Score:0

Basic auth and data from curl to HAProxy backend not working on TLS Termination - but works on TLS passthrough

listen pki
    bind *:8884 ssl no-sslv3 crt /HAPROXY.pem.ecdsa verify required ca-file /CA_CHAIN.pem
    mode http
    http-request add-header Content-Type "application/pkcs10"
    http-request add-header Content-Transfer-Encoding "base64"
    http-request add-header Authorization "Basic somebase64encodedstring"
    default_backend pkis_1
    
backend pkis_1
    mode http
    http-request add-header Content-Type "application/pkcs10"
    http-request add-header Content-Transfer-Encoding "base64"
    http-request add-header Authorization "Basic somebase64encodedstring"
    server pkis my.domain.com:443 ssl verify none

Using the above config we are able to call the backend successfully from curl on a certain endpoint, using the same certificates, but we are blocked on another endpoint of the same server which requires basic auth.

The curl call is:

curl --cacert '$INITIAL_CACERT' --key '$INITIAL_DEVICE_KEY' --cert '$INITIAL_DEVICE_CERT' --user '$USER':'$PWD' --data @'$1'/'$KEY_NAME'-key.b64 -o '$1'/'$KEY_NAME'-cert-p7.b64 -H "Content-Type: application/pkcs10" -H "Content-Transfer-Encoding: base64" https://'$PKI_SERVER':'$PORT'/.well-known/est/'$2'/simpleenroll

Is there some way to forward everything from this curl command to the backend?

The weird thing is, when we remove all SSL auth and switch to TCP mode as a transparent proxy, the basic auth works!

Score:0

I am not able to fully understand your HAProxy configuration, but it looks like you are hardcoding headers for your backend. Instead I would add the HTTP headers from curl. Don't forget that content-type and basic auth information are meant to be passed from the client, as not all requests will have the same content type or basic authentication. Check out the answers here on how to pass basic auth information in curl.

Eos Antigen:
That's correct, what you say. We just hard-coded those headers because we thought they were not passed down from the request. The problem is that the basic auth is somehow not working, so we get 401 on the backend, which is an Apache server. Maybe the data section is not passed correctly?
Did you Base64-encode the basic authentication if you are adding it as a header from curl? A 401 would be thrown when your basic auth credentials are incorrect, which means you have not sent them correctly. Btw, you should move away from basic authentication as it is considered poor man's security in today's context.
Eos Antigen:
Will do, I'll check the base64 encoding again because maybe something is missed there. But the basic auth is just an extra auth step behind the main cert auth.... thanks...
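The answer above points at the hard-coded headers. As an added illustration (it is not from the question or the answer), here is the same listener rewritten so that the client's own Authorization and Content-Type headers reach the backend untouched, and the backend certificate is verified instead of `verify none`; the backend CA bundle path is an assumed placeholder.

```haproxy
# Added example, not the asker's configuration.
#
# What the question's config does, and why it is risky:
#   http-request add-header Authorization "Basic somebase64encodedstring"
#     add-header APPENDS a header; the backend receives the client's own
#     Authorization header plus the hard-coded one, added once in the listen
#     section and once again in the backend. The credentials also sit in
#     plain text in the config file.
#   server pkis my.domain.com:443 ssl verify none
#     the backend certificate is never checked, so the proxy relays the
#     client's credentials to whatever answers on that name.

listen pki
    bind *:8884 ssl no-sslv3 crt /HAPROXY.pem.ecdsa verify required ca-file /CA_CHAIN.pem
    mode http
    # Do not touch Authorization or Content-Type: curl already sends them and
    # HAProxy forwards every request header in http mode unless told otherwise.
    # Pass the mTLS result and client address on to the backend instead.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    # Record the Content-Type in the access log so it is visible at the proxy
    # that the curl headers arrived (never log Authorization itself).
    http-request capture req.hdr(Content-Type) len 32
    default_backend pkis_1

backend pkis_1
    mode http
    # Verify the backend certificate against a CA bundle (assumed path) and
    # check the hostname, so credentials are only relayed to the real PKI server.
    server pkis my.domain.com:443 ssl verify required ca-file /BACKEND_CA.pem sni str(my.domain.com) verifyhost my.domain.com check
```

With this in place the backend sees exactly one Authorization header, the one curl built from `--user`, and a 401 from Apache can then be attributed to the credentials rather than to the proxy.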
Score:0

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

As the above article writes:

However, you lose the ability to add or edit HTTP headers, as the connection is simply routed through the load balancer to the proxied servers.

This means your application servers will lose the ability to get the X-Forwarded-* headers, which may include the client's IP address, port and scheme used.

So, I am realizing that it is not possible to propagate the required headers with TLS termination, and that's why the requests work when we play with TLS-passthrough mode!

Where is SSL terminated?
Eos Antigen:
You may see it in the snippet in my question, in the first listen line...