#1 2015-05-12 18:51:02

AnthonySmith
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 4,055

SSL termination through haproxy

Whole post edited as it's not going to happen smile

I have managed to get port 443 forwarding working at the same time as 80 though, so people will be able to run SSL when I am finished!


https://upto32.com retro gaming and nostalgia forum that does not take itself too seriously smile


#2 2015-05-13 08:10:05

lee
Trusted Member
Registered: 2014-01-27
Posts: 10

Re: SSL termination through haproxy

I would be interested in this. Would it also work with Little Happy Cloud?


#3 2015-05-13 08:37:01

AnthonySmith
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 4,055

Re: SSL termination through haproxy

Yes, it will work on both LES and LHC.


#4 2015-05-13 15:42:26

yomero
Trusted Member
Registered: 2014-06-30
Posts: 222

Re: SSL termination through haproxy

o_O!
I don't get it. How are you managing to provide free SSL certs? =P


#5 2015-05-13 17:14:02

willie
Trusted Member
Registered: 2013-05-05
Posts: 423

Re: SSL termination through haproxy

Wait do you mean the end user would see a LES domain instead of the container operator's domain?  Most people would probably rather use their own domain, so this scheme is a compromise, but saving the cost of a certificate and domain registration makes it a useful thing.

Note that Let's Encrypt will supposedly offer free certificates to everyone pretty soon.  Right now there are the ones from Startcom, but they have annoying conditions attached.


#6 2015-05-13 19:42:37

AnthonySmith
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 4,055

Re: SSL termination through haproxy

It's just SNI, but I am trying to automate it so it works like CloudFlare. For example, go to this forum over HTTPS: I don't have an SSL cert installed on the VPS hosting the forum.


#7 2015-05-13 19:46:20

Neoon
Trusted Member
Registered: 2013-05-18
Posts: 168

Re: SSL termination through haproxy

Wait, so every other VM could spy on my traffic? naaaaaah not good.


#8 2015-05-13 19:47:51

yomero
Trusted Member
Registered: 2014-06-30
Posts: 222

Re: SSL termination through haproxy

Neoon wrote:

Wait, so every other VM could spy on my traffic? naaaaaah not good.


??? How is that?


#9 2015-05-13 19:57:26

AnthonySmith
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 4,055

Re: SSL termination through haproxy

Neoon wrote:

Wait, so every other VM could spy on my traffic? naaaaaah not good.

Sorry, how does SNI make your traffic widely available to everyone on the node vs standard HTTP (current)?


#10 2015-05-13 20:49:25

willie
Trusted Member
Registered: 2013-05-05
Posts: 423

Re: SSL termination through haproxy

Backtogeek wrote:

It's just SNI, but I am trying to automate it so it works like CloudFlare. For example, go to this forum over HTTPS: I don't have an SSL cert installed on the VPS hosting the forum.

I guess I still don't understand this: Cloudflare presents an actual certificate with the target site's domain in it, and that certificate has to be purchased from somewhere, unless Cloudflare has their own CA by now. Similarly with SNI, there still has to be a certificate, either one for the target domain (willie.com or whatever, if it's my site) or one with a shared LES domain (maybe a subdomain on a wildcard cert so it could be willie.lowendspiritusers.com or something).

If it's willie.com then I still have to buy or otherwise get hold of a certificate.

If it's lowendspiritusers.com then the end user experience is muddied, and also there are security issues with VPSs on that domain being able to see the browser cookies of other VPSs, and maybe also do malicious cross-site scripting against other VPSs without being stopped by the same-origin policy.

So I think the shared-certificate idea doesn't really work. Now if LES becomes big enough to afford its own top-level domain (100k USD/year?) then it could create domains like willie.LES and issue certificates for them for free, without those security problems. OVH and maybe Google apparently have done something like that.

Meanwhile though I think we're stuck buying our own domains and certificates. I wish there was a way around this and I'll keep thinking about it.

Last edited by willie (2015-05-13 20:54:12)


#11 2015-05-13 21:27:45

AnthonySmith
Low End Boss
From: ~/
Registered: 2013-02-13
Posts: 4,055

Re: SSL termination through haproxy

After playing around with it for a while I think you're right, you learn by doing as they say smile

Anyway, the good news is that I have SSL redirection working, so I will pick that up tomorrow and get haproxy ready for :443 forwarding for everyone so you can use your own certs.

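As an added illustration (not the forum's or the provider's own configuration) of the :443 forwarding described in posts #6 and #11: haproxy reads the server_name (SNI) field of the TLS ClientHello, which is sent in the clear, and forwards the still-encrypted TCP stream to the matching VPS, so the proxy holds no private key and the TLS session stays end-to-end between browser and VPS. The hostnames and backend addresses are constructed placeholders.

```haproxy
# Constructed example: haproxy SNI passthrough on port 443.
# TLS is NOT terminated here; haproxy only routes on the SNI name
# and hands the encrypted bytes through unchanged.
frontend https_in
    bind :443
    mode tcp
    option tcplog
    # Buffer the connection until the ClientHello has arrived,
    # otherwise req.ssl_sni is empty when the routing rules run.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route by SNI (case-insensitive); constructed hostnames.
    use_backend vps_alice if { req.ssl_sni -i alice.example.com }
    use_backend vps_bob   if { req.ssl_sni -i bob.example.com }
    # Unknown or missing SNI: reject instead of leaking the
    # connection to some default tenant.
    default_backend no_match

backend vps_alice
    mode tcp
    server alice 10.10.0.11:443 check   # constructed container address

backend vps_bob
    mode tcp
    server bob 10.10.0.12:443 check     # constructed container address

backend no_match
    mode tcp
    tcp-request content reject
```

Because the proxy sees only the hostname and opaque ciphertext, this answers the "spying" worry in post #7; it also differs from CloudFlare's Flexible mode discussed later in the thread, where TLS ends at CloudFlare and the hop to the origin is plain HTTP.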

#12 2015-05-13 22:28:36

yomero
Trusted Member
Registered: 2014-06-30
Posts: 222

Re: SSL termination through haproxy

willie wrote:

unless Cloudflare has their own CA by now.

Yep, Cloudflare has that. Well, properly speaking no, they have some business with GlobalSign, and provide us with multi-domain wildcard certs.


#13 2015-07-17 12:09:06

Green65
Member
Registered: 2015-07-17
Posts: 5

Re: SSL termination through haproxy

I am having problems getting SSL/TLS to work on NL 2 (x.x.x.25).

The domains work on port 80 but not 443; I just get an "unable to connect" error. If I change the port to one of my allocated ones (https://example.com:12345) it works.


#14 2015-08-19 23:51:25

01
Member
Registered: 2015-02-13
Posts: 9

Re: SSL termination through haproxy

To Backtogeek: Thank you very much for implementing this. I just stopped by after a few months not checking the forums here and discovered it's all working and in SolusVM to boot! Brilliant! With letsencrypt.org on the way later in the year it's perfect timing too.

Anyway I just wanted to say thanks. This is much appreciated and will be very useful to me and many others I'm sure. All the best to you.

EDIT: Spoke too soon. Since I'm an idiot I had not noticed my HTTP client was succeeding because it was falling back to IPv6. It appears IPv4 SSL SNI forwarding to port 443 is not yet implemented. Sorry for the noise. I'll keep waiting smile smile

Last edited by 01 (2015-08-20 06:28:40)


#15 2015-12-06 18:30:19

SomeGuy
Member
Registered: 2015-05-30
Posts: 8

Re: SSL termination through haproxy

Backtogeek wrote:

After playing around with it for a while I think you're right, you learn by doing as they say smile

Anyway, the good news is that I have SSL redirection working, so I will pick that up tomorrow and get haproxy ready for :443 forwarding for everyone so you can use your own certs.

Would someone mind explaining in a bit more detail how this works? Can we forward 443 requests to one of our open ports?

(I tried using the CloudFlare SSL, but I think I confused myself. If you use their certificate system, does it mean that your web server knows nothing about the SSL certificate - and you don't have to mess about with any VirtualHost type settings?)


#16 2015-12-07 03:57:19

yomero
Trusted Member
Registered: 2014-06-30
Posts: 222

Re: SSL termination through haproxy

@SomeGuy

No, you don't forward to your IPv4 ports, but instead to your IPv6 addresses. It should be something like this:

- You configure your sites, and your server SHOULD listen on IPv6.
- In SolusVM you add some IPv6 addresses from your pool (Inception Hosting, no idea with another provider). At the end you should have some IPv6 addresses in your VPS.
- You create your Cloudflare account, add your domain, and change your DNS servers to the Cloudflare ones.
- After verification, at Cloudflare, add AAAA entries (instead of A) pointing to the IPv6 addresses of your server.
- When you are able to reach your site via IPv4 like you normally do, then you should enable the SSL option in the "crypto" section of Cloudflare, with the "Flexible" option.

And at the end, your server knows nothing about SSL and you don't need to get/create any certificate.

Last edited by yomero (2015-12-07 03:58:14)


#17 2015-12-07 22:14:20

SomeGuy
Member
Registered: 2015-05-30
Posts: 8

Re: SSL termination through haproxy

Thanks very much for explaining that, yomero smile

Just to make sure I understand the principles and not just the method... For an easy life you can do this:

  • Bypass the NAT port issue altogether by using IPv6

  • Then use the 'lowest' form of CloudFlare SSL, Flexible, but leave the VPS unchanged from standard port 80 web server settings

  • = Your VPS never needs to know about the TLS because it's only between the CloudFlare servers and the external connection? -> No need for Apache VirtualHost redirects, etc.

But for a more secure setup, using CloudFlare's Full SSL option, you would set up your web server with a self-signed certificate (with extra 443 VirtualHost settings), all over IPv6? Please excuse faulty terminology.


#18 2015-12-14 02:59:57

yomero
Trusted Member
Registered: 2014-06-30
Posts: 222

Re: SSL termination through haproxy

"you would setup your web server with a self-signed certificate"

For the Full SSL you still need a cert signed by a CA. But there is a middle option that allows you to use that self-signed cert. Still, I can't see enough benefit in having the Full option vs the Flexible option, unless someone does a MiTM attack along the routes between your server and the Cloudflare servers.
