Hello,
over at the OPNsense forum I created a widely used tutorial for configuring HAProxy with Let’s Encrypt on OPNsense. To me this setup can always be improved. This is why I am coming here for advice.
Current setup
Only TCP port 80 and 443 are exposed to the WAN.
The SNI_frontend defaults to redirecting traffic using an address on the localhost to the HTTP_frontend and HTTPS_frontend.
This is so I can also have TCP based services like OpenVPN exposed using port 443.
All of the above is currently working just fine.
The HTTPS_frontend is currently defaulting to the SUSPICIOUS_SNI_backend with only a http-request silent-drop rule on it, that will take action if no matching SNI record can be found in a mapfile or rule.
While this is also working fine it still presents the user with “Error: Secure connection failed”.
Setting this http-request silent-drop directly on the SNI_frontend works as intended and the connection times out.
What is the goal?
In short I would like to perform the SNI check directly on the SNI_frontend.
- HAProxy should verify the FQDN that is being accessed against a mapfile.
- The mapfile contains only the valid FQDNs redirecting them all to the SSL_backend.
- If no matching FQDN can be found the http-request silent-drop should take action.
Attempted config
The below config is working fine for HTTP traffic.
Valid FQDNs accessing the SNI_frontend using HTTP get redirected to the HTTP_frontend via the SSL_backend and from there redirected to HTTPS_frontend.
Invalid/Unknown FQDNs receive the http-request silent-drop.
However the below config is not working at all for HTTPS traffic. No matter if the FQDN is valid or not.
HTTPS traffic is always presented with “Error: Secure connection failed”.
The log indicates that the traffic gets stuck at the SNI_frontend.
The HTTPS_frontend gets no hits whatsoever.
I hope someone can point me in the right direction.
Thank you very much!
TheHellSite
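For readers following the goal described in the post, here is an added illustration (not the poster's configuration, which is not included above) of how HAProxy expresses an SNI map lookup with a silent drop on a TCP-mode frontend. The frontend, backend and map-file names are assumptions, the example covers port 443 only, and it assumes the TLS ClientHello is inspected before TLS termination, so the check uses the `req.ssl_sni` fetch and `tcp-request content` rules rather than `http-request` rules.

```haproxy
# Added example, not the poster's own config.
# Assumed names: SNI_frontend, SSL_backend, /usr/local/etc/haproxy/sni.map
# The map file holds one "fqdn backend" pair per line, e.g.:
#   www.example.test SSL_backend
#   vpn.example.test SSL_backend

frontend SNI_frontend
    mode tcp
    bind 0.0.0.0:443

    # Buffer the first bytes (up to 5s) so the TLS ClientHello and its SNI
    # can be read before any routing decision is taken.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Drop the connection without sending anything back when the SNI is
    # not present in the map. The client sees a timeout, not a TLS error.
    tcp-request content silent-drop unless { req.ssl_sni,lower,map(/usr/local/etc/haproxy/sni.map) -m found }

    # Known SNIs are routed to the backend named in the map (SSL_backend).
    use_backend %[req.ssl_sni,lower,map(/usr/local/etc/haproxy/sni.map)]

backend SSL_backend
    mode tcp
    # Hand the raw TLS stream to the local HTTPS frontend. send-proxy-v2
    # preserves the client IP; the receiving bind must use accept-proxy.
    server https_frontend 127.0.0.1:8443 send-proxy-v2
```

Because the drop happens before the TLS handshake completes, unknown names never reach the HTTPS frontend, which is the behaviour the post describes wanting on the SNI_frontend.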