I need to configure HAProxy for SSL such that if a certain keyword matches in the URL, the request should go to the non-SSL port (8080), and for the rest of the calls it should go to the SSL port 8443.

I have assigned 127.0.0.1 to example.com, so if the URL example.com is entered in the browser it points to localhost on my machine.

In the frontend ssl, the ACL rules are not working as desired, because URLs with action 'reporting' or 'account_management' are not being routed to backend proxybackend. All traffic is going through default_backend SSLappAPI even if the URL has action=reporting.

Is the ACL not working because I am trying to use a non-SSL port for SSL traffic, or do I have some issue in the HAProxy configuration below?

Any help will be much appreciated.

Example URL: https://example.com/api/?uid=NrpB1vfSR01KVsxw1YI5H4&action=reporting

frontend  main *:80

    acl is_api url_param(action) -i host_check
    use_backend appAPI      if is_api
    default_backend             appUI
    option             forwardfor

frontend ssl
    mode tcp
    bind *:443
    option tcplog
    acl server_ssl urlp_sub(action) -i reporting
    acl server_ssl urlp_sub(action) -i account_management
    acl server_ssl hdr(host) -i example.com
    acl server_ssl hdr_sub(host) -i example.com

    use_backend proxybackend if server_ssl
    default_backend             SSLappAPI
    option             forwardfor

backend appUI
    server      ui-server 127.0.0.1:8080 check maxconn 50#ui <- leave this format to allow for selective script replacement

backend appAPI
    server  api-server 127.0.0.1:8080 check maxconn 750#api <- leave this format to allow for selective script replacement
    timeout http-keep-alive 0s

backend SSLappAPI
    mode tcp
    server  api-server 127.0.0.1:8443 check maxconn 800#ssl <- leave this format to allow for selective script replacement

backend proxybackend
    server proxyserver 127.0.0.1:8080

1 Answer

The 'req_ssl_sni' rule did the trick. It seems a normal ACL does not work for SSL, and here 'req_ssl_sni' comes to the rescue.

Working code is below for 2 SSL servers using the same HAProxy. The code below also works with SSL certificates; there is no need to install combined .PEM certificates on the HAProxy server.

frontend ssl
    mode tcp
    bind *:443
    option tcplog

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend SSLappAPI if { req_ssl_sni -i anoexample.com }
    use_backend proxybackend if { req_ssl_sni -i example.com }

    default_backend             SSLappAPI

backend SSLappAPI
    mode tcp
    server  api-server 127.0.0.1:8443 check maxconn 800#ssl <- leave this format to allow for selective script replacement

backend proxybackend
    mode tcp
    #option nolinger
    option tcplog
    balance roundrobin
    hash-type consistent
    option srvtcpka

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback)
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detect the SSL client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    #option ssl-hello-chk

    server proxyserver 127.0.0.2:443
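As an added illustration (not part of the answer above), the following Python builds a constructed TLS ClientHello and parses out the two fields the answer's config relies on: the SNI that `req_ssl_sni` matches, and the session ID whose length byte sits at record offset 43 (what `payload_lv(43,1)` reads). `choose_backend` mirrors the answer's `use_backend` rules; `build_client_hello`, `parse_client_hello` and the constructed inputs are this example's own.

```python
import struct

def build_client_hello(session_id: bytes, sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    host = sni.encode()
    # server_name extension body: list_len(2) | name_type(1)=0 | name_len(2) | name
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                   # client version + 32-byte random
            + bytes([len(session_id)]) + session_id   # session ID: length byte lands at record offset 43
            + b"\x00\x02\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                             # null compression only
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(rec: bytes) -> dict:
    """Return the session ID and SNI from a ClientHello record, plain TCP-level parsing."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    # record header 5 + handshake header 4 + version 2 + random 32 = 43,
    # which is why the answer's stick rule uses payload_lv(43,1)
    sid_len = rec[43]
    session_id = rec[44:44 + sid_len]
    p = 44 + sid_len
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + cs_len                      # skip cipher suites
    p += 1 + rec[p]                      # skip compression methods
    sni = None
    if p + 2 <= len(rec):
        ext_len = struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if etype == 0:               # server_name extension
                name_len = struct.unpack("!H", rec[p + 3:p + 5])[0]
                sni = rec[p + 5:p + 5 + name_len].decode()
            p += elen
    return {"session_id": session_id, "sni": sni}

def choose_backend(rec: bytes) -> str:
    """Mirror the answer's use_backend rules: SNI decides, default is SSLappAPI."""
    sni = (parse_client_hello(rec)["sni"] or "").lower()
    if sni == "anoexample.com":
        return "SSLappAPI"
    if sni == "example.com":
        return "proxybackend"
    return "SSLappAPI"
```

Because the frontend is `mode tcp`, this is all HAProxy can see before the backend terminates TLS; the URL parameters in the question's ACLs are inside the encrypted payload and never visible to the proxy.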