max-age=31536000
	
    # X-Content-Type-Options
    http-response set-header X-Content-Type-Options nosniff
	
    # X-Xss-Protection (for Chrome, Safari, IE)
    http-response set-header X-Xss-Protection 1;\ mode=block
	
    # X-Frame-Options (DENY or SELF)
    http-response set-header X-Frame-Options DENY
	
    # X-Robots-Tag to not index our site
    http-response set-header X-Robots-Tag none
	
    # Delete Server Header
    http-response del-header Server
	
    #Instruct clients to not sniff for Content-Type   
    http-response set-header X-Content-Type-Options: nosniff
	
    #Leaving HTTPS to HTTP page permit sniffing to find out actual HTTPS URLs
    http-response set-header Referrer-Policy no-referrer-when-downgrade


#---------------------------------------------------------------------
#Backend Configuration
#---------------------------------------------------------------------
    acl is_webdav_domain hdr_beg(host) -i webdav.mydomain.de
    
    #----WEBDAV----
    acl is_webdav_path path -i /webdav/
	
    http-request set-path /webdav%[path] if is_webdav_domain !is_webdav_path
    use_backend webdav_server if is_webdav_domain
      
    #default
    default_backend no_match

	  
#---------------------------------------------------------------------
# Backend WEBDAV
#---------------------------------------------------------------------
backend webdav_server
    balance leastconn
    cookie WEBDAVSERVER insert indirect nocache
    http-check disable-on-404
    http-check expect status 401
    option httpchk GET /webdav

    server webdav01 192.168.6.96:5005 cookie webdav01 inter 60s
	
#---------------------------------------------------------------------
# Backend: No Match
#---------------------------------------------------------------------
backend no_match
   http-request deny deny_status 400

1 post - 1 participant

Read full topic


Viewing all articles
Browse latest Browse all 4740

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>