Channel: HAProxy community - Latest topics

How do I force-change the backend's cert?


I’ve long struggled to get HAProxy to offload the certificate of a server, ADFS. HAProxy makes an encrypted connection of its own to ADFS, then it’s supposed to swap the certificate for a matching one from the specified ones, but what actually happens is that the original (origin?) certificate makes it through all the way to the client.

Because of the server in question, I assume some sort of heightened security (end-to-end or something) is specified in it which HAProxy obeys, so it doesn’t change the cert. I discovered I could work around this by adding NAT in front of ADFS or mapping ADFS to a virtual IP address (i.e. fancier NAT), so when things were working again I moved on.

I was testing one of these apps that will only let you use certificates from HTTP-01 ACME Let’s Encrypt. No problem, I thought, I’ll just disguise it with HAProxy; it’s already in front of every server, even on the intranet. When I did, though, Firefox showed me the unknown CA warning. In the details of the cert I saw that it was the same certificate from the server. The backend server, I believe, is using NGINX as a reverse proxy.

It’s set up to terminate the connection (TLS offloading). It passes through the SNI frontend first, but all TLS connections do.

Is there something I could do to force HAProxy to terminate the connection so the certificate is switched?

Thanks!


I added the actual configuration of only the related frontends and backends. I also removed the irrelevant keywords from it because it was still way too long.

Configuration file sections

1 post - 1 participant
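An added example, not part of the original post or of the poster’s configuration, showing the two HAProxy patterns whose difference decides which certificate the browser sees. A TCP-mode SNI frontend whose `bind` line has no `ssl` never decrypts anything: any name it routes straight to the origin arrives at the client with the origin’s own certificate, which is the symptom described above. HAProxy only presents a certificate of its own on a `bind` that carries `ssl crt`, so the name has to be routed to such a terminating frontend, which then re-encrypts to the origin and consumes the origin’s certificate on the server side. Hostnames, IP addresses, the abstract socket name and the certificate paths are placeholders chosen for this example:

```haproxy
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 443: TCP-mode SNI router. No "ssl" on this bind, so it never decrypts;
# whichever host eventually terminates TLS is the host whose cert the client sees.
frontend fe_sni_router
    mode tcp
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Names HAProxy must present its own certificate for go to the local terminator.
    use_backend be_to_terminator if { req.ssl_sni -i app.example.internal }
    # Names still sent to the origin from here are untouched: the origin's cert reaches the browser.
    use_backend be_adfs_passthrough if { req.ssl_sni -i adfs.example.internal }
    default_backend be_to_terminator

backend be_adfs_passthrough
    mode tcp
    server adfs 10.0.0.20:443

backend be_to_terminator
    mode tcp
    # Linux abstract-namespace socket (placeholder name); PROXY protocol keeps the client IP.
    server local abns@https_terminator send-proxy-v2

# Terminating frontend: "ssl crt" is what makes HAProxy answer with its own certificate.
# With a directory, HAProxy loads every PEM (cert + key) in it and selects one by SNI.
frontend fe_https_terminator
    mode http
    bind abns@https_terminator accept-proxy ssl crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https
    use_backend be_app_reencrypt if { ssl_fc_sni -i app.example.internal }

backend be_app_reencrypt
    mode http
    # Re-encrypt to the origin and verify its certificate on this hop only; the
    # origin's cert is checked here and never forwarded to the client.
    server app 10.0.0.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(app.example.internal) verifyhost app.example.internal
```

Run `haproxy -c -f` on the file before reloading, then check which certificate a client actually receives with `openssl s_client -connect <haproxy-ip>:443 -servername app.example.internal </dev/null | openssl x509 -noout -subject -issuer`: if the issuer is still the origin’s CA, that SNI name is taking a passthrough path rather than reaching a `bind ... ssl crt` line. Keep `verify required` on the re-encrypting server; `verify none` would let anything that answers on 10.0.0.10:443 impersonate the origin behind a certificate the browser trusts.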





