HAproxy / Reverse proxy Debian

Posted by Thierry
HAproxy / Reverse proxy Debian
January 12, 2017 09:30AM
Hi,


I seem to have a little problem with my SSL config:

....
....

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

ssl-default-server-options no-sslv3
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
log global
mode http
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth toto:lolo29

frontend email-https
bind *:888 ssl crt /etc/ssl/certs/cert.crt
reqadd X-Forwarded-Proto:\ https
default_backend https-email

frontend www-https
bind *:443 ssl crt /etc/ssl/certs/cert.crt
reqadd X-Forwarded-Proto:\ https
default_backend https-www

backend https-email
redirect scheme https if !{ ssl_fc }
server hostname ip_email_server:888

backend https-www
redirect scheme https if !{ ssl_fc }
server hostname ip_web_server:443

The main plan is to forward all HTTPS (port:443) requests to my web server
and all HTTPS(port:888) to my email server.

Do you see any mistake in my config?

Logs from HAproxy:

haproxy[15953]: [ALERT] 011/101209 (15953) : Proxy 'email-https': no SSL certificate specified for bind '*:888' at [/etc/haproxy/haproxy.cfg:52] (use 'crt').
Jan 12 10:12:09 proxy haproxy[15953]: [ALERT] 011/101209 (15953) : Proxy 'www-https': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:57] (use 'crt').
Jan 12 10:12:09 proxy haproxy[15953]: [ALERT] 011/101209 (15953) : Fatal errors found in configuration.

Thx



--
Cordialement,
Thierry e-mail : lenaigst@maelenn.org
PGP Key: 0xB7E3B9CD
Daniel Schneller
Re: HAproxy / Reverse proxy Debian
January 12, 2017 09:50AM
Thierry,

It always helps to know the haproxy version you use.
As for your error message, do you have private key, your site’s certificate and all necessary chain certificates in the crt files you reference in your config?

IIRC they need to be in the order

1. key
2. site cert (“leaf”)
3. intermediates

Make sure to have these files not world-readable as they contain secret crypto material.

HTH,
Daniel


--
Daniel Schneller
Principal Cloud Engineer

CenterDevice GmbH | Hochstraße 11
| 42697 Solingen
tel: +49 1754155711 | Deutschland
daniel.schneller@centerdevice.de | www.centerdevice.de

Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431


> On 12. Jan. 2017, at 09:23, Thierry <lenaigst@maelenn.org> wrote:
>
> no SSL certificate specified for bind '*:888' at [/etc/haproxy/haproxy.cfg:52] (use 'crt')
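A checker for the combined crt file described above, added here as an example (not code from the thread or from haproxy) that also covers the "cat" question later in the thread: it reads only the BEGIN/END markers, so it verifies one private key first followed by CERTIFICATE blocks and 0600-style permissions, but not that the leaf precedes its intermediates, which would need X.509 parsing. The sample bundle bodies are constructed placeholders.

```python
"""Layout and permission checks for the combined PEM file that haproxy's
'bind ... crt' directive reads. Added example, not code from the thread or
from haproxy. Only the -----BEGIN/END----- markers are inspected, so the
order leaf-before-intermediates is not verified (that needs X.509 parsing)."""
import os
import re
import stat
import sys

# One PEM block: a BEGIN marker, the base64 body, and the matching END marker.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_block_types(text):
    """Block types in file order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def layout_problems(text):
    """Problems with the block order; an empty list means the layout is acceptable."""
    types = pem_block_types(text)
    if not types:
        return ["no PEM blocks found (is this really a PEM file?)"]
    problems = []
    keys = [t for t in types if t in KEY_TYPES]
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block: the leaf certificate is missing")
    if types[0] not in KEY_TYPES:
        problems.append("first block is %r; the private key should come first" % types[0])
    for t in types:
        if t not in KEY_TYPES and t != "CERTIFICATE":
            problems.append("unexpected block type %r" % t)
    return problems


def mode_problems(st_mode):
    """Permission problems for a file mode as returned by os.stat().st_mode."""
    perms = stat.S_IMODE(st_mode)
    # Stricter than 'not world-readable': group access is refused as well.
    if perms & 0o077:
        return ["mode %04o lets group or other users read the private key; use 0600" % perms]
    return []


def check_bundle(path):
    """Check a bundle on disk and return all problems found (empty list = OK)."""
    with open(path, "r", encoding="ascii") as f:
        text = f.read()
    return layout_problems(text) + mode_problems(os.stat(path).st_mode)


# Constructed sample: the marker lines are real PEM syntax, the bodies are placeholders.
GOOD_BUNDLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeybody\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIFconstructedleafbody\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIEconstructedintermediatebody\n-----END CERTIFICATE-----\n"
)
# The same blocks with the key last, which is what 'cat cert.crt chain.pem cert.key' produces.
_FIRST_CERT = GOOD_BUNDLE.index("-----BEGIN CERTIFICATE-----")
KEY_LAST_BUNDLE = GOOD_BUNDLE[_FIRST_CERT:] + GOOD_BUNDLE[:_FIRST_CERT]

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for problem in check_bundle(path) or ["OK"]:
            print("%s: %s" % (path, problem))
```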
Daniel Schneller
Re: HAproxy / Reverse proxy Debian
January 12, 2017 01:50PM
Re-adding the list.

And:

> Do I have to "cat file.key file.crt file.pem > certi.chained.crt" ??

Yes. Though I am not sure what file.crt and file.pem are :)

Cheers,
Daniel




> On 12. Jan. 2017, at 13:27, Thierry <lenaigst@maelenn.org> wrote:
>
> Hi,
>
> You are right, I am using the v1.7.1-1 on Debian.
> I do have paid ssl certificate (.key, .crt, .pem). They all are in non world-readable folder.
> Do I have to "cat file.key file.crt file.pem > certi.chained.crt" ??
>
> Thx
Thierry
Re: HAproxy / Reverse proxy Debian
January 12, 2017 02:20PM
Bonjour Daniel,

I have resolved my problem, HAproxy does start now (ssl ok).
But when trying to reach my email server, I now get a:

400 Bad gateway - The plain HTTP request was sent to HTTPS port - Nginx

It should not be the case because 'reqadd x-forwarded-proto:\ https' is supposed to correct this?? And with 'redirect scheme https if !{ ssl_fc }' it should be 100% full HTTPS.

frontend email-https
    bind *:444 ssl crt /etc/ssl/private/full_certs.crt
    reqadd X-Forwarded-Proto:\ https
    default_backend https-email

backend https-email
    redirect scheme https if !{ ssl_fc }
    server email_hostname ip_email_server:888

Thx
Daniel Schneller
Re: HAproxy / Reverse proxy Debian
January 12, 2017 02:20PM
Sounds as if you have nginx set up for TLS termination, too.
This does not make sense, because haproxy will already have decrypted the traffic.
Make sure nginx does not expect https on what in your config would be ip_email_server:888.
Thierry
Re: HAproxy / Reverse proxy Debian
January 12, 2017 02:40PM
Bonjour Daniel,

I am not sure I understand.
I am using iRedMail as email server.
This email server does have ssl/TLS activated.

******

listen 888 http2;
    ssl on;
    ssl_certificate /etc/ssl/certs/cert.chained.crt;
    ssl_certificate_key /etc/ssl/private/cert.key;
    ssl_trusted_certificate /etc/ssl/certs/GandiStandardSSLCA2.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    include /etc/nginx/sslciphers.conf;
    add_header Strict-Transport-Security "max-age=15768000";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

*****

My email client does work well with these certificates and if I change the NAT of my router, I can reach the email web interface (Sogo) through an HTTPS request.
Why is it not possible to pass HTTPS traffic from HAproxy to my email server? It will be the same problem with my web server...

Thx
Daniel Schneller
Re: HAproxy / Reverse proxy Debian
January 12, 2017 02:40PM
> This email server does have ssl/TLS activated.

As I expected. Apparently that iRedMail server uses nginx.
Right now, if you talk to haproxy, it decrypts the traffic and then sends it on to nginx in plain text. However, on that port nginx expects encrypted traffic — hence your 400 error message.

If you want to configure TLS on the mail server / web server itself, there is no need to configure haproxy for TLS at all.
Switch it to TCP mode and remove the TLS configuration. That way it will just hand the still encrypted traffic over to nginx.
Thierry
Re: HAproxy / Reverse proxy Debian
January 12, 2017 03:10PM
Bonjour Daniel,

From my first post, you can see the config with ssl.
To switch to TCP mode, I have removed:

- All ciphers
- In defaults, I have switched from "mode http" to "mode tcp"
- In frontend email-https, I have removed "reqadd X-Forwarded-Proto:\ https" and "ssl crt /etc/ssl/private/full_certs.crt"
- In backend email-https I have removed "redirect scheme https if !{ ssl_fc }"

new config:

frontend email-https
    bind *:888
    default_backend https-email

backend https-email
    server zobe ip_email_server:888

But when testing, I now get this message: this page cannot be displayed....

Logs from HAproxy:

Jan 12 15:46:47 proxy haproxy[17514]: ip_number:52188 [12/Jan/2017:15:45:57..032] email-https https-email/zobe 1/0/50293 6325 cD 0/0/0/0/0 0/0
Jan 12 15:59:33 proxy haproxy[17514]: ip_number:13246 [12/Jan/2017:15:58:43..626] email-https https-email/zobe 1/0/50275 5807 cD 0/0/0/0/0 0/0
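The two log lines above carry the termination state "cD". The parser below, added here and not part of the thread or of haproxy, splits TCP-mode (tcplog) lines into their fields and decodes that state against the "timeout client 50000" set in the first post's defaults; its sample lines are constructed, with a documentation address in place of ip_number.

```python
"""Parser for haproxy TCP-mode ('option tcplog') log lines with a decoder for
the two-letter termination state. Added example, not code from the thread or
from haproxy; the sample lines are constructed to mirror the thread's format,
with a documentation address standing in for the post's ip_number."""
import re

# Field layout of a tcplog line, after the syslog prefix has been removed:
# client:port [accept_date] frontend backend/server Tw/Tc/Tt bytes term
# actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TCPLOG = re.compile(
    r"(?P<client>\S+):(?P<port>\d+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<bytes>\d+) (?P<term>\S\S) "
    r"(?P<act>\d+)/(?P<fe>\d+)/(?P<be>\d+)/(?P<srv>\d+)/(?P<retries>\d+) "
    r"(?P<srvq>\d+)/(?P<beq>\d+)\s*$"
)
INT_FIELDS = ("port", "tw", "tc", "tt", "bytes", "act", "fe", "be", "srv", "retries", "srvq", "beq")

# First letter: what ended the session.  Second letter: the phase it was in.
CAUSE = {
    "-": "normal close", "C": "client aborted", "S": "server aborted or refused",
    "P": "proxy aborted", "L": "handled locally by haproxy", "R": "resource exhausted",
    "I": "internal error", "D": "server went down", "U": "backup connection killed",
    "K": "killed by an administrator", "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
PHASE = {
    "-": "normal", "R": "waiting for the request", "Q": "queued for a server",
    "C": "connecting to the server", "H": "waiting for response headers",
    "D": "data phase", "L": "sending the last data", "T": "tarpit",
}


def parse_tcplog(line):
    """Return the fields of one tcplog line as a dict, or None if it does not match."""
    body = line.split("]: ", 1)[-1]  # drop 'Mon DD HH:MM:SS host haproxy[pid]: '
    m = TCPLOG.match(body)
    if m is None:
        return None
    fields = m.groupdict()
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields


def explain(fields, timeout_client_ms=None):
    """Plain-language reading of the termination state and timings of one line."""
    cause, phase = fields["term"]
    text = "%s during %s (Tw/Tc/Tt=%d/%d/%d ms, %d bytes)" % (
        CAUSE.get(cause, "unknown cause %r" % cause),
        PHASE.get(phase, "unknown phase %r" % phase),
        fields["tw"], fields["tc"], fields["tt"], fields["bytes"])
    if cause == "c" and timeout_client_ms is not None and fields["tt"] >= timeout_client_ms:
        text += "; Tt exceeds 'timeout client %d', the client sent nothing for that long" % timeout_client_ms
    return text


# Constructed sample lines: the first mirrors the post (client timeout in the data
# phase after about 50 s), the second is a healthy exchange for contrast.
SAMPLE_LINES = [
    "Jan 12 15:46:47 proxy haproxy[17514]: 192.0.2.10:52188 [12/Jan/2017:15:45:57.032] "
    "email-https https-email/zobe 1/0/50293 6325 cD 0/0/0/0/0 0/0",
    "Jan 12 15:47:03 proxy haproxy[17514]: 192.0.2.11:40022 [12/Jan/2017:15:47:02.811] "
    "email-https https-email/zobe 0/1/412 18233 -- 1/1/1/1/0 0/0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_tcplog(line)
        print("%s %s/%s: %s" % (f["frontend"], f["backend"], f["server"], explain(f, 50000)))
```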