How to decrypt and encrypt HTTPS traffic with haproxy? - ssl

Okay, so I know that we can either forward HTTPS traffic via haproxy to backend servers intact, or have SSL terminated at the proxy server and let the rest of the traffic be unencrypted. But is there a way to make haproxy work such that the traffic is decrypted at the server and re-encrypted before being sent to the backend nodes?
Basically I am getting half the job done with SSL termination, but I want the traffic to be encrypted again once it leaves the proxy server.
Is this possible with haproxy on its own, or is there some other tool I could use in combination with haproxy to create and manage HTTPS/SSL sessions with backend servers?

Have you tried setting it up like this:
HAProxy terminates the SSL; then, instead of forwarding the unencrypted traffic to your backend on an HTTP port, try forwarding it to an HTTPS port on the backend and wrap that in a self-signed cert.
i.e.:
    SSL Traffic -> haproxy:443 (domain cert) -> backend:443 (internal cert)
I have set this up before and it worked fine.

Related

Cloudflare to only encrypt traffic between client and CDN but non-secure connection from CDN to server

My server has a main site which has an SSL certificate installed. There is also a Linux management panel which runs on port 8080 that does not support SSL. What I want is that the traffic from the client to Cloudflare is encrypted with Cloudflare's certificate, but the connection from the CDN to my VPS server is left non-secure. Right now the SSL/TLS encryption mode is set to Flexible, edge certificates show as active, and I've also turned off "Always Use HTTPS". When I tried to access port 8080 with an https prefix, however, I couldn't get through. Can someone offer me a way to achieve this: traffic from client to CDN encrypted, while the CDN connects unsecured to my server? PS: I'm using the free plan of Cloudflare, and since it's a personal site and I do not want to incur extra cost, I hope I can solve this within the free plan.
There are two ways to solve your problem using Cloudflare without any additional cost.
First of all, turn ON "Always Use HTTPS".
1. Change Flexible to Full in the SSL/TLS settings in Cloudflare (simple way, no other setup needed on your server).
   This will encrypt the data transfer from Cloudflare to your server using a self-signed certificate.
2. Change Flexible to Full (Strict) in the SSL/TLS settings in Cloudflare (needs some work on your server).
   For Full (Strict), go to the Origin Server tab in SSL/TLS and press "Create Certificate" to get your SSL certificate. Note that this certificate is only valid between your server and Cloudflare.
   Then you need to install that certificate on your server.
Additional steps (as you don't have an HTTPS setup on your VPS):
Since your application uses its own port on the web server, reverse proxy the application running on port 8080 to port 443 using Apache or Nginx. Check this answer for some idea.
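The second option above (Full (Strict) with an Origin CA certificate in front of a plaintext-only application) written out as an added example using HAProxy, which this page also covers, rather than the Apache or Nginx the answer mentions; this is not the answerer's configuration. The certificate path, the panel hostname and the loopback address of the panel are assumptions:

```haproxy
# Added example, not from the original answer. HAProxy terminates TLS on 443 with
# a Cloudflare Origin CA certificate and proxies to a panel that only speaks HTTP.
# All paths, hostnames and addresses are assumed for illustration.
global
    log stdout format raw local0
    # Only accept TLS 1.2+ from the edge (Cloudflare negotiates 1.2 or 1.3).
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend panel_https
    # origin.pem is the Origin CA certificate and its private key concatenated in
    # one PEM file. It is trusted only by Cloudflare's edge, so a browser that
    # reaches the VPS directly (not through the proxy) will see an untrusted
    # certificate; that is expected and is what Full (Strict) relies on.
    bind :443 ssl crt /etc/haproxy/certs/origin.pem alpn h2,http/1.1
    # Drop requests for any name the Origin CA certificate was not issued for.
    http-request deny unless { req.hdr(host) -m str -i panel.example.com }
    # Tell the panel the client-side connection was HTTPS.
    http-request set-header X-Forwarded-Proto https
    default_backend panel

backend panel
    # The panel stays bound to loopback on 8080, so it is reachable only through
    # this proxy; the unencrypted hop never leaves the host.
    server panel 127.0.0.1:8080 check
```

With this in place the Cloudflare edge connects to port 443, verifies the Origin CA certificate, and the only unencrypted traffic is the 127.0.0.1:8080 hop on the VPS itself. Keep port 8080 firewalled or bound to loopback, otherwise the panel is still reachable over plain HTTP without going through Cloudflare at all.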

haproxy reverse ssl termination

How can I achieve reverse SSL termination with HAProxy?
From my backend, via HAProxy, I need to reach an HTTPS-enabled web service. How can I successfully proxy all traffic to that service via HAProxy?
The configuration below results in: Unable to communicate securely with peer: requested domain name does not match the server's certificate.
    frontend foofront
        bind 127.0.0.1:443
        mode tcp
        default_backend foo
    backend foo
        mode tcp
        balance leastconn
        server foo foo.bar.com:443 check
With HAProxy you usually have two options for handling TLS-related scenarios. TLS Passthrough and TLS Termination.
TLS Passthrough
Looks like you're trying to do this in the example you gave.
In this mode, HAProxy does not touch traffic in any way, but is just forwarding it to the backend. When TLS is involved, that means that the backend has to have a proper certificate for a domain it's accessed from - if your HAProxy is handling traffic for myexample.com, backend servers will need to have appropriate certificates for myexample.com installed.
You can always check which certificate is served by using openssl s_client:
openssl s_client -connect localhost:443
TLS Termination
Alternatively, you can terminate TLS traffic on HAProxy itself. This will allow you to use any backend (both encrypted and unencrypted). In this case, HAProxy itself decrypts traffic for myexample.com and forwards it to the backend.
In your case, the configuration would look something like:
    frontend foofront
        bind 127.0.0.1:80
        bind 127.0.0.1:443 ssl crt /path/to/cert/for/myexample.com
        mode tcp
        default_backend foo
    backend foo
        mode tcp
        balance leastconn
        server foo foo.bar.com:443 check ssl verify none # or "verify required ca-file /path/to/ca.pem" to enforce certificate checking
You can find more info on both approaches here.
Hope this helps.
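The "terminate, then re-encrypt to the backend" setup described in the first answer on this page and in the TLS Termination section above, written out as an added example; this is not configuration from either answerer. It shows the weak `verify none` setting beside the corrected one, which pins the backend certificate to an internal CA and checks the name on it. Hostnames, addresses and certificate paths are assumptions:

```haproxy
# Added example, not from the original answers. HAProxy terminates client TLS on
# 443 and opens a new, verified TLS session to each backend.
# Hostnames, IPs and file paths are assumed for illustration.
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind :80
    # Public certificate for www.example.com: key, leaf and chain in one PEM file.
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem alpn h2,http/1.1
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https
    default_backend app

backend app
    balance leastconn
    # Applies to every server line below.
    #   ssl              re-encrypt towards the backend
    #   verify required  reject any backend certificate that does not chain to ca-file
    #   ca-file          the internal CA that signed the backend certificates
    #   check-ssl        run health checks over TLS as well
    default-server ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check check-ssl
    # sni sends the expected name in the TLS handshake; verifyhost checks the
    # certificate's name against it, so a valid-but-wrong internal cert is refused.
    server app1 10.0.0.11:8443 sni str(app1.internal) verifyhost app1.internal
    server app2 10.0.0.12:8443 sni str(app2.internal) verifyhost app2.internal

# Weak variant (what "verify none" means): HAProxy still encrypts to the backend
# but accepts ANY certificate, so a host on the path between proxy and backend
# can terminate the connection itself and read the traffic. Use only for testing.
backend app_unverified
    server app1 10.0.0.11:8443 ssl verify none check check-ssl
```

Before pointing HAProxy at a backend, check what that backend actually presents against the same CA file, for example with openssl s_client -connect 10.0.0.11:8443 -servername app1.internal -CAfile /etc/haproxy/certs/internal-ca.pem, and confirm the output ends with "Verify return code: 0 (ok)"; if it does not, HAProxy with verify required will mark the server down for the same reason.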

cloudflare - ssl error

I'm trying to get Cloudflare to work with my website.
I have my website running on port 80 and my API on port 8443.
My proxy doesn't have an SSL certificate; I rely only on the one on Cloudflare.
I have set SSL to Flexible.
I can access my website, but when I make an API call to my API on port 8443, I get the following message: CloudFlare is unable to establish an SSL connection to the origin server.
Do I need to have a certificate on my proxy for the API?
Thanks for your help.
It sounds like you're using Cloudflare's Flexible SSL option whereby traffic is unencrypted to the origin web server (but encrypted from Cloudflare's Edge to the end-user).
This setting will only work for port 443->80, not for the other ports Cloudflare supports like 2053 (or 8443 in your case).
If you want to serve SSL traffic through a port other than 443, you will need to ensure your web server is configured to work with Cloudflare in either Full or Full (Strict) SSL mode.
For more info:
What do the SSL options mean?

How apache reverse proxy can be configured without breaking the https tunnel between client & server?

I have configured an Apache reverse proxy. In that configuration an https connection is possible between the client and the reverse proxy, and again between the reverse proxy and the server. But I want an https connection from the client to the server, like a forward proxy. The https connection should not be broken at the reverse proxy.
         Https tunnel                        New Https tunnel
    <===============>                  <===================>
    Client---------------Apache Reverse proxy-----------------------Server
The above solution is not desirable.
                     Https Tunnel
    <========================================>
    Client---------------Apache Reverse proxy------------------Server
The above solution is desirable.
If an end-to-end https tunnel is not possible with a reverse proxy, then how can it be ensured that the SSL proxying option is safe, so that even the reverse proxy administrator (if the reverse proxy gets compromised) cannot decrypt the tunnel, and a man-in-the-middle attack can't be done?
You can't, because HTTPS by design guarantees, via certificates, that the sender is talking to the receiver. Your proxy here would be "the man in the middle" :-)
See http://en.wikipedia.org/wiki/Reverse_proxy
    In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware. (See SSL termination proxy.)
What you can do:
    Client------Apache Reverse proxy----SC--------------SS---------Server
          HTTPS                             SSL              HTTP
                                                       (listens on 443)
Where SC = Stunnel Client and SS = Stunnel Server.
SC must run on the same machine as your Apache reverse proxy, while SS must run on your target server.

CA common to two servers under load balancer

I would like to set up TLS authentication on a two-server setup with a load balancer that spreads traffic between them. I do not have access to the load balancer, so I need to set up both servers separately. I need a certificate that is signed by my own CA, which I can pass on to the client I want to authenticate. I know that it is possible to create a CA that is common to both servers; I am not sure how, though. Is it as simple as creating a CA on each server with the same configuration?
I would appreciate some guidance.
TLS uses TCP connections, so the load balancer will only balance the establishment of TCP connections. After that, the client is tied to one of the two servers.
The certificate the servers present to their clients should match the URL or IP of the load balancer, so the clients can check whether the certificate matches what they intended to connect to.
If you expose which backend server the client has reached (e.g. because the load balancer redirects the connection instead of tunneling it), your servers will probably need a wildcard certificate.