HAProxy as a reverse proxy for backend already ssl enabled and SSL terminator for a backend exposed in port 80
I have 4 servers:
- proxy_server,
- $BK_SERVER_001,
- $BK_SERVER_002 and
- $BK_SERVER_003
The "proxy_server" only has an HAProxy-enabled service with this configuration:
(please look at the rows marked as OPTION 1 & OPTION 2)
# StackOverflow
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
timeout connect 10s
timeout client 30s
timeout server 30s
log global
mode http
option httplog
option dontlognull
# ***************** port 80 defs ************
frontend http_in
mode http
option httplog
bind *:80
option forwardfor
acl host_goose hdr(host) -i www.example.edu
redirect scheme https code 301 if !host_goose
use_backend http_goose if host_goose
backend http_goose
mode http
server sonar $BK_SERVER_003:8080
# ***************** port 443 defs ************
frontend https_in
mode tcp
option tcplog
# With this one, all works except sonar (OPTION 1)
# bind *:443
# With this one, only works sonar (OPTION 2)
bind *:443 ssl crt sonar.pem
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
acl host_server001 req.ssl_sni -i opengrok.ci.example.edu
acl host_server002 req.ssl_sni -i gitlab.ci.example.edu
acl host_server003 req.ssl_sni -i jenkins.ci.example.edu
acl host_server004 req.ssl_sni -i nexus.ci.example.edu
acl host_server005 req.ssl_sni -i rancher.ci.example.edu
acl host_server006 req.ssl_sni -i reports.ci.example.edu
acl host_server007 hdr(host) -i sonar.ci.example.edu
use_backend https_server001 if host_server001
use_backend https_server002 if host_server002
use_backend https_server003 if host_server003
use_backend https_server004 if host_server004
use_backend https_server005 if host_server005
use_backend https_server006 if host_server006
use_backend https_server007 if host_server007
#opengrok
backend https_server001
mode tcp
server server001 $BK_SERVER_001:28443
#gitlab
backend https_server002
mode tcp
server server002 $BK_SERVER_002:10443
#jenkins
backend https_server003
mode tcp
server server003 $BK_SERVER_001:7443
#nexus
backend https_server004
mode tcp
server server004 $BK_SERVER_001:8443
#rancher
backend https_server005
mode tcp
server server005 $BK_SERVER_002:9443
#reports
backend https_server006
mode tcp
server server006 $BK_SERVER_001:4443
#sonar
backend https_server007
mode http
server server007 $BK_SERVER_001:9000
For OPTION 2, HAProxy successfully publishes the "sonar" service using the given certificate; however, the rest of the services are then trying to use that certificate as well.
Since the other services are already SSL-enabled on their corresponding backends, I do NOT have their certificates.
If I use OPTION 1, HAProxy successfully publishes all the already-SSL-enabled backend services except the "sonar" service, because it needs a certificate that I only have at the proxy_server level.
Is it possible to have all the services secured with SSL if (like I said) some of them are already secured but the others will be secured by HAProxy with the only SSL certificate I have access to, the one for the "sonar" service? How?
Please also note that I do not have SSH access to the $BK_SERVER_xxx servers and that I have DNS pointing all their names to "proxy_server".
ssl port-forwarding certificates reverse-proxy haproxy
edited 43 mins ago
Goose
asked 49 mins ago
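The configuration below is an added example, not the poster's own config or an HAProxy project file. It shows one way to get both behaviours on a single port 443: the TCP frontend routes on the SNI name from the ClientHello, passes the already-TLS backends through untouched, and hands only the sonar name to a loopback frontend that terminates TLS with sonar.pem. The loopback address 127.0.0.1:8443 and the names sonar_terminate / sonar_https are assumptions; hostnames, ports and $BK_SERVER variables are the question's.

```haproxy
# Added example (not the poster's configuration). The global, defaults
# and port-80 sections from the question are unchanged and omitted here.
# Assumed: loopback port 8443 is free on proxy_server, and sonar.pem sits
# under crt-base exactly as in the question.

frontend https_in
    mode tcp
    option tcplog
    # Plain TCP bind. With 'ssl crt sonar.pem' here, HAProxy would
    # terminate TLS for every name using sonar.pem (the OPTION 2 symptom).
    bind *:443
    # Give the client up to 5s to send a ClientHello so req.ssl_sni can
    # be read; anything that is not a TLS handshake is closed.
    tcp-request inspect-delay 5s
    tcp-request content reject unless { req.ssl_hello_type 1 }

    # hdr(host) is an HTTP-layer fetch and never matches in a TCP
    # frontend; the SNI from the ClientHello is the routable name here.
    acl sni_opengrok req.ssl_sni -i opengrok.ci.example.edu
    acl sni_gitlab   req.ssl_sni -i gitlab.ci.example.edu
    acl sni_jenkins  req.ssl_sni -i jenkins.ci.example.edu
    acl sni_nexus    req.ssl_sni -i nexus.ci.example.edu
    acl sni_rancher  req.ssl_sni -i rancher.ci.example.edu
    acl sni_reports  req.ssl_sni -i reports.ci.example.edu
    acl sni_sonar    req.ssl_sni -i sonar.ci.example.edu

    # Already-TLS backends: bytes pass through untouched, so the client
    # sees each backend's own certificate and none is needed on the proxy.
    use_backend https_server001 if sni_opengrok
    use_backend https_server002 if sni_gitlab
    use_backend https_server003 if sni_jenkins
    use_backend https_server004 if sni_nexus
    use_backend https_server005 if sni_rancher
    use_backend https_server006 if sni_reports
    # sonar is the one name HAProxy terminates: loop it back into the
    # TLS-terminating frontend below.
    use_backend sonar_terminate if sni_sonar
    # No default_backend on purpose: an unknown SNI is closed, not forwarded.

backend sonar_terminate
    mode tcp
    # PROXY protocol v2 carries the real client address over the loopback hop.
    server local 127.0.0.1:8443 send-proxy-v2

frontend sonar_https
    mode http
    option httplog
    option forwardfor
    bind 127.0.0.1:8443 ssl crt sonar.pem accept-proxy
    http-request set-header X-Forwarded-Proto https
    default_backend https_server007

# Plain-HTTP sonar backend, as in the question.
backend https_server007
    mode http
    server server007 $BK_SERVER_001:9000

# Pass-through backends keep the question's definitions, e.g.:
backend https_server001
    mode tcp
    server server001 $BK_SERVER_001:28443
```

After reloading, `openssl s_client -connect proxy_server:443 -servername <name>` for each name should show the backend's own certificate for the pass-through hosts and sonar.pem only for sonar.ci.example.edu. Because the pass-through traffic is opaque to HAProxy, HTTP-level logging and header injection apply to sonar alone; the other services keep only the TCP log line.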