HAproxy. Configure ssl connection with self-signed certificate between frontend and backend

I need some help to configure an SSL connection with a self-signed certificate between HAProxy and Squid. In my case HAProxy (192.168.10.110) is the frontend and Squid (192.168.10.149) is the backend. Without the self-signed certificate it works perfectly. But I need to establish a secure connection between frontend and backend to prevent a man-in-the-middle attack. So I created a self-signed certificate on the backend (Squid). I generated 4 files on the backend: squid1.pem, squid1.crt, squid1.key, squid1.csr. After that I copied squid1.pem to the frontend and pointed to it in the HAProxy config (in the backend section). But it does not work... I check that HAProxy works with a curl request through it: curl https://ifconfig.io -v --proxy 192.168.10.110:4483

*   Trying 192.168.10.110:1383...
* Connected to 192.168.10.110 (192.168.10.110) port 4483 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to ifconfig.io:443
> CONNECT ifconfig.io:443 HTTP/1.1
> Host: ifconfig.io:443
> User-Agent: curl/7.77.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted

HAProxy conf file:

global
    log                     127.0.0.1 local0
    log                     127.0.0.1 local1 notice
    maxconn                 4096
    daemon

defaults
    log                     global
    option                  dontlognull
    retries                 3
    option                  redispatch
    maxconn                 2000
    timeout client          30s
    timeout server          30s
    timeout connect         30s

frontend Frontend4483
    bind                    192.168.10.110:4483
    mode tcp
    default_backend         4483

backend 4483
    mode tcp
    balance roundrobin
    option tcplog
    # TLS towards the backend, checked against the certificate copied from Squid
    server B1S1 192.168.10.149:4128 ssl ca-file /etc/ssl/private/squid1.pem

Squid conf file:

acl localnet src 192.168.10.110/32      

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
http_access deny all

http_port 192.168.10.149:4128

On the backend tcpdump says:

kG......HTTP/1.1 400 Bad Request
Server: squid/4.15
Mime-Version: 1.0
Date: Tue, 20 Jul 2021 13:57:36 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3328
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from localhost
X-Cache-Lookup: NONE from localhost:4128
Via: 1.1 localhost (squid/4.15)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>

I have 2 questions: What am I doing wrong, and how do I fix it? Can I generate a self-signed cert on HAProxy and copy it to each backend (Squid proxy)?
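The symptom in the question can be reproduced without HAProxy or Squid: a TLS client (the role of HAProxy's `server ... ssl` line) opens a handshake against a listener that only understands plaintext HTTP (the role of Squid's `http_port`). The following is an added example, not code from the question or from either project. The backend stand-in, its port and its 400 reply are constructed here, modelled on the response seen in the tcpdump above; the Python stdlib `ssl` module plays the HAProxy side.

```python
import socket
import ssl
import threading

# Constructed reply, modelled on what the tcpdump above shows Squid sending
# from a plain http_port when the bytes it receives are not an HTTP request.
PLAINTEXT_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: squid/4.15\r\n"
    b"X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0\r\n"
    b"Connection: close\r\n\r\n"
)


def is_tls_record(data):
    """True if the bytes start with a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def _plaintext_backend(listener, observed):
    """Stand-in for Squid's http_port: no TLS, records the first bytes, answers 400."""
    conn, _ = listener.accept()
    with conn:
        observed["first_bytes"] = conn.recv(4096)
        conn.sendall(PLAINTEXT_400)


def tls_to_plaintext_port():
    """Reproduce the HAProxy->Squid mismatch: TLS client against a plaintext listener.

    Returns whether the backend received a TLS record and the client-side error.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback, no real Squid needed
    listener.listen(1)
    port = listener.getsockname()[1]
    observed = {}
    backend = threading.Thread(target=_plaintext_backend, args=(listener, observed), daemon=True)
    backend.start()

    # Client side plays HAProxy's 'server ... ssl'. Certificate verification is
    # disabled only because the handshake never gets far enough to see a certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", port))
    client_error = None
    try:
        ctx.wrap_socket(raw, server_hostname="squid1")  # handshake runs here
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        client_error = getattr(exc, "reason", None) or str(exc)
    finally:
        raw.close()
    backend.join(timeout=5)
    listener.close()
    return {
        "backend_saw_tls_record": is_tls_record(observed.get("first_bytes", b"")),
        "client_error": client_error,
    }


if __name__ == "__main__":
    result = tls_to_plaintext_port()
    print("backend received a TLS ClientHello:", result["backend_saw_tls_record"])
    print("client handshake error:", result["client_error"])
```

The backend sees a TLS ClientHello it cannot parse and answers with HTTP 400 and ERR_PROTOCOL_UNKNOWN, exactly as in the tcpdump; the client then fails the handshake because an HTTP status line is not a TLS record (with OpenSSL this typically surfaces as a wrong-version error). The `ssl ca-file` on the HAProxy server line only helps once the backend actually terminates TLS on that port, which for Squid means an `https_port` listener with its certificate and key instead of `http_port`. For the man-in-the-middle concern, the part that matters is that HAProxy verifies the backend certificate against the copied `ca-file` (HAProxy's `verify required`, plus `verifyhost`/`sni` so the name is checked as well); a CA certificate generated on the HAProxy side and used to issue each backend's certificate is the usual way to make that work for several backends.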

djdomi commented:

What are you trying to do? Remember that it looks to me like an X and Y problem.