Haproxy with SSL and Notls

I installed a new version of haproxy, but I need to disable TLS, and the keyword "notlsv1" does not work. In my real configuration, I use stud to manage https sessions with these parameters:

-B 1000 -n 8 -b 127.0.0.1 8080 -f *, 443 --ssl -c ALL --write-proxy

And I'm trying to replace it with a new version of haproxy.

My configuration file:

global
    log 127.0.0.1 local0 info
    maxconn 32000
    user haproxy
    group haproxy
    daemon
    nbproc 1
    stats socket /tmp/haproxy.sock

defaults
    timeout connect 10000
    timeout client 30000
    timeout server 30000

listen ha_stats 0.0.0.0:8088
    balance source
    mode http
    timeout client 30000ms
    stats enable
    stats uri /lb?stats

frontend https-requests
    mode http
    bind :80
    bind :443 ssl crt ./haproxy.pem notlsv1
    acl is_front hdr(host) -i front.mydomain.com
    acl is_service hdr(host) -i service.mydomain.com
    use_backend bkfront if is_front
    use_backend bkservice if is_service
    default_backend mydomain.com

backend mydomain.com
    mode http
    server mywebsite www.mydomain.com:80

backend bkfront
    mode http
    balance roundrobin
    option httpchk GET / HTTP/1.1\r\nHost:\ front.mydomain.com
    server web05 192.168.200.5:80 check

backend bkservice
    mode http
    balance roundrobin
    option httpchk GET / HTTP/1.1\r\nHost:\ service.mydomain.com
    server web01 192.168.200.1:80 check

HTTP and HTTPS sessions work very well with Firefox, but I have problems with Chrome and Internet Explorer. To solve them with stud, I need to add --ssl.

Thanks,

Solution:

Thanks Willy for the help. Below I give the commands that solve this problem:

 wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev12.tar.gz
 wget http://haproxy.1wt.eu/download/1.5/src/snapshot/haproxy-1.5-dev12-patches-LATEST.tar.gz
 tar xvzf haproxy-1.5-dev12.tar.gz
 mv haproxy-1.5-dev12-patches-LATEST.tar.gz haproxy-1.5-dev12
 cd haproxy-1.5-dev12/
 tar xvzf haproxy-1.5-dev12-patches-LATEST.tar.gz
 # apply each patch in order; a single "patch -p1 < dir/*.diff" redirect is ambiguous when the glob matches several files
 for p in haproxy-1.5-dev12-patches-20121009/*.diff; do patch -p1 < "$p"; done
 make TARGET=linux26 USE_OPENSSL=1
 sudo make PREFIX=/opt/haproxy-ssl install

And replace:

 bind :443 ssl crt ./haproxy.pem notlsv1 

with

 bind :443 ssl crt ./haproxy.pem force-sslv3 
1 answer

This is because in OpenSSL, notlsv1 disables only TLSv1.0, not later versions! If you need it, you'd better download the latest snapshot from the site and use "force-sslv3" instead of "notlsv1". It will force SSLv3 exclusively and do what you currently have with stud.

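As an added example (not from the original post or the haproxy project), a small Python audit helper that models what each of these bind keywords leaves negotiable, so the difference the answer describes (notlsv1 removes only TLSv1.0, force-sslv3 pins SSLv3) can be checked against a config file before it is deployed. The keyword table is an assumption based on the keywords used on this page plus the later haproxy 1.5 spellings (no-sslv3, no-tlsv10, force-tlsv12, ...); the sample config is constructed from the question.

```python
# Protocol versions an OpenSSL-linked haproxy listener can negotiate (assumed set).
ALL_VERSIONS = ("SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2")

# Assumed keyword table: this page's keywords and their later haproxy 1.5 spellings.
NO_KEYWORDS = {
    "nosslv3": "SSLv3", "no-sslv3": "SSLv3",
    "notlsv1": "TLSv1.0", "no-tlsv10": "TLSv1.0",  # only TLSv1.0, as the answer says
    "no-tlsv11": "TLSv1.1",
    "no-tlsv12": "TLSv1.2",
}
FORCE_KEYWORDS = {
    "force-sslv3": "SSLv3",
    "force-tlsv10": "TLSv1.0",
    "force-tlsv11": "TLSv1.1",
    "force-tlsv12": "TLSv1.2",
}


def enabled_versions(bind_line):
    """Return the versions a 'bind ... ssl ...' line leaves negotiable.

    A bind line without the 'ssl' keyword returns an empty tuple."""
    words = bind_line.split()
    if len(words) < 2 or words[0] != "bind" or "ssl" not in words[1:]:
        return ()
    forced = [FORCE_KEYWORDS[w] for w in words if w in FORCE_KEYWORDS]
    if forced:
        return (forced[-1],)  # a force-* keyword pins exactly one version
    disabled = {NO_KEYWORDS[w] for w in words if w in NO_KEYWORDS}
    return tuple(v for v in ALL_VERSIONS if v not in disabled)


def audit_config(config_text):
    """Map every SSL bind line in a haproxy config to its negotiable versions."""
    result = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        versions = enabled_versions(line)
        if versions:
            result[line] = versions
    return result


# Constructed sample: the frontend from the question, before and after the fix.
QUESTION_FRONTEND = """frontend https-requests
    mode http
    bind :80
    bind :443 ssl crt ./haproxy.pem notlsv1
"""
FIXED_FRONTEND = QUESTION_FRONTEND.replace("notlsv1", "force-sslv3")
```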

Source: https://habr.com/ru/post/1438599/
