Problem: I have an application connecting to several databases (Redis, Riak, etc) via TCP through HAProxy. Like this:
app -> HAProxy --TLS--> HAProxy -> Redis
Access to HAProxy on Redis side is managed by Chef via iptables. We already use CFSSL for mutual TLS authentication on Nginx<->Nginx connections because it's way faster than waiting until Chef updates configuration.
Wanna make HAProxy on application side use client-side TLS certificate when connecting to HAProxy on DB side.
Actually any other proxy will do on client side but we'd like to keep things simple.
Related
My server has a main site which have SSL certificate installed. There is also a linux management panel which runs on port 8080 that does not support SSL. What I want is that the traffic from the client to CloudFlare is encrypted with CloudFlare's certificate, but leave the connection from CDN to my VPS server non-secure. Right now the SSL/TLS encryption mode is set to flexible, edge certificates shows active, and also I've turned off "always use https". When i tried to access the 8080 port with https prefix however I couldn't get through. Can someone offer me a way to acheive this: traffic from client to CDN encrypted, while CDN connects unsecured to my server. PS: I'm using the free plan of CloudFlare and since it's a personal site and I do not want to induce extra cost, hope I can solve this with in the free plan.
There are two ways to solve your problem using Cloudflare without any additional cost.
First of all turn ON always use HTTPS
Changing Flexible to Full in SSL/TLS setting in Cloudflare (Simple Way, No need any other setup in your server).
Which will encrypt the data transfer from Cloudflare to your server using a self-signed certificate.
Changing Flexible to Full(Strict) in SSL/TLS setting in Cloudflare (Need some work in your server).
For Full(Strict), Go to your origin server tab in SSL/TLS and press create a certificate to get your SSL Certificate. But this certificate is only valid between your server and cloudflare.
Then you need to install those certificates on your server.
Additional Steps(As you don't have an HTTPS setup in your VPS):
As you are using the port in your Webserver. So reverse proxy your application running on port 8080 using Apache, Nginx on the port 443. Check this answer for some idea.
AWS NLB supports TLS termination
https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
NLB being a Layer 4 load balancer I would expect it to work in a passthrough mode by directing the incoming packets to one of the backends without much of state maintenance (except for the flow tracking)
Are there any details available on how AWS implements the TLS termination in NLB ?
Is it possible to do it with open source tooling (like IPVS or haproxy) or AWS has some secret sauce here ?
The TLS termination itself is just what it says it is. TLS is a generic streaming protocol just like TCP one level up so you can unwrap it at the LB in a generic way. The magic is that they keep the IPs intact probably with very fancy routing magic, but it seems unlikely AWS will tell you how they did it.
In my SO question here, I have an example of how to terminate a TCP session in HAProxy and pass the unencrypted traffic to a backend.
In short, you need to use ssl in the frontend bind section and both frontend and backend configurations require use of tcp mode. Here is an example of terminating on port 443 and forwarding to port 4567.
frontend tcp-proxy
bind :443 ssl crt combined-cert-key.pem
mode tcp
default_backend bk_default
backend bk_default
mode tcp
server server1 1.2.3.4:4567
How can I achieve reverse SSL termination with ha proxy?
From my backend via HAproxy I need to a https enabled web service. How can I successfully proxy all traffic to that service via HAProxy?
Below results in Unable to communicate securely with peer: requested domain name does not match the server's certificate.
frontend foofront
bind 127.0.0.1:443
mode tcp
default_backend foo
backend fooback
mode tcp
balance leastconn
server foo foo.bar.com:443 check
With HAProxy you usually have two options for handling TLS-related scenarios. TLS Passthrough and TLS Termination.
TLS Passthrough
Looks like you're trying to do this in the example you gave.
In this mode, HAProxy does not touch traffic in any way, but is just forwarding it to the backend. When TLS is involved, that means that the backend has to have a proper certificate for a domain it's accessed from - if your HAProxy is handling traffic for myexample.com, backend servers will need to have appropriate certificates for myexample.com installed.
You can always check which certificate is served by using openssl s_client:
openssl s_client -connect localhost:443
TLS Termination
Alternatively, you can terminate TLS traffic on HAProxy itself. This will allow you to use any backend (both encrypted and unencrypted). In this case, HAProxy itself decrypts traffic for myexample.com and forwards it to backend.
In your case, configuration would look something like:
frontend foofront
bind 127.0.0.1:80
bind 127.0.0.1:443 ssl crt /path/to/cert/for/myexample.com
mode tcp
default_backend foo
backend foo
mode tcp
balance leastconn
server foo foo.bar.com:443 check ssl verify none # or verify all to enforce ssl checking
You can find more info on both approaches here.
Hope this helps.
I implemented a server with two deploy of different services(Apache and OpenFire).
And I want to implement https for my server, so my question is.
How to implement the SSL certificate on my server with two different application working with different ports?
I was looking about how to create a NAT network but I'm not sure if this is the best way to do it.
Apache is an HTTP Server and for SSL by default HTTP Servers use 443 port.
However, Openfire in an XMPP Server and you can enable TLS in it which will by default use 5222 port. And for Openfire's admin application, HTTPS will be on 9091 port by default.
So you can have both servers on same machine with SSL enabled.
Okay, so I know that we can either forward HTTPS traffic via haproxy to backend servers intact or have SSL terminated at the proxy server, and let remaining course of the traffic be unencrypted. But is there a way to make haproxy work such that the traffic is decrypted at the server and recrypted before being sent to the backend nodes?
Basically I am getting half the job done with SSL termination, but I want traffic to be encrypted again once it leaves the proxy server.
Is this possible with haproxy on its own? or is there some other tool I could use in combination with haproxy to create and manage HTTPS/SSL sessions with backend servers?
Have you tried setting it up like this:
Haproxy terminates the SSL then, instead of forwarding the unencrypted traffic to your backend on a HTTP port, try forwarding it to a HTTPS port on the backend and wrap that in a self signed cert.
i.e:
SSL Traffic -> haproxy:443(domain cert) -> backend:443(internal cert)
I have set this up before and it worked fine