Anyone have luck with using HAProxy and CA signed certificates? I have my own Microsoft CA and am using it to create CA signed certificates for my connection server, security server and my HAProxy load balanced IP address.
If I connect directly to any of my security servers I have no issues, everything works great. When I connect to the load balanced IP by the host name used in the certificate and DNS it gives me an SSL certificate error. I can view the certificate and see it's using the load balanced certificate. My problem is I'm not sure if it's failing at the first step (the load balancer) or the security server point. I believe I have it made so it uses the security server's certificate when it is redirected but the debug log is not helpful at all.
Anyone have a sample config that has worked for them by chance?
This works with my certs
# TLS passthrough: no "ssl" keyword on the listen line, so HAProxy forwards the
# raw TLS stream and the client validates the security server's own certificate
listen vdi:443 x.x.x.x:443
    mode tcp
    option tcplog
    balance source
    server vdibroker01:443 x.x.x.x:443 check
    server vdibroker02:443 x.x.x.x:443 check
Did you install the cert on the load balancer?
Sam
This is my current config file
frontend LBVIP
    mode tcp
    # "ssl" on the bind line terminates TLS at HAProxy; the certificate presented is
    # picked by SNI from haproxy.pem and the certs/ directory. "ca-file" on a bind
    # line is only consulted to verify client certificates.
    bind LoadBalancerVIPHostname:443 ssl crt /etc/haproxy/haproxy.pem crt /etc/haproxy/certs/ ca-file /etc/haproxy/cafile.pem
    use_backend Security01 if { ssl_fc_sni SecurityServer01HostName }
    use_backend Security02 if { ssl_fc_sni SecurityServer02HostName }

backend Security01
    balance source
    mode tcp
    # no port given, so HAProxy reuses the port the client connected to (443);
    # the decrypted stream is forwarded as plain TCP (no "ssl" on the server line)
    server secsrv1 HOSTNAMEofSECSRV1

backend Security02
    balance source
    mode tcp
    server secsrv2 HOSTNAMEofSECSRV2
/etc/haproxy/haproxy.pem is the certificate of the Load Balancer's VIP.
/etc/haproxy/certs/ is the location of the security server certificates in .pem format with keys.
/etc/haproxy/cafile.pem is the Root and Intermediate CAs in my infrastructure.
When I use a program to check the certificate and chain it resolves just fine. View seems to be failing me miserably though. Notice anything in particular wrong with it?
I have been running HAProxy with the same general config that chulerico listed. It knows nothing of and doesn't care about the certs, it just hands off the connection to the security server and happy day. I don't use an internally signed cert on my Security Servers, because they are public facing, but the cert is set up with the hostname that resolves to the load balanced IP.
It looks like you are trying to do SSL offload with HAProxy.
What approach did you use to create your PEM file for HAProxy? The PEM file typically contains multiple certificates including the intermediate CA and root CA certificates.
ca-file is used to verify client certificates, so you can probably remove that.
Keep the CA certs in /etc/haproxy/certs/ as well.
yup,
mode tcp won't do ssl offloading
I'm just passing the connection to the connection server, and there is no cert in the haproxy box
Coupled with keep-alive it is a neat setup.
Sam
So this might be my problem, TCP mode won't do SSL offloading? Can you do it with HTTP SSL termination? It would end up looking more like this:
frontend CorpView
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    default_backend ViewSec

backend ViewSec
    mode http
    balance roundrobin
    option forwardfor
    option http-server-close
    # pass the port and scheme the client used on to the View servers
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # "*" stands in for the real server addresses; with no "ssl" keyword on the
    # server line, plain HTTP is sent to port 443
    server view01 *:443 check
    server view02 *:443 check
This doesn't seem to work with View though, I get an HTTP 503 error which I believe is a gateway problem. This might mean HTTP won't work with it.
sutter,
Before, there wasn't a straightforward way of doing it; haproxy needed to be coupled with stunnel, etc. Not clean.
Will try to test it out later today like this; it seems haproxy added support for SSL offload at a later point (what version are you using?)
Using SSL Certificates with HAProxy - Servers for Hackers
Sam
I'm currently using 1.5.4. So SSL termination is an option but it only appears to work with HTTP which won't work with View it seems.
Are the IP and the DNS name of the VIP in the SSL certs on the security servers as SAN names?
sutter,
View can be set to HTTP.
Example config:
Configure Each View Connection Server for HTTP Traffic
https://techlib.barracuda.com/load/deployinvmwareview
I tried the above in older View versions (at the time it was about getting better performance from the brokers).
So two choices here: stick with mode tcp and let all traffic be encrypted, or disable HTTPS at the brokers so you can use mode http.
sam
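The alternatives this last post lays out, written out as HAProxy 1.5 configs. This is an added example and not a config posted by anyone in this thread: TLS passthrough in mode tcp (using req.ssl_sni, the passthrough counterpart of the ssl_fc_sni routing shown earlier), termination at the VIP with re-encryption to the security servers, and termination with plain HTTP to brokers that have been configured for HTTP. The 192.0.2.x addresses, the example.local hostnames and the certificate paths are placeholders; the three frontends all bind the same VIP, so only one of them is deployed at a time.

```haproxy
# Added example, not a config from anyone in this thread. Addresses,
# hostnames and certificate paths are placeholders.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30m
    timeout server  30m

# Choice 1: TLS passthrough. No "ssl" on the bind line, so the View client
# validates the security server's own certificate. For a client that
# connected by the VIP name, that certificate must carry the VIP hostname
# as a SAN (as noted in the thread). The SNI is read from the ClientHello
# for routing only; HAProxy never decrypts anything here.
frontend view_passthrough
    mode tcp
    bind 192.0.2.10:443
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend secsrv1_only if { req.ssl_sni -i secsrv01.example.local }
    use_backend secsrv2_only if { req.ssl_sni -i secsrv02.example.local }
    default_backend secsrv_pool

backend secsrv_pool
    mode tcp
    balance source
    server secsrv1 192.0.2.11:443 check
    server secsrv2 192.0.2.12:443 check

backend secsrv1_only
    mode tcp
    server secsrv1 192.0.2.11:443 check

backend secsrv2_only
    mode tcp
    server secsrv2 192.0.2.12:443 check

# Choice 2: terminate TLS at the VIP with the VIP's own certificate and
# re-encrypt towards the security servers. haproxy.pem holds the VIP
# certificate first, then the intermediate(s), then the private key.
frontend view_terminate
    mode tcp
    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem
    option tcplog
    default_backend secsrv_reencrypt

backend secsrv_reencrypt
    mode tcp
    balance source
    # "ssl" re-encrypts the stream; "verify required" with ca-file and
    # verifyhost checks the security server's certificate against the
    # internal CA chain. Without "ssl" the decrypted stream would be sent
    # to port 443 as plaintext.
    server secsrv1 192.0.2.11:443 ssl verify required ca-file /etc/haproxy/cafile.pem verifyhost secsrv01.example.local check
    server secsrv2 192.0.2.12:443 ssl verify required ca-file /etc/haproxy/cafile.pem verifyhost secsrv02.example.local check

# Choice 3: terminate TLS at the VIP and talk plain HTTP to brokers that
# have been configured for HTTP traffic (the Barracuda link above).
frontend view_http
    mode http
    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend broker_http

backend broker_http
    mode http
    balance source
    option http-server-close
    server broker1 192.0.2.21:80 check
    server broker2 192.0.2.22:80 check
```

With choice 1 the certificate error the original poster saw can only come from the security server's certificate, since HAProxy presents none; with choice 2 it can only come from haproxy.pem, which is what makes the two easier to tell apart than the mixed config posted earlier.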