Ssl certificate verify on specific domain with SNI

@skasch wrote:

Hi,

i am on haproxy 1.7.5 (debian) and try to setup what is mentioned here:
"how-to-set-ssl-verify-client-for-specific-domain-name"
my haproxy is located behind a firewall and requests are NATed

i’d like to have some users that are not in the networks_allowed list, to present a certificate.
others should be routed without certificate.

but on loading the page, firefox complains about SSL_ERROR_RX_RECORD_TOO_LONG
and the logs show:

x.x.x.x:50741 [04/Oct/2017:14:32:17.145] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0
x.x.x.x:50740 [04/Oct/2017:14:32:17.146] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0
x.x.x.x:50743 [04/Oct/2017:14:32:19.704] https_tcp_443 https_tcp_443/ -1/-1/0 188 PR 0/0/0/0/0 0/0

which looks like some backend is not found or a condition not met…

my config is as follows:

global
  log 127.0.0.1:514 local0 info
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  daemon
  maxconn 2048
  tune.ssl.default-dh-param 2048
  ssl-dh-param-file /etc/haproxy/dhparams.pem

  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-default-bind-options no-sslv3 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  ssl-default-server-options no-sslv3 no-tls-tickets

defaults
  log global
  mode http
  balance roundrobin
  option httplog
  option dontlognull
  option forwardfor
  option http-server-close
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http

frontend http_80
  mode http
  bind :80
  timeout http-request 5s

  acl acl_letsencrypt_http path_beg /.well-known/acme-challenge/
  use_backend backend_letsencrypt if acl_letsencrypt_http

  acl acl_dx hdr(host) -i dx.domain.com
  acl acl_manikin hdr(host) -i manikin.domain.com
  acl acl_publish hdr(host) -i publish.domain.com
  acl acl_publish-edeka hdr(host) -i publish-edeka.domain.com
  acl acl_zws hdr(host) -i zws.domain.com
  acl acl_easyjob hdr(host) -i easyjob.domain.com

  # Define a rule to detect SSL
  acl acl_hasSSL ssl_fc

  # Use rule acl_hasSSL to detect SSL and if not redirect to https
  redirect scheme https if !acl_hasSSL acl_zws !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_easyjob !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_dx !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_manikin !acl_letsencrypt_http
  redirect scheme https if !acl_hasSSL acl_publish-edeka !acl_letsencrypt_http

  # Define non-SSL hosts that should be directed to their backend directly
  use_backend backend_publish if acl_publish

# intermediate frontend to handle client certificates when "verifiy required" externally
frontend https_tcp_443
  bind :443
  option tcplog
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  acl networks_allowed src 192.168.124.0/24 192.168.126.0/24 192.168.127.0/24 192.168.223.0/24 192.168.224.0/24 172.20.3.0/24 172.20.4.0/22 172.20.8.0/22

  use_backend loop_clientcertenabled if { req_ssl_sni -i zws.domain.com or req_ssl_sni -i zws.domain.com } !networks_allowed
  default_backend loop_default

backend loop_clientcertenabled
  server loopback-for-tls abns@ssl_clientcert send-proxy-v2
backend loop_default
  server loopback-for-tls abns@ssl_default send-proxy-v2

frontend https_443_clientcert
  mode http
  bind abns@ssl_clientcert accept-proxy crt-list /etc/haproxy/certmappings.list ssl verify required ca-file /etc/haproxy/cacert.pem
  http-response set-header Strict-Transport-Security max-age=15768000

  # act definition to base check if user provided a certificate
  acl has_cert ssl_fc_has_crt

  # acl definition to check expiry of certificate
  acl valid_cert_expired ssl_c_verify 10

  use_backend backend_zws if { req_ssl_sni -i zws.domain.com } has_cert !valid_cert_expired
  use_backend backend_easyjob if { req_ssl_sni -i easyjob.domain.com } has_cert !valid_cert_expired

frontend https_443_default
  mode http
  bind abns@ssl_default accept-proxy crt-list /etc/haproxy/certmappings.list ssl
  http-response set-header Strict-Transport-Security max-age=15768000

  # define backends and conditionals
  use_backend backend_dx if { ssl_fc_sni dx.domain.com }
  use_backend backend_manikin if { ssl_fc_sni manikin.domain.com }
  use_backend backend_publish if { ssl_fc_sni publish.domain.com }
  use_backend backend_publish-edeka if { ssl_fc_sni publish-edeka.domain.com }
  use_backend backend_zws if { ssl_fc_sni zws.domain.com }
  use_backend backend_easyjob if { ssl_fc_sni easyjob.domain.com }

backend backend_letsencrypt
  mode http
  server localhost 127.0.0.1:8080

backend backend_dx
  mode http
  server dx 192.168.99.4:80

backend backend_manikin
  mode http
  server manikin-srv 172.20.4.255:80

backend backend_publish-edeka
  mode http
  server publish-edeka 192.168.99.32:80

backend backend_zws
  mode http
  server zws 192.168.99.9:80

backend backend_easyjob
  mode http
  server easyjob 172.20.3.26:80

any help is greatly appreciated

Posts: 1

Participants: 1

Read full topic