
UPDATE BELOW

________________

I decided to use HAProxy as a reverse proxy for SharePoint sites. Without SSL everything works fine, but with SSL I can't start haproxy.service. I have tried many configurations, but I can't figure it out...

Trying to start service:

$ sudo systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.

Status of the haproxy.service:

$ sudo systemctl status haproxy.service
     haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since date CEST;
         Docs: man:haproxy(1)
               file:/usr/share/doc/haproxy/configuration.txt.gz
      Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
      Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
     Main PID: (code=exited, status=0/SUCCESS)
 systemd[1]: haproxy.service: Failed with result 'exit-code'.
 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
 systemd[1]: Stopped HAProxy Load Balancer.
 systemd[1]: haproxy.service: Start request repeated too quickly.
 systemd[1]: Failed to start HAProxy Load Balancer.
 systemd[1]: haproxy.service: Unit entered failed state.
 systemd[1]: haproxy.service: Failed with result 'exit-code'.
 systemd[1]: haproxy.service: Start request repeated too quickly.
 systemd[1]: Failed to start HAProxy Load Balancer.
 systemd[1]: haproxy.service: Failed with result 'exit-code'.

Checking configuration file issues:

$ sudo haproxy -c -f haproxy.cfg
    Enter PEM pass phrase:
    [ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
    [ALERT]: Error(s) found in configuration file : haproxy.cfg
    [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').    
    [ALERT]: Fatal errors found in configuration.

HAProxy -vv:

$ sudo haproxy -vv
HA-Proxy version 1.7.5-2

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e
Running on OpenSSL version : OpenSSL 1.1.0f
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39
Running on PCRE version : 8.39
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

Logs:

 haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
 haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
 haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
 haproxy: [ALERT]: Fatal errors found in configuration.

I'm using the same certificate (but split into certificate, key and chain) for nginx on another server and it works. I created this one for HAProxy with the command cat cert.crt priv.key certchain.crt > cert.pem and I tried different orders, but the error is the same. Also, with the command haproxy -c -f haproxy.cfg the server asks for a pass phrase, so I think the certificate is okay (maybe I'm wrong) and something is wrong with the configuration file. Thank you for your time and help.

My haproxy.cfg:

    global    
        tune.ssl.default-dh-param 2048
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        #ssl-server-verify none
    
    defaults
        mode http
        option forwardfor
        log 127.0.0.1 local0 notice
        maxconn 2000
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
            
    backend sharepoint
        mode http
        #balance roundrobin
        option redispatch
        cookie SERVERID insert nocache
        server spsrv xxx.xxx.xxx.xxx:80
            
    frontend http_id
        #bind *:80
        bind *:443 ssl crt ./cert.pem
        mode http
        reqadd X-Forwarded-Proto:\ https
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

FIRST UPDATE

I tried pass-through, and now SharePoint asks for credentials (after disabling the IIS role) on port 80 and then redirects to https with the error "504 Gateway Time-out". This is my current haproxy.cfg:

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk

Also, the command $ curl xxx.xxx.xxx.xxx:**80** --header 'Host: sharepoint.intranet.com' -vv returns 401, so the connection is working, but the command with port 443, $ curl xxx.xxx.xxx.xxx:**443** --header 'Host: sharepoint.intranet.com' -vv, returns curl: (56) Recv failure: Connection reset by peer. Is my configuration file correct? Or maybe I need to configure IIS?

SECOND UPDATE

After restarting the SharePoint server, this configuration works with pass-through:

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk
maar

2 Answers


You should avoid using relative paths in config files like ./cert.pem. Please change it to an absolute path like /etc/ssl/cert.pem (adjust to the actual path).

Also, check the cert.pem file itself. It should contain only printable text (not binary) with at least two -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- blocks (your certificate and a CA from the chain) and a -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- block (or may be an -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----).

If there is any binary inside the cert.pem file, you should convert the original files (cert.crt, priv.key) to PEM format and recreate the cert.pem file. The correct order for the concatenation should be final cert, key, immediate issuer, next issuer, etc. You can leave out the root CA, as it is considered good practice not to include it (no real need, fewer bytes exchanged).

You may convert from the binary format (aka DER) to a text format (aka PEM) using openssl:

For the certs (input.crt would be the DER file and output.crt would be the new file in PEM format):

openssl x509 -inform DER -in input.crt -out output.crt

For the key (I assume it is an RSA key, which is the most usual). NOTE: it will ask for a (new) password for the output.key; see my comments on this later.

openssl rsa -inform DER -in input.key -out output.key

NOTE: Most servers assume that the key is not ciphered (that is, the next line of the -----BEGIN PRIVATE KEY----- contains ENCRYPTED). If that was the case and your server would still not start, try converting the key to an unencrypted format (NOTE: in this command, I assume the inputcipher.key file is already in PEM format):

openssl rsa -in inputcipher.key -nodes -out outputclear.key

As for the pass-through with the 504 error, in the latter config you are pointing to server st1 xxx.xxx.xxx.xxx:443 whereas in the intercept config you were pointing to server spsrv xxx.xxx.xxx.xxx:80. Please re-check whether your backend is listening on port 80 or on port 443, but it seems that there is no backend listening on 443.

NuTTyX
  • I don't know how, but after restarting the SharePoint server everything is working with the configuration above (pass-through). So, I'd like to ask: 1. Which of the above configurations is better, safer, or maybe will improve page load speed? 2. For now every site load takes about 7 seconds; are there ways to decrease the load time? 3. The redirect role from HTTP to HTTPS is configured in IIS now. Would it be better to have a redirect role on the HAProxy server (if this is possible with pass-through)? – maar Sep 14 '18 at 17:38
  • From the user point of view, a pass-through is safer (encryption is made from the browser to the final server). As for speed... unless you do some caching in an interception proxy for images and css (negligible for most, since browsers will do some local cache), a pass-through will be faster: in an interception proxy there are 2 encryptions: one from the client to the proxy and another for the proxy to the final server, so it takes more time than a single (client to server) one. Unless there is a need for you to check/inspect/modify anything, pass-through is more than enough. – NuTTyX Sep 14 '18 at 18:01
  • Thank you for your answers. About caching, I didn't find how to do it with HAProxy, but I found Nuster. The configuration looks like HAProxy's and there are more options, for example caching. Looks good; did you use it? What do you think about it? – maar Sep 14 '18 at 22:57
  • Haven't heard about it. But cache is not worth it. Also, opinion based questions are forbidden here. It is not a chat. Please stick to questions about your configuration if my answer was not complete. – NuTTyX Sep 15 '18 at 10:15
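The checks the answer describes (text-only file, certificate and key blocks present, certificate before key, chain included, key not passphrase-protected) can be automated before HAProxy is restarted. The following script is an added example, not code from the original post or from HAProxy; the PEM bundles it embeds are constructed placeholders with no real key material, and the file name check_pem.py in the usage comment is an assumption.

```python
"""Added example (not from the original post): validate a concatenated PEM
bundle the way HAProxy's 'crt' option expects it, reporting the problems the
answer above lists (binary/DER content, missing or encrypted key, key before
the server certificate, missing chain). The sample bundles below are
constructed placeholders, not real key material.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# A PEM block: header line, body (possibly with "Proc-Type:" headers), footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)
# Bytes a text PEM file may contain; anything else suggests DER (binary).
PRINTABLE = set(b"\t\r\n") | set(range(0x20, 0x7F))


@dataclass
class BundleReport:
    labels: List[str] = field(default_factory=list)    # block types in file order
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_pem_bundle(data: bytes) -> BundleReport:
    """Parse the PEM blocks in `data` and flag what would make HAProxy reject it."""
    rep = BundleReport()
    if any(b not in PRINTABLE for b in data):
        rep.problems.append("non-printable bytes found: file is DER, not PEM")
        return rep
    for m in PEM_BLOCK.finditer(data.decode("ascii")):
        label, body = m.group(1), m.group(2)
        rep.labels.append(label)
        # PKCS#8 encrypted keys use their own label; legacy PEM keys carry a
        # "Proc-Type: 4,ENCRYPTED" header. Either makes HAProxy prompt for a
        # pass phrase (the "Enter PEM pass phrase:" seen in the question).
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            rep.problems.append(f"{label} block needs a passphrase")
    certs = [i for i, l in enumerate(rep.labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(rep.labels) if l.endswith("PRIVATE KEY")]
    if not certs:
        rep.problems.append("no CERTIFICATE block")
    elif len(certs) == 1:
        rep.problems.append("only one CERTIFICATE block: issuer chain missing")
    if not keys:
        rep.problems.append("no PRIVATE KEY block")
    elif len(keys) > 1:
        rep.problems.append("more than one private key in bundle")
    if certs and keys and keys[0] < certs[0]:
        rep.problems.append("private key precedes the server certificate")
    return rep


# Constructed placeholder blocks (bodies are deliberately not valid base64/DER).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERT\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERKEY\n-----END RSA PRIVATE KEY-----\n"
FAKE_ENC_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00\n\nPLACEHOLDERKEY\n-----END RSA PRIVATE KEY-----\n"
)
GOOD_BUNDLE = (FAKE_CERT + FAKE_KEY + FAKE_CERT).encode()        # cert, key, issuer
ENCRYPTED_BUNDLE = (FAKE_CERT + FAKE_ENC_KEY + FAKE_CERT).encode()
KEY_FIRST_BUNDLE = (FAKE_KEY + FAKE_CERT + FAKE_CERT).encode()
DER_LIKE = bytes([0x30, 0x82, 0x01, 0x0A, 0x02, 0x01, 0x00])      # start of a DER SEQUENCE


if __name__ == "__main__":
    # Usage: python check_pem.py /etc/ssl/cert.pem   (no argument: run the samples)
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "good": GOOD_BUNDLE, "encrypted": ENCRYPTED_BUNDLE,
        "key-first": KEY_FIRST_BUNDLE, "der": DER_LIKE,
    }
    for name, blob in targets.items():
        r = check_pem_bundle(blob)
        print(f"{name}: {'OK' if r.ok else 'PROBLEMS'} {r.labels} {r.problems}")
```

Run it against the real bundle (with an absolute path, as the answer recommends) before `haproxy -c -f`; an "encrypted" finding explains the pass phrase prompt in the question, and the fix is the `openssl rsa -nodes` conversion shown above.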

Maybe it will be helpful for someone. In my case I have configured two network adapters on Linux: a local network and a public network. On Windows I have only the local network; Windows connects to Linux over the local network, and then through HAProxy I can open the SharePoint site from the internet.

This is the correct configuration, and in my case it works (for SSL I used pass-through; the redirect and certificate are on Windows IIS):

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    server st1 xxx.xxx.xxx.xxx:443 #local address of the Windows server
    option ssl-hello-chk
maar