
The following reverse proxy works for en.wikipedia.org but not for zh.wikipedia.org; my censor blocks access to zh.wikipedia.org by SNI. If there is no SNI, then just putting the correct IP in /etc/hosts is enough.

Original configuration:

defaults
    log 127.0.0.1:514 user
    timeout connect 5000s
    timeout client 5000s
    timeout server 5000s
listen reverse-proxy
    bind 127.0.0.1:443
    mode tcp
    balance static-rr
    server srv1 208.80.153.224

The following reverse proxy causes Firefox to say:

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Changed configuration:

global
    tune.ssl.default-dh-param 2048
defaults
    log 127.0.0.1:514 user
    timeout connect 5000s
    timeout client 5000s
    timeout server 5000s
listen reverse-proxy
    bind 127.0.0.1:443 ssl crt /home/test/wiki.pem
    mode http
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    balance static-rr
    server srv1 208.80.153.224 ssl verify none
illiterate
    Please don't make such radical changes to your question, you are invalidating existing answers. Either add your new configuration below, and mark it clearly as a new configuration, or accept the answer and create a new question with your new configuration. – Gerald Schneider Mar 08 '19 at 10:42
  • @GeraldSchneider I'm sorry, my bad. Can you tell me which is better: editing this question, or accepting the answer and then creating a new question? – illiterate Mar 08 '19 at 11:02
  • This has been discussed here: https://meta.serverfault.com/questions/5697/should-follow-up-questions-be-asked-in-comments-or-on-their-own – Gerald Schneider Mar 08 '19 at 13:30

2 Answers

In this configuration you cannot, because you're using mode tcp proxying, so your haproxy's just transparently passing the entire HTTP session to the backend. You should switch to the mode http and manipulate headers.

drookie

As drookie said, TCP mode can't do this, but in HAProxy the HTTP mode doesn't send the SNI field by default.
The line http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" doesn't make sense (you can delete it in this case).
The real source of the problem is the browser configuration, as it rejects all unknown issuers by default.

WARNING: The following workaround will disable HSTS entirely, but you can use HTTPS Everywhere to get similar security.
In Firefox, open about:config, then change network.stricttransportsecurity.preloadlist to false; then this reverse proxy works as expected.
Also, you might need to delete SiteSecurityServiceState.txt in Firefox to clear its HSTS information.

WARNING: Don't use the CA certificate way if you can't verify your backend server.
If you don't want to use a browser extension, create a CA certificate for yourself and make your browser trust it.

illiterate
    **WARNING: This will disable HSTS entirely.** HSTS makes sense whether it's related to the problem or not. Please do not suggest breaking browser security features. – Esa Jokinen Mar 08 '19 at 19:16
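The whole thread turns on how the browser interprets the Strict-Transport-Security header that the changed configuration emits, and why a cached HSTS policy stops Firefox from adding a certificate exception. The following is an added example, not code from the question or from either answer: it parses a header value the way RFC 6797 describes (case-insensitive directive names, optional quoted values, empty directives allowed, duplicate or missing max-age invalid) and reports what a cached policy implies for the host. The preload threshold `PRELOAD_MIN_MAX_AGE` is an assumption about the public preload list's submission rules; the sample header values are constructed, one of them copied from the changed configuration above.

```python
"""Parse and evaluate a Strict-Transport-Security header value (RFC 6797).

Added example; not code from the question or answers above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not from the page): minimum max-age the public preload list asks
# for at submission time. Check the current hstspreload.org rules before use.
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds

# RFC 7230 token characters, used for directive names.
_TOKEN = re.compile(r'^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def _unquote(value: str) -> str:
    """Strip a quoted-string wrapper and its backslash escapes, if present."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the policy a conforming user agent would cache, or None when the
    header is invalid and must be ignored (bad syntax, duplicate directive,
    missing or non-numeric max-age)."""
    seen = {}
    # RFC 6797 allows empty directives, so a trailing ";" (as in the question's
    # configuration) is legal and simply skipped.
    for raw in header.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition('=')
        name = name.strip().lower()
        if not _TOKEN.match(name):
            return None
        if name in seen:  # a directive MUST NOT appear more than once
            return None
        seen[name] = _unquote(value.strip()) if sep else None
    max_age = seen.get('max-age')
    if max_age is None or not re.fullmatch(r'[0-9]+', max_age):
        return None
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains='includesubdomains' in seen,
        preload='preload' in seen,
    )


def explain(header: str) -> dict:
    """Summarise what a cached policy means for the host that sent it."""
    policy = parse_hsts(header)
    if policy is None:
        return {'valid': False}
    return {
        'valid': True,
        'days_pinned': policy.max_age // 86400,
        # max-age=0 tells the UA to drop the cached policy, so no pinning.
        'cert_exceptions_blocked': policy.max_age > 0,
        'preload_eligible': (policy.preload and policy.include_subdomains
                             and policy.max_age >= PRELOAD_MIN_MAX_AGE),
    }


if __name__ == '__main__':
    # Constructed input: the header value from the changed haproxy config.
    print(explain('max-age=16000000; includeSubDomains; preload;'))
```

Run on the header from the changed configuration, the policy parses as valid and pins the host for 185 days, which is exactly why a browser that has already cached it (or has the host on its built-in preload list, as for wikipedia.org) refuses a certificate exception; with the assumed one-year threshold, that value would not qualify for preload submission even though it carries the `preload` token.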